GKE Workload Identity
Google Cloud supports mapping Kubernetes service accounts to Google Cloud IAM using a feature called Workload Identity Federation for GKE. A pod that runs as a mapped Kubernetes service account obtains short-lived Google Cloud credentials from the GKE metadata server, so no service account key needs to be stored in the cluster.
Objective
BindPlane requires access to Google Pub/Sub when operating in High Availability using a multi-replica Deployment.
BindPlane can authenticate to Pub/Sub either with the OAuth scopes of the node pool's service account or with Workload Identity Federation. This guide focuses on configuring workload identity, which is the preferred option because it grants Pub/Sub access to the BindPlane pods only, rather than to every workload on the node.
Prerequisites
You must have access to a Google Kubernetes Engine cluster with workload identity enabled. GKE Autopilot has workload identity enabled by default.
Configuration
Review the Configure applications to use Workload Identity Federation for GKE instructions.
If you deploy BindPlane to a cluster whose node pool does not have the Pub/Sub OAuth scopes, you can expect to see the following error logs:
This happens because the Kubernetes service account the pods run as has not been mapped to IAM, so the pods hold no credential that is permitted to use Pub/Sub.
Kubernetes Service Account
The BindPlane OP Helm Chart creates a Kubernetes service account for you. The name of the service account is derived from the name of your Helm release.
You can find your service account with kubectl -n <namespace> get sa. Note the exact name and namespace: both appear in the IAM binding, and a mismatch in either produces the same Pub/Sub permission errors as no binding at all.
All pods deployed by the Helm chart will use this service account.
IAM Mapping
Step 4 in Configure applications to use Workload Identity Federation for GKE instructs you to create an IAM policy binding that grants the Kubernetes service account, identified as a principal in your project's workload identity pool, an IAM role in your project. For BindPlane that role must allow Pub/Sub access; grant a Pub/Sub role rather than a broad project-wide role so that the binding follows least privilege.
Restart BindPlane
If you previously deployed BindPlane and the pods are crashing due to Pub/Sub permission errors, restart the pods by deleting them or by using the kubectl rollout restart command.
If the workload identity mapping was successful, the new pods start without Pub/Sub errors. If the errors persist, verify that the namespace and service account name in the IAM binding match the service account the pods actually use.
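The three steps above (find the service account, bind it in IAM, restart the pods) as one script. This is an added example, not part of the BindPlane docs or the BindPlane Helm chart. It assumes the project ID, project number, namespace, a release named bindplane (so the service account is also named bindplane), and the role roles/pubsub.editor; adjust every variable to your environment, and set DRY_RUN=0 to actually run the gcloud and kubectl commands instead of printing them.

```shell
#!/usr/bin/env bash
# Added example for mapping the BindPlane Kubernetes service account to IAM
# with Workload Identity Federation for GKE. All values below are assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"            # assumption
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # assumption; see note below
NAMESPACE="${NAMESPACE:-bindplane}"                # assumption: BindPlane has its own namespace
KSA_NAME="${KSA_NAME:-bindplane}"                  # assumption: verify with kubectl -n "$NAMESPACE" get sa
ROLE="${ROLE:-roles/pubsub.editor}"                # assumption: narrowest Pub/Sub role that fits your setup
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands only, 0 = execute them

# Principal identifier for a Kubernetes service account in the cluster's
# workload identity pool. Binding this principal directly needs no Google
# service account and no pod annotation.
ksa_principal() {
  project_number="$1"; project_id="$2"; namespace="$3"; ksa="$4"
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s' \
    "$project_number" "$project_id" "$namespace" "$ksa"
}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# The project number is needed for the principal; look it up when not set:
#   gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)'

# Step 4 of the GKE guide: grant the KSA principal a Pub/Sub role on the project.
bind_ksa_to_pubsub() {
  principal="$(ksa_principal "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME")"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$principal" \
    --role="$ROLE" \
    --condition=None
}

# Check: list the roles bound to this exact principal. A typo in the namespace
# or service account name shows up here as an empty table instead of as a
# crashing pod later.
show_ksa_bindings() {
  principal="$(ksa_principal "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME")"
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten='bindings[].members' \
    --format='table(bindings.role)' \
    --filter="bindings.members:${principal}"
}

# Restart every Deployment in the namespace so the pods retry Pub/Sub with the
# new binding (assumes the namespace holds only BindPlane).
restart_bindplane() {
  run kubectl -n "$NAMESPACE" rollout restart deployment
}

bind_ksa_to_pubsub
show_ksa_bindings
restart_bindplane
```

Run it once with the default DRY_RUN=1 and read the printed commands, in particular the principal string, before running it for real. If the binding looks right but the pods still fail, compare the service account reported by kubectl -n <namespace> get sa with the ns/ and sa/ parts of the principal.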