Support gcp workload identity federation #359
Conversation
Codecov Report

@@ Coverage Diff @@
##           master     #359   +/- ##
=======================================
  Coverage   46.03%   46.03%
=======================================
  Files          74       74
  Lines        7751     7751
=======================================
  Hits         3568     3568
  Misses       3692     3692
  Partials      491      491
force-pushed 44113d3 to 7297380
/test verify
To enable short-lived credentials in a GCP cluster using workload identity, we need the ccoctl tool to know the Kubernetes service account names from the CredentialsRequest manifest, so that it can create GCP service accounts that can be impersonated only by specific Kubernetes service accounts.
force-pushed 7297380 to 0b8fff7
@joelddiaz this looks good for a quick review
/test e2e-gcp
serviceAccountNames:
- cloud-credential-operator
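Review bot: serviceAccountNames carries only the Kubernetes service account name, but the GCP member that ccoctl will bind is identified by namespace and name, so the manifest should make clear where the namespace comes from (presumably the CredentialsRequest's secretRef namespace) or the field should be documented as "service account names in the secret's namespace"; otherwise two namespaces that each have a cloud-credential-operator service account would be indistinguishable. A one-line comment in the manifest saying that this list is consumed by ccoctl to restrict impersonation, and not by CCO itself in Manual mode, would also save the next reader the question raised in this thread.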
I'm assuming this is more of an example of the kinds of changes that need to be made across the various repos, and CCO - as presently written - will not actually make use of these creds when in Manual mode. Correct?
that's right
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: akhil-rane, joelddiaz. The full list of commands accepted by this bot can be found here. The pull request process is described here.
To enable short-lived credentials in a GCP cluster using workload identity
federation, we need to make the following set of changes,
which can be used by the ccoctl tool to create GCP service accounts with
limited access.
ref: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
x-ref: https://issues.redhat.com/browse/CCO-105
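As an added worked example (not code from this PR or from the cloud-credential-operator project), here is the step that the PR description and the commit message above leave implicit: turning the serviceAccountNames list of a CredentialsRequest into the least-privilege impersonation binding on the GCP service account that ccoctl creates. The manifest is embedded as constructed JSON so the example runs on the Go standard library alone. The project number, the pool name, the use of spec.secretRef.namespace as the Kubernetes service account namespace, and the `principal://` subject format of GCP workload identity federation (rather than the GKE-style `PROJECT.svc.id.goog[NAMESPACE/KSA]` member shown on the linked page) are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SampleCredentialsRequest is a constructed manifest in JSON form (Kubernetes
// manifests are JSON-compatible). The serviceAccountNames entry mirrors the one
// added in this PR; the other values are made up for the example.
const SampleCredentialsRequest = `{
  "apiVersion": "cloudcredential.openshift.io/v1",
  "kind": "CredentialsRequest",
  "metadata": {"name": "cco-gcp-creds", "namespace": "openshift-cloud-credential-operator"},
  "spec": {
    "secretRef": {"name": "cco-gcp-creds", "namespace": "openshift-cloud-credential-operator"},
    "serviceAccountNames": ["cloud-credential-operator"]
  }
}`

// CredentialsRequest holds only the fields this example reads; it is not the
// operator's real Go type.
type CredentialsRequest struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		SecretRef struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"secretRef"`
		ServiceAccountNames []string `json:"serviceAccountNames"`
	} `json:"spec"`
}

// ParseCredentialsRequest decodes a CredentialsRequest manifest given as JSON.
func ParseCredentialsRequest(doc string) (CredentialsRequest, error) {
	var cr CredentialsRequest
	err := json.Unmarshal([]byte(doc), &cr)
	return cr, err
}

// WorkloadIdentityMembers returns one IAM member per Kubernetes service account
// allowed to impersonate the request's GCP service account. The member is the
// workload identity federation subject principal (assumed format), with the
// subject being the KSA token's sub claim: system:serviceaccount:<ns>:<name>.
// The namespace is taken from spec.secretRef.namespace, where the workload's
// credential secret is delivered (this example's assumption).
func WorkloadIdentityMembers(cr CredentialsRequest, projectNumber, pool string) ([]string, error) {
	ns := cr.Spec.SecretRef.Namespace
	if ns == "" {
		return nil, fmt.Errorf("%s: spec.secretRef.namespace is required to scope the binding", cr.Metadata.Name)
	}
	if len(cr.Spec.ServiceAccountNames) == 0 {
		// Never fall back to a namespace- or pool-wide member: an empty list must
		// not silently become "anything in the pool may impersonate".
		return nil, fmt.Errorf("%s: no serviceAccountNames; refusing to create an unrestricted binding", cr.Metadata.Name)
	}
	seen := make(map[string]bool)
	var members []string
	for _, ksa := range cr.Spec.ServiceAccountNames {
		ksa = strings.TrimSpace(ksa)
		// Reject names that could alter the subject string's structure.
		if ksa == "" || strings.ContainsAny(ksa, ":/ ") {
			return nil, fmt.Errorf("%s: invalid service account name %q", cr.Metadata.Name, ksa)
		}
		m := fmt.Sprintf("principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/system:serviceaccount:%s:%s",
			projectNumber, pool, ns, ksa)
		if !seen[m] {
			seen[m] = true
			members = append(members, m)
		}
	}
	sort.Strings(members)
	return members, nil
}

// Binding is the single role binding to attach to the created GCP service
// account so that only the listed Kubernetes service accounts can impersonate it.
type Binding struct {
	Role    string   `json:"role"`
	Members []string `json:"members"`
}

// ImpersonationBinding builds the roles/iam.workloadIdentityUser binding for a request.
func ImpersonationBinding(cr CredentialsRequest, projectNumber, pool string) (Binding, error) {
	members, err := WorkloadIdentityMembers(cr, projectNumber, pool)
	if err != nil {
		return Binding{}, err
	}
	return Binding{Role: "roles/iam.workloadIdentityUser", Members: members}, nil
}

func main() {
	cr, err := ParseCredentialsRequest(SampleCredentialsRequest)
	if err != nil {
		panic(err)
	}
	b, err := ImpersonationBinding(cr, "123456789012", "openshift-pool")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(b, "", "  ")
	fmt.Println(string(out))
}
```

The binding is deliberately per-subject rather than per-namespace or per-pool: the whole point of collecting serviceAccountNames from the manifest is that a compromised pod in the same namespace, running under a different service account, cannot mint tokens for this GCP service account.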