A helper package for case-by-case support tooling for GKE.
Today, Google Cloud has two services providing similar functionality, allowing external identity providers to authenticate users so they can access a GKE cluster:
- Identity Service for GKE
- Workforce Identity Federation
We encourage users to move to Workforce Identity Federation as a holistic solution for Google Cloud deployments, with a unified product approach.
Use gke-identity-service-migrator to identify federated users and groups for RoleBindings and ClusterRoleBindings, and translate them to the Workforce Identity Federation syntax. Be sure to test on a non-production cluster to confirm intended behaviour.
We recommend completing the following prerequisite steps before starting the migration:
- Confirm your external identity provider is set up
- Confirm the existing Identity Service for GKE configuration
Once the prerequisites are completed, migrate your Identity Service for GKE to Google Cloud Workforce Identity Federation with the following steps:
- Configure and test Google Cloud Workforce Identity Federation
- Install gke-identity-service-migrator migration tooling:
  ```shell
  go install github.com/GoogleCloudPlatform/gke-utilities/cmd/gke-identity-service-migrator@latest
  ```
- Use gke-identity-service-migrator to identify RoleBindings and ClusterRoleBindings that refer to federated users and groups
- Use gke-identity-service-migrator to create transformed copies of RoleBindings and ClusterRoleBindings with Workforce Identity Federation syntax
- Apply the translated configs to your cluster
- Test user access when logged in via Workforce Identity Federation
- Clean up old RoleBinding and ClusterRoleBinding objects
- Disable Identity Service for GKE
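As an added illustration of the identify-and-translate steps above (example code, not the migrator's own), the Go sketch below picks out RoleBinding subjects that arrived through Identity Service for GKE and rewrites them into Workforce Identity Federation principal syntax, writing them to a renamed copy so the original binding stays in place until access has been tested. The pool ID is a placeholder and the "oidc:" subject prefix is an assumed claim-mapping convention; both are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumptions for this example (not the migrator's values): placeholder pool ID, "oidc:" subject prefix.
const (
	poolID          = "PLACEHOLDER_POOL_ID"
	federatedPrefix = "oidc:"
)

// Subject mirrors the rbac.authorization.k8s.io/v1 subject fields used here.
type Subject struct {
	Kind string // User, Group or ServiceAccount
	Name string
}

// toWorkforcePrincipal rewrites a federated subject into Workforce Identity Federation
// syntax (principal://.../subject/ID for users, principalSet://.../group/ID for groups).
func toWorkforcePrincipal(s Subject) (name string, ok bool) {
	if (s.Kind != "User" && s.Kind != "Group") || !strings.HasPrefix(s.Name, federatedPrefix) {
		return s.Name, false
	}
	id := strings.TrimPrefix(s.Name, federatedPrefix)
	pool := "iam.googleapis.com/locations/global/workforcePools/" + poolID
	if s.Kind == "Group" {
		return "principalSet://" + pool + "/group/" + id, true
	}
	return "principal://" + pool + "/subject/" + id, true
}

// Translate copies a binding's subjects with federated identities rewritten, under a
// new name (-wif) so the original stays until tested; ok is false if nothing was federated.
func Translate(name string, subjects []Subject) (string, []Subject, bool) {
	out, ok := make([]Subject, len(subjects)), false
	for i, s := range subjects {
		if n, changed := toWorkforcePrincipal(s); changed {
			s.Name, ok = n, true
		}
		out[i] = s
	}
	return name + "-wif", out, ok
}

func main() {
	// Constructed sample: one federated group and one in-cluster service account.
	newName, out, _ := Translate("dev-readers", []Subject{{"Group", "oidc:platform-devs"}, {"ServiceAccount", "ci"}})
	fmt.Println(newName, out)
}
```

Bindings for which Translate reports ok == false reference no federated identity and need no copy; ServiceAccount subjects are passed through untouched.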
For more details on the migration guide, please contact your Google team.
If you encounter any issues with the tool, please raise a GitHub issue for this repo.