-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WorkloadIdentityBinding operator #3456
WorkloadIdentityBinding operator #3456
Conversation
A few high-level comments, more-or-less documenting what we discussed in person:
|
373ec2a
to
148beef
Compare
Setting up a pattern for more controllers, and adding a simple one to help with setting up WorkloadIdentityBinding.
148beef
to
e71c5ce
Compare
Thanks @johnbelamaric!
Good idea - I'll add in a follow-on PR, as we don't want this to hold up the other PRs that build on it.
Good plan also, although WorkloadIdentity is a actually a GCP name, other clouds use different terms. It's alpha so I think we can iterate here.
In this case, we need the identity-namespace/project-id that we're running in. That's not a piece of information that is really part of the package, it's more part of the deployment environment. I'm experimenting with building these packages, and this one really helps us out. Elsewhere I've been able to use a function. If we find we need to plumb through the identity namespace for other reasons, then I think this could well be a function. I actually suspect that this ends up in KCC (or a KCC-adjacent project), because really we're trying to make the KRM schema a lot more regular, vs encoding a lot of information in a "magic" pseudo-ServiceAccount name.
It is generic in terms of binding Kubernetes ServiceAccounts to GCP ServiceAccounts. It should run wherever the KSA is configured. I suspect in most cases KCC is running in the same cluster, configuring the GCP ServiceAccount, but this isn't required. (But, if something else is provisioning the GCP SA, probably that thing is a good candidate for configuring the KSA -> GCP SA IAM association). |
The deployment environment is known at the time of package configuration. For example we could annotate the deployment repo with this project ID. Or associate a “ClusterDemographics” or “ClusterGCPContext” resource with a repo. This is effectively what I did in the Nephio controller PoC with a CluaterScaleProfile. |
Any ETA for the Porch release that will include this operator? |
Follow up. This is the point of this bullet in #3396:
This function would have to run in the package that owns the KSA of course. |
Setting up a pattern for more controllers, and adding a simple one to help with setting up WorkloadIdentityBinding.
WIP, for discussion cc @mortent