Name: gke-serviceaccounts-initializer
Owner: Google Cloud Platform
Description: [EXPERIMENTAL] Configure Pods with Google Cloud Service Accounts via an annotation.
Created: 2017-10-17 19:22:55.0
Updated: 2018-03-21 19:28:40.0
Pushed: 2017-11-29 19:17:16.0
Size: 40
Language: Go
:warning: This is pre-release software. Do not use it for production purposes.
This add-on injects Google Cloud Service Account credentials, previously imported into the cluster as Secrets, into Pods running on Container Engine.
Install this initializer into your cluster and add the following annotation to the metadata.annotations field of your Pod template or specification:

```yaml
annotations:
  iam.cloud.google.com/service-account: "[SECRET-NAME]"
```
Create an alpha cluster on GKE (the Initializers feature is not beta until v1.9):

```sh
gcloud container clusters create test-cluster \
  --enable-kubernetes-alpha
```
Clone this repository and deploy the initializer to the kube-system namespace:

```
kubectl apply -f kube/
deployment "gke-serviceaccounts-initializer" created
initializerconfiguration "gke-serviceaccounts" created
```
Import a fake service account file as a Secret named foo:

```sh
kubectl create secret generic foo --from-literal=key.json=I_AM_FAKE
```
Next, create a Deployment that specifies the annotation in the Pod spec:

```yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx-inject-demo
spec:
  template:
    metadata:
      annotations:
        iam.cloud.google.com/service-account: foo
      labels:
        app: nginx
    spec:
      containers:
      - name: web
        image: nginx
```
Save this to nginx.yaml and run:

```
kubectl apply -f nginx.yaml
deployment "nginx-inject-demo" created
```
Query the pods and verify that the pod has started:

```
kubectl get pods
nginx-inject-demo-6577b68687-2lvj8   1/1       Running   0          25s
```
Query the pod object and note that the Secret is mounted read-only under /var/run/secrets/gcp/foo and that a GOOGLE_APPLICATION_CREDENTIALS environment variable is created to point at the GCP Service Account credentials file inside that mount:

```
kubectl get pods -l app=nginx -o=yaml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-inject-demo-6577b68687-2lvj8
  namespace: default
  annotations:
    iam.cloud.google.com/service-account: foo
  labels:
    app: nginx
  # ...
# ...
spec:
  containers:
  - name: web
    image: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/gcp/foo
      name: gcp-foo
      readOnly: true
    # (... + default volumeMounts)
    env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /var/run/secrets/gcp/foo/key.json
  volumes:
  - name: gcp-foo
    secret:
      secretName: foo
      defaultMode: 420
  # (... + default volumes)
# ...
```
See CONTRIBUTING.md for more information.
This is not an official Google product.