Workload Identity
1. Workload Identity
GKE Workload Identity simplifies how containerized applications access Google Cloud services. Instead of managing service account keys in a GKE environment, containers can authenticate directly by using their dedicated credentials. This enhances security and streamlines access control for deployments.

So, how do you use the Workload Identity feature? When you enable Workload Identity on the first cluster in a project, GKE automatically creates the pool by using the format "PROJECT_ID.svc.id.goog". Any new node pools that you create have Workload Identity enabled by default. Containers deployed to those node pools are then able to use their service account credentials to authenticate to Google Cloud services, either through the Google Cloud Command Line Interface or by using the Application Default Credentials library. To use Workload Identity on individual node pools, it must first be activated at the cluster level. It's useful to know that Autopilot clusters enable Workload Identity by default.

A couple of commands are available to enable Workload Identity on clusters. The first is the gcloud container clusters create command, which can be used to enable Workload Identity on a new Standard cluster. The second is the gcloud container clusters update command, which can be used to enable Workload Identity on an existing Standard cluster. Before you migrate any applications to use Workload Identity, it's a best practice to create a new node pool.

After Workload Identity is enabled, you need to configure your applications to authenticate to Google Cloud using Workload Identity. You need to assign a Kubernetes service account to the application, and then configure that Kubernetes service account to act as an IAM service account. Now let's explore the steps involved in configuring an application to use Workload Identity. The first step is to create a new namespace to use for the Kubernetes service account. You can use the kubectl create namespace command.
Next, you need to create a new Kubernetes service account for your application to use, rather than reusing an existing Kubernetes service account in any namespace, including the default service account. To accomplish this, use the kubectl create serviceaccount command. From there, create an IAM allow policy that references the Kubernetes ServiceAccount. To do this, use the add-iam-policy-binding gcloud command. You can use any IAM service account in any project in your organization. Be sure to grant permission only to the specific Google Cloud resources that your application needs to access. The next step is to grant the required roles to the service account, for example, the Storage Object Viewer role. And finally, add the name of the service account and identify which specific nodes the Pod should be scheduled to run on. This can be applied to your cluster by using a kubectl apply command.

2. Let's practice!
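The full procedure described above, written as a script. This is an added example and not part of the course material: every project, cluster, location, namespace and service account name is a constructed placeholder (overridable through environment variables), and the commands only run against a real project when the script is invoked with the argument apply. The helper functions build the Workload Identity pool name, the IAM member string that scopes impersonation to one Kubernetes service account, and the two manifests (the annotated ServiceAccount and a Pod pinned to nodes running the GKE metadata server).

```shell
#!/usr/bin/env sh
# Added example (not from the course page). All names below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder project
CLUSTER="${CLUSTER:-my-cluster}"            # placeholder Standard cluster
LOCATION="${LOCATION:-us-central1}"         # placeholder cluster location
NAMESPACE="${NAMESPACE:-app-ns}"            # placeholder namespace
KSA="${KSA:-app-ksa}"                       # placeholder Kubernetes service account
GSA="${GSA:-app-gsa}"                       # placeholder IAM service account name
GSA_EMAIL="${GSA}@${PROJECT_ID}.iam.gserviceaccount.com"

# Workload Identity pool that GKE creates for a project: PROJECT_ID.svc.id.goog
workload_pool() { printf '%s.svc.id.goog' "$1"; }

# IAM member that names exactly one KSA in one namespace of the pool, so only
# that KSA (not every Pod in the cluster) may impersonate the IAM service account.
ksa_member() { printf 'serviceAccount:%s[%s/%s]' "$(workload_pool "$1")" "$2" "$3"; }

# ServiceAccount manifest: the annotation binds the KSA to the IAM service account.
# Args: GSA email, namespace, KSA name.
render_ksa_manifest() {
cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $3
  namespace: $2
  annotations:
    iam.gke.io/gcp-service-account: $1
EOF
}

# Pod manifest: names the KSA and restricts scheduling to nodes that run the
# GKE metadata server, which is what serves Workload Identity tokens.
# Args: namespace, KSA name.
render_pod_manifest() {
cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: workload-identity-test
  namespace: $1
spec:
  serviceAccountName: $2
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"
  containers:
  - name: test
    image: google/cloud-sdk:slim
    command: ["gcloud", "auth", "list"]
EOF
}

enable_workload_identity() {
  # Existing Standard cluster (for a new one, use "clusters create" with the same flag).
  gcloud container clusters update "$CLUSTER" --location "$LOCATION" \
    --workload-pool="$(workload_pool "$PROJECT_ID")"
  # Best practice from the page: migrate applications onto a fresh node pool.
  gcloud container node-pools create wi-pool --cluster "$CLUSTER" \
    --location "$LOCATION" --workload-metadata=GKE_METADATA
}

configure_app() {
  kubectl create namespace "$NAMESPACE"
  kubectl create serviceaccount "$KSA" --namespace "$NAMESPACE"
  gcloud iam service-accounts create "$GSA" --project "$PROJECT_ID"
  # Grant only what the application needs (Storage Object Viewer, as in the page).
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${GSA_EMAIL}" --role roles/storage.objectViewer
  # IAM allow policy that lets this one KSA act as the IAM service account.
  gcloud iam service-accounts add-iam-policy-binding "$GSA_EMAIL" \
    --role roles/iam.workloadIdentityUser \
    --member "$(ksa_member "$PROJECT_ID" "$NAMESPACE" "$KSA")"
  render_ksa_manifest "$GSA_EMAIL" "$NAMESPACE" "$KSA" | kubectl apply -f -
  render_pod_manifest "$NAMESPACE" "$KSA" | kubectl apply -f -
}

# Only touch a real project when explicitly asked; otherwise just print the manifests.
if [ "${1:-}" = "apply" ]; then
  enable_workload_identity
  configure_app
else
  render_ksa_manifest "$GSA_EMAIL" "$NAMESPACE" "$KSA"
  render_pod_manifest "$NAMESPACE" "$KSA"
fi
```

Run the script with no arguments to review the generated manifests, then with apply once PROJECT_ID, CLUSTER and LOCATION point at your own environment. The member string produced by ksa_member is the part worth checking in a review: it must name the namespace and the Kubernetes service account, because a binding that covers a broader principal lets more workloads than intended act as the IAM service account.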