- Container images for `token-injector-webhook`, the `token-injector` tool and the `certificator` tool (see separate repository) should be built and uploaded to a Container Registry accessible from the GKE cluster.
- Export AWS credentials into environment variables:

```sh
export AWS_ACCESS_KEY_ID="aws-access-key-id"
export AWS_SECRET_ACCESS_KEY="aws-secret-access-key"
export AWS_REGION="us-east-1"
```

- Log in to GCP:

```sh
gcloud auth application-default login
```

- GKE cluster with Workload Identity enabled. For this, you can use the Terraform code, as shown below.

```sh
rm terraform/webhook.tf
cd terraform
terraform init
terraform plan
terraform apply
```

Then fetch the cluster credentials:

```sh
gcloud container clusters get-credentials ${GKE_CLUSTER_NAME} --region ${GCP_REGION} --project ${PROJECT_ID}
```

For example:

```sh
gcloud container clusters get-credentials regional-cluster-test --region us-west1 --project ylebi-rnd
```

Then install the admission webhook Helm chart from the `helm-chart` directory, passing the API server CA bundle from your kubeconfig:

```sh
cd ../helm-chart
helm upgrade --install admission-webhook-v1 . --values values.yaml --set apiserverCABundle=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}') --namespace webhook
```

- Create a k8s Pod configuration as shown below:

```sh
cat > test-pod.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: "application-namespace"
  labels:
    admission.token-injector/enabled: "true"
spec:
  serviceAccountName: "aws-reader-sa"
  containers:
    - name: test-pod
      image: mikesir87/aws-cli
      command: ["tail", "-f", "/dev/null"]
EOF
```

- Apply the Pod configuration from the YAML file:

```sh
kubectl apply -f test-pod.yaml
```

- Connect to the running k8s Pod:

```sh
kubectl exec -it test-pod -n application-namespace -- bash
```

- Run the following command in the Pod shell to check the AWS assumed role:

```sh
aws sts get-caller-identity
```

The output should look similar to the below:

```json
{
  "UserId": "AROAXXPBSFGLKUDFGHT7Q:token-injector-webhook-luwkompqhfewtygb",
  "Account": "531438381462",
  "Arn": "arn:aws:sts::531438381462:assumed-role/gke-reader-role/token-injector-webhook-luwkompqhfewtygb"
}
```
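As an added check (not part of the token-injector-webhook project's own code), the POSIX shell helper below verifies two things from the procedure above: that a Pod manifest carries the opt-in label and a `serviceAccountName` before you apply it, and that the `aws sts get-caller-identity` output from inside the Pod names the expected account and assumed role, not some other identity such as an IAM user from static keys still sitting in the environment. The sample manifest and STS response embedded in the script are constructed from the page's example values, and the function names are my own.

```shell
#!/bin/sh
# Added verification helper; assumed/constructed names are marked below.

# Print "<account> <role>" parsed from the Arn field of an
# `aws sts get-caller-identity` JSON response read from stdin.
# Returns 1 and prints nothing when the Arn is not an assumed-role ARN
# (for example an IAM user ARN from static credentials).
parse_assumed_role() {
  out=$(sed -n 's|.*"Arn": *"arn:aws:sts::\([0-9]*\):assumed-role/\([^/"]*\)/.*|\1 \2|p')
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# Succeed only when the identity on stdin matches $1 (account id) and
# $2 (role name); diagnostics go to stderr so the exit code is the signal.
check_caller_identity() {
  expected_account=$1
  expected_role=$2
  parsed=$(parse_assumed_role) || { echo "not an assumed-role identity" >&2; return 1; }
  account=${parsed%% *}
  role=${parsed#* }
  [ "$account" = "$expected_account" ] || { echo "account mismatch: $account" >&2; return 1; }
  [ "$role" = "$expected_role" ] || { echo "role mismatch: $role" >&2; return 1; }
  echo "ok: $role in $account"
}

# Cheap grep-based sanity check (not a YAML parser) that a Pod manifest file
# has the opt-in label from the page's example and names a service account.
manifest_opts_in() {
  file=$1
  grep -q 'admission.token-injector/enabled: *"true"' "$file" || { echo "missing opt-in label" >&2; return 1; }
  grep -q '^ *serviceAccountName:' "$file" || { echo "missing serviceAccountName" >&2; return 1; }
}

# Constructed sample manifest, mirroring the page's test-pod.yaml.
SAMPLE_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: application-namespace
  labels:
    admission.token-injector/enabled: "true"
spec:
  serviceAccountName: aws-reader-sa
  containers:
    - name: test-pod
      image: mikesir87/aws-cli
      command: ["tail", "-f", "/dev/null"]'

# Constructed STS response using the account and role from the page's output;
# the session name is a placeholder.
SAMPLE_IDENTITY='{
  "UserId": "AROAEXAMPLEID:token-injector-webhook-example",
  "Account": "531438381462",
  "Arn": "arn:aws:sts::531438381462:assumed-role/gke-reader-role/token-injector-webhook-example"
}'

# Constructed response for the failure case: static IAM user credentials.
USER_IDENTITY='{ "UserId": "AIDAEXAMPLEID", "Account": "531438381462", "Arn": "arn:aws:iam::531438381462:user/alice" }'

# Stand-alone demo on the constructed samples.
TMP_MANIFEST=$(mktemp)
printf '%s\n' "$SAMPLE_MANIFEST" > "$TMP_MANIFEST"
if manifest_opts_in "$TMP_MANIFEST"; then
  echo "manifest opts in to token injection"
fi
rm -f "$TMP_MANIFEST"
if printf '%s\n' "$SAMPLE_IDENTITY" | check_caller_identity 531438381462 gke-reader-role; then
  echo "pod is running under the expected role"
fi

# Against a live cluster (no -t, since the output is piped):
#   kubectl exec test-pod -n application-namespace -- aws sts get-caller-identity \
#     | check_caller_identity 531438381462 gke-reader-role
```

The account id and role name are passed in rather than hard-coded so the same check can run against each environment; a non-zero exit is the signal that the Pod is running as something other than the role the webhook was meant to hand it.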