
Use Case k8s Allowed Network Policy workload identity GCP

Jose Retelny edited this page Oct 7, 2019 · 2 revisions

Use Case - Allowed Services (Network Policies) & Secrets Injection (Vault)

  • Namespace: uc-workload-identity

We will use Pub/Sub topic ACLs to demonstrate adding secrets to the pod via a mutating webhook. At this point the secret exists and is protected by RBAC in the controller namespace ‘appconfigmgrv2-system’. The webhook copies the appropriate secret into the application namespace, mounts it as a volume, and adds an environment variable named GOOGLE_APPLICATION_CREDENTIALS (pointing at the volume mount), as required by Google APIs.
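A minimal version of the mutation described above, written here as an added illustration rather than the project's own webhook code. The namespace and the GOOGLE_APPLICATION_CREDENTIALS variable come from the text; the copied Secret's name, mount path and key file name are assumptions.

```python
import base64
import json

# From the page: the application namespace the webhook targets.
TARGET_NAMESPACE = "uc-workload-identity"
# Assumed names (not the project's own): the copied Secret and its mount location.
INJECTED_SECRET = "gcp-sa-key"
MOUNT_PATH = "/var/run/secrets/gcp"
KEY_FILE = "key.json"

def _append(ops, obj, base, key, item):
    """Add a JSON Patch op appending item to obj[key], creating the list if absent."""
    if key in obj:
        ops.append({"op": "add", "path": f"{base}/{key}/-", "value": item})
    else:
        ops.append({"op": "add", "path": f"{base}/{key}", "value": [item]})

def build_patch(pod):
    """JSON Patch (RFC 6902) that mounts the copied Secret read-only into every
    container and points GOOGLE_APPLICATION_CREDENTIALS at the key file."""
    spec = pod.get("spec", {})
    ops = []
    _append(ops, spec, "/spec", "volumes",
            {"name": INJECTED_SECRET, "secret": {"secretName": INJECTED_SECRET}})
    for i, c in enumerate(spec.get("containers", [])):
        base = f"/spec/containers/{i}"
        _append(ops, c, base, "volumeMounts",
                {"name": INJECTED_SECRET, "mountPath": MOUNT_PATH, "readOnly": True})
        _append(ops, c, base, "env",
                {"name": "GOOGLE_APPLICATION_CREDENTIALS",
                 "value": f"{MOUNT_PATH}/{KEY_FILE}"})
    return ops

def admission_response(review):
    """Answer an AdmissionReview: patch Pods in the target namespace only;
    everything else is allowed through unchanged."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    if req.get("namespace") == TARGET_NAMESPACE and req["kind"]["kind"] == "Pod":
        patch = json.dumps(build_patch(req["object"])).encode()
        resp.update(patchType="JSONPatch", patch=base64.b64encode(patch).decode())
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}

# Constructed sample AdmissionReview for a one-container Pod in the use-case namespace.
SAMPLE_REVIEW = {
    "request": {"uid": "example-uid", "kind": {"group": "", "version": "v1", "kind": "Pod"},
                "namespace": TARGET_NAMESPACE,
                "object": {"spec": {"containers": [{"name": "app", "image": "example/app"}]}}}}
```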

gsutil cat gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-workload-identity/deploy-apps.yaml | kubectl apply -f -

*NOTE - will document vault in wiki

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq"

Svc 2 -> Svc 1 -> pubsub topic1 Outbound Should Work

curl "http://$INGRESS_NO_ISTIO_HOST/testcallseq?call1=http://workload-identity-pubsub-app.uc-workload-identity:8000?gcpProjectID=$PROJECT_NAME&topic=workload-identity-topic&message=hello"
host:hello-app-drv-py-1-677775646f-b8gm5
Publish Success: 776104906071903

gcloud pubsub subscriptions pull --auto-ack workload-identity-topic --page-size 20 --limit 20 --project $PROJECT_NAME
┌────────┬─────────────────┬────────────┐
│  DATA  │    MESSAGE_ID   │ ATTRIBUTES │
├────────┼─────────────────┼────────────┤
│ hello1 │ 608858688012712 │            │
└────────┴─────────────────┴────────────┘