kubernetes/kops

Feature - Support GCP IAM Roles for Service Accounts

Open

#14,695 opened on Nov 30, 2022

View on GitHub
 (4 comments) (3 reactions) (1 assignee)Go (14,270 stars) (4,389 forks)batch import
area/provider/gcphelp wantedkind/feature

Description

/kind feature

1. Describe IN DETAIL the feature/behavior/change you would like to see. GCP has support for IAM Roles using K8s service accounts, and I think it would be great if kOps could handle configuring this automatically. GKE Workload Identity docs.

kOps already supports AWS IAM Roles for service accounts docs. Example of kOps cluster spec stanza:

spec:
  serviceAccountIssuerDiscovery:
    discoveryStore: s3://publicly-readable-store
    enableAWSOIDCProvider: true

Ideally, I would define a similar stanza for serviceAccountIssuerDiscovery but with GCP specific values

spec:
  serviceAccountIssuerDiscovery:
    discoveryStore: gs://publicly-readable-store
    enableGCPOIDCProvider: true

I've also found gcp-workload-identity-federation-webhook which does the same things as amazon-eks-pod-identity-webhook. Maybe kOps can add that to addons as well.

FR for AWS IAM Role for Service accounts - https://github.com/kubernetes/kops/issues/8264

2. Feel free to provide a design supporting your feature request.

Contributor guide

Tech stack
gogcp
Domain
backendcloudsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
over 1 week
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Knowledge of kOpsGCP IAMKubernetes service accounts
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
This issue requests GCP IAM Roles for service accounts, similar to the existing AWS IRSA feature. The current implementation is in the `serviceAccountIssuerDiscovery` config. To start, examine the AWS IRSA code in kOps (e.g., `pkg/...` related to service account discovery). The linked GKE Workload Identity docs and the gcp workload identity federation webhook repository provide reference implementations. The assignee may already have a design in mind; check comments for any updates. The scope involves adding a GCP OIDC provider and potentially a webhook addon.
Feature - Support GCP IAM Roles for Service Accounts · kubernetes/kops#14695 | Good First Issue