workload-identity

module

v0.0.0-...-fc60df6 Latest Latest Go to latest Published: Jan 6, 2023 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/Harwayne/workload-identity

Links

Open Source Insights

README ¶

Use this tool to help diagnose problems with GKE workload identity.

Build

go build -o diagnose-wi cmd/diagnose-wi/main.go

Usage

Prerequisites

Make sure kubectl is pointed at the correct GKE cluster.
Make sure gcloud is setup and has authentication sufficient to get IAM policies.

Examples

Check the agent KSA in the my-ns namespace.

diagnose-wi -ns my-ns -ksa agent

Check the KSA being used by Pod my-pod in the my-ns namespace.

diagnose-wi -ns my-ns -pod my-pod

Check the agent KSA in the my-ns namespace with permissions on the GCP project other-project.

diagnose-wi -ns my-ns -ksa agent -project other-project

Common permission issues

KSA does not have permission on the GSA

Pod "agent-8948bd7b-vz5wp" uses KSA "agent", which links to GSA "[email protected]", but that GSA does not grant access to the KSA

gcloud iam service-accounts add-iam-policy-binding \
  --project "${PROJECT}" \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT}.svc.id.goog[${NAMESPACE}/${KSA}]" \
  "${GSA}"

Directories ¶

Path	Synopsis
cmd
diagnose-wi

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL