-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to configure serviceaccountPath with istioctl and istio 1.5 for stackdriver #22658
Comments
i believe you can do this:
this is terraform, but you can translate:
taken from: banzaicloud/istio-operator#284 |
If you are using mixer, you'll need to mount the file in the But I strongly suggest using v2 telemetry with stackdriver integration. As this is not a bug, i'm closing. Please use the forums for further investigation. |
@douglas-reid could you please link to where it is documented to configure v2 telemetry with Stackdriver and a GSA |
@bianpengyuan do we have any good docs on using service account creds with Stackdriver? |
This link provides some more discussion in to our specific issue: We can get the stackdriver envoy filter working if we manually grant access to a GSA with the right credentials, then associate that to the default KSA in the namespace i.e.:
However, there's no nice way for us to do this programatically for every namespace where we have envoy sidecars (and then keep it up-to-date as new ones get created / etc.) I don't have a great solution in mind, thinking out loud: perhaps a way for Istio to create the We're going to investigate an in-mesh prometheus -> stackdriver approach instead, but it would be great to use the envoy filter as it definitely works, just don't have a way for it to authenticate when the cluster is using Workload Identity |
Currently we don't have a way to read mounted cert in stackdriver filter. It might be feasible though to expose that as an option in both stackdriver filter configuration and istioctl. Although IMHO using workload identity is strictly better than managing the cert file yourself. Not sure if there is any gitops tools out there or Google provides to ease the pain. |
With Mixer our solution was placing a That was another option we've considered:
|
It appears that the Workload Identities and even KSAs can be created through terraform, so that might be a solution: Still feels quite roundabout, though, I wonder how common our use case is -- it may become more common for those wishing to go directly to Stackdriver from envoy as Google is now recommending Workload Identity over any other options. |
Mounting into each pod definitely is a bit clunky, but is at least somewhat doable. You'd have to set the appropriate env var in each pod too. We probably need a more general approach to creds distribution for extensions in general. @mandarjog @kyessenov has there been any thoughts of how to support creds via extensions API, etc.? Is the working suggestion to bundle ? |
A colleague of mine just had a brilliant idea, building on the 'manage in terraform' solution, which is to use Config Connector to set up the KSA/GSAs. This keeps everything in k8s manifests, at least. It's quite a specific solution to the "Stackdriver on GCP" usecase, so we might still want to think about creds in general, but it might be nice for this specific case. I'll give that a go in the next couple of days and report back on how it goes. |
So this actually works pretty great. This is what I added to the namespace:
The only thing that's a little bit askew here is having to modify the |
Yes |
Ah fantastic, thanks @bianpengyuan 🙏 We'll probably suffice with using the same KSA as the application container, though I suppose for the best security one would want a specific KSA for the stackdriver telemetry, which may differ to the KSA we use for the application pod itself. I wonder if there's a neat way to configure which KSA the |
afaik The finest granularity of workload identity if per pod. You'd either need to run proxy outside application pod using Sidecar API, or adopt anthos service mesh https://cloud.google.com/anthos/service-mesh, which includes a solution to exchange anthos service mesh gcp service access token at sidecar, which would make separated access control possible. |
We are also using Config Connector to quickly provision GSA's to every Pod. It is not very elegant though. @bianpengyuan I wonder how ASM does this and whether it is possible to implement the same functionality to OSS Istio. |
@cagataygurturk ASM solve this by exchanging a specialized access token with trust worthy jwt token, which has metric write permission. It is not open to OSS users. |
This is not a bug report. I can't find any documentations anywhere on how to correctly mount in serviceAccount file for istio 1.5. So I want to put an issue here to ask how.
I can see the configuration flag
serviceAccountPath
in the mixer configurations I don't know how the serviceAccount file will be mounted in the istiod pod.Reference: https://discuss.istio.io/t/configure-istio-1-5-mixer-with-gcloud-stackdriver-backend/5907
The text was updated successfully, but these errors were encountered: