A tool to analyze a workload running in GKE and make sure that Workload Identity is configured properly
doitintl/workload-identity-analyzer
GKE Workload Identity Analyzer

This script takes a Pod name (running in the current context) and performs checks to ensure that Workload Identity is properly configured.

Performed checks

  • Workload Identity enabled on the GKE cluster
  • Pod has .spec.serviceAccountName configured
  • KSA (configured in previous step) exists
  • KSA is annotated correctly with a GSA
  • GSA (configured in previous step) exists in the project
  • KSA has roles/iam.workloadIdentityUser on the GSA
  • GSA IAM roles in the project
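To make the check sequence concrete, here is an added example (not the wi-analyzer project's own code) that runs the same seven checks over constructed in-memory objects instead of live kubectl and gcloud output. The cluster dict follows the shape of `gcloud container clusters describe` (a `workloadIdentityConfig.workloadPool` of the form `PROJECT_ID.svc.id.goog`), the Pod and ServiceAccount dicts follow the Kubernetes object shape, and the IAM policies follow the `bindings[].role/members` shape. The annotation key `iam.gke.io/gcp-service-account`, the role `roles/iam.workloadIdentityUser` and the member format `serviceAccount:POOL[NAMESPACE/KSA]` are the real Workload Identity conventions; every project, cluster and account name in the fixtures is made up.

```python
"""Added example, not part of wi-analyzer: the README's Workload Identity checks
evaluated over constructed objects so the logic can be read and run offline."""
import re

WI_ANNOTATION = "iam.gke.io/gcp-service-account"
WI_ROLE = "roles/iam.workloadIdentityUser"
# Minimal shape check for a GSA email: NAME@PROJECT.iam.gserviceaccount.com
GSA_RE = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")


def check_workload_identity(cluster, pod, ksas, gsa_policies, project_policy):
    """Run the README's checks in order and stop at the first hard failure,
    because each later check uses a value established by an earlier one.

    cluster        -- dict like `gcloud container clusters describe` output
    pod            -- dict like a Kubernetes Pod object
    ksas           -- {(namespace, name): ServiceAccount dict} for KSAs that exist
    gsa_policies   -- {gsa_email: IAM policy dict} for GSAs that exist
    project_policy -- project-level IAM policy dict
    Returns {"checks": [(name, ok, detail), ...], "gsa_roles": [...]}.
    """
    checks = []

    def record(name, ok, detail):
        checks.append((name, ok, detail))
        return ok

    def done(roles=()):
        return {"checks": checks, "gsa_roles": list(roles)}

    # 1. Cluster: Workload Identity is on when a workload pool is configured
    pool = (cluster.get("workloadIdentityConfig") or {}).get("workloadPool")
    if not record("Workload Identity enabled on cluster", bool(pool), pool or "no workloadPool"):
        return done()

    # 2. Pod explicitly names its KSA
    ns = pod.get("metadata", {}).get("namespace", "default")
    ksa_name = pod.get("spec", {}).get("serviceAccountName")
    if not record("Pod has .spec.serviceAccountName", bool(ksa_name), ksa_name or "not set"):
        return done()

    # 3. That KSA exists in the Pod's namespace
    ksa = ksas.get((ns, ksa_name))
    if not record("KSA exists", ksa is not None, f"{ns}/{ksa_name}"):
        return done()

    # 4. KSA carries the GSA annotation and the value looks like a GSA email
    gsa = (ksa.get("metadata", {}).get("annotations") or {}).get(WI_ANNOTATION)
    ok = bool(gsa) and GSA_RE.match(gsa) is not None
    if not record("KSA annotated with a GSA", ok, gsa or f"missing {WI_ANNOTATION}"):
        return done()

    # 5. GSA exists (here: we could fetch its IAM policy)
    policy = gsa_policies.get(gsa)
    if not record("GSA exists in project", policy is not None, gsa):
        return done()

    # 6. The KSA, as a workload-pool member, holds workloadIdentityUser on the GSA
    member = f"serviceAccount:{pool}[{ns}/{ksa_name}]"
    bound = any(b.get("role") == WI_ROLE and member in b.get("members", [])
                for b in policy.get("bindings", []))
    record(f"KSA has {WI_ROLE} on the GSA", bound, member)

    # 7. Informational: project roles the GSA holds, i.e. what the Pod can do
    gsa_member = f"serviceAccount:{gsa}"
    roles = sorted(b["role"] for b in project_policy.get("bindings", [])
                   if gsa_member in b.get("members", []))
    record("GSA IAM roles in the project", True, ", ".join(roles) or "none")
    return done(roles)


# Constructed fixtures; no real project, cluster, namespace or account names.
GSA = "app-gsa@demo-project.iam.gserviceaccount.com"
CLUSTER = {"name": "demo-cluster",
           "workloadIdentityConfig": {"workloadPool": "demo-project.svc.id.goog"}}
POD = {"metadata": {"name": "app-0", "namespace": "payments"},
       "spec": {"serviceAccountName": "app-ksa"}}
KSAS = {("payments", "app-ksa"): {"metadata": {"name": "app-ksa", "namespace": "payments",
                                               "annotations": {WI_ANNOTATION: GSA}}}}
GSA_POLICIES = {GSA: {"bindings": [
    {"role": WI_ROLE, "members": ["serviceAccount:demo-project.svc.id.goog[payments/app-ksa]"]}]}}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [f"serviceAccount:{GSA}"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}]}


def run_healthy():
    """All seven checks pass."""
    return check_workload_identity(CLUSTER, POD, KSAS, GSA_POLICIES, PROJECT_POLICY)


def run_missing_binding():
    """Same setup, but the workloadIdentityUser grant on the GSA was never made:
    the Pod will authenticate as the KSA only and token exchange for the GSA fails."""
    return check_workload_identity(CLUSTER, POD, KSAS, {GSA: {"bindings": []}}, PROJECT_POLICY)


if __name__ == "__main__":
    for name, ok, detail in run_missing_binding()["checks"]:
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
```

The early returns mirror how the README's list is ordered: there is no point checking the IAM binding when the KSA has no annotation, and the binding check is the one most often wrong in practice because the member string must match the cluster's workload pool, namespace and KSA name exactly.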

Supported Versions

Prerequisites

  • gcloud cli installed and configured
  • Application Default Credentials generated using gcloud
  • kubectl installed and configured with cluster access
  • current kubectl context pointing to the relevant cluster
  • python 3 and pip installed
  • if running from source, python requirements installed: pip install -r requirements.txt

Installation

This package is published to PyPI and can be installed using pip:

pip install wi-analyzer

Necessary project access

The script can be run by a user with the Viewer role in the project.

Alternatively, the user will need enough GKE cluster access to read Pods and ServiceAccounts, plus the following IAM permissions:

  • container.clusters.get
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • resourcemanager.projects.getIamPolicy

If the GSA is in a different GCP project than the GKE cluster, you'll need the last 3 permissions on that project instead.

Using the tool

$ wi-analyzer --help
usage: wi-analyzer [-h] [-n NAMESPACE] [-d] pod

GKE Workload Identity Analyzer

positional arguments:
  pod                   Kubernetes Pod name to check

options:
  -h, --help            show this help message and exit
  -n NAMESPACE, --namespace NAMESPACE
                        Kubernetes Namespace to run in
  -p PROJECT, --project PROJECT
                        GCP Project holding the cluster
  -l LOCATION, --location LOCATION
                        The GCP location of the cluster
  -c CLUSTER, --cluster CLUSTER
                        The name of the cluster
  -d, --debug           Enable debug logging

Configure your current context to point at the cluster where the workload is running. Either configure the relevant namespace for the current context or pass the namespace name using the -n flag.

Pass a Pod name to check. The Pod can belong to a Deployment, Job, StatefulSet, etc., but it has to be running already.

TODO
