Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Co-authored-by: Amit Lichtenberg <[email protected]>
Co-authored-by: Tomer Greenwald <[email protected]>
Co-authored-by: Amit Lichtenberg <[email protected]>
Co-authored-by: Ori Shoshan <[email protected]>
1 parent be5a8fb, commit b7504b2
Showing 12 changed files with 489 additions and 8 deletions.
@@ -0,0 +1,8 @@ | ||
{ | ||
"label": "GCP IAM", | ||
"position": 2, | ||
"collapsed": true, | ||
"customProps": { | ||
"image": "/img/icons/gcp.png" | ||
} | ||
} |
@@ -0,0 +1,64 @@ | ||
--- | ||
sidebar_position: 1 | ||
title: GCP IAM | Overview | ||
hide_table_of_contents: true | ||
hide_title: true | ||
--- | ||
|
||
import DocsLinkCard from "@site/src/components/LinkCard"; | ||
|
||
export const tutorials = [ | ||
{ | ||
title: 'Automate GCP IAM for GKE', | ||
description: 'Create just-in-time GCP IAM roles and policies that are kept in sync with your workloads', | ||
url: '/features/gcp-iam/tutorials/gcp-iam-gke' | ||
}, | ||
]; | ||
|
||
|
||
# GCP IAM | ||
|
||
Otterize can create just-in-time GCP IAM workload identities & role assignments for your workloads running on GKE Kubernetes clusters, greatly simplifying the lifecycle of managing GCP IAM identities and roles. | ||
|
||
### Tutorials | ||
|
||
To learn how to use the Intents Operator and Credentials Operator to manage just-in-time GCP IAM access, check out the tutorial. | ||
<DocsLinkCard items={tutorials} colSize={"sm"}/> | ||
|
||
|
||
### How does Otterize work with GCP IAM? | ||
|
||
1. First, the GKE cluster must have: | ||
- Enabled [workload identity federation for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) | ||
- [Config Connector Installed](https://cloud.google.com/config-connector/docs/how-to/install-upgrade-uninstall) | ||
- [Otterize installed](/overview/installation). | ||
2. To have a role created for a pod, label the pod with `credentials-operator.otterize.com/create-gcp-sa: "true"` | ||
3. The credentials operator will: | ||
- Annotate the pod ServiceAccount and Namespace with the relevant workload identity and Otterize labels. | ||
- Create a GCP ServiceAccount and bind it to the pod ServiceAccount. | ||
4. At this point, the pod is connected to your GCP project through the newly created GCP ServiceAccount but does not have any permissions to perform any action. We will need to create a ClientIntents YAML for the access the service requires and apply it to our cluster. Below is an example of a ClientIntents file for accessing a GCS bucket. View the [reference](/features/gcp-iam/reference) to learn more about the GCP IAM ClientIntents syntax. | ||
5. Once the intent is applied, the intents operator will create a new GCP IAM policy, which will be attached to the service’s role with the appropriate access. | ||
6. Done! | ||
|
||
```yaml | ||
apiVersion: k8s.otterize.com/v1alpha3 | ||
kind: ClientIntents | ||
metadata: | ||
name: server | ||
namespace: my-namespace | ||
spec: | ||
service: | ||
name: server | ||
calls: | ||
- name: projects/_/buckets/otterize-demo-bucket* | ||
type: gcp | ||
gcpPermissions: | ||
- "storage.admin" | ||
``` | ||
|
||
### Automatically generating ClientIntents for GCP IAM | ||
|
||
Figuring out which access you need for GCP can be a painful, trial and error process, and something you _must_ do if you're tightening production access. | ||
|
||
Otterize is getting ready to release support for using existing traffic to generate least-privilege IAM policies. Keen to try this out as part of early access? Sign up to the [Early Access Beta Program](https://otterize.com/EarlyAccessBetaProgram) and we'll be in touch! | ||
|
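Review bot: step 2 (`label the pod with credentials-operator.otterize.com/create-gcp-sa: "true"`) and the reference page's table, which lists the same key under "Annotations", disagree on whether this is a pod label or an annotation; pick one term, use it on both pages, and state whether it goes on the pod or on its ServiceAccount. Step 5 also says the policy is attached to "the service's role", while step 3 creates a GCP ServiceAccount; saying "the service's GCP service account" would make the binding target clear. Finally, the overview example grants `storage.admin` on a wildcard bucket name on a page whose stated goal is least-privilege access; a narrower role such as the `storage.objectViewer` used in the reference example would model the intended practice better.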
@@ -0,0 +1,49 @@ | ||
--- | ||
sidebar_position: 3 | ||
title: Reference | ||
--- | ||
|
||
### ClientIntents example (YAML) | ||
|
||
```yaml | ||
apiVersion: k8s.otterize.com/v1alpha3 | ||
kind: ClientIntents | ||
metadata: | ||
name: server | ||
spec: | ||
service: | ||
# The name of the pod that will be granted access | ||
name: server | ||
calls: | ||
# The GCP resource name as defined in the linked documentation below | ||
# Wildcards can be used in the end of the resource name to match multiple and nested resources | ||
- name: projects/_/buckets/otterize-demo-bucket* | ||
type: gcp | ||
# one or more GCP Roles that will be provided to the specified resources | ||
gcpPermissions: | ||
- "storage.admin" | ||
# Multiple call definitions can be defined for a single service. | ||
- name: projects/_/buckets/otterize-read-only-bucket* | ||
type: gcp | ||
gcpPermissions: | ||
- "storage.objectViewer" | ||
``` | ||
|
||
### GCP documentation references | ||
- For GCP resource names, refer to the [Resource Name Format](https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name) documentation. | ||
- For GCP roles and permissions, refer to the [Predefined roles and permissions](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) documentation. | ||
|
||
### Annotations | ||
|
||
| Key | Description | Default | | ||
|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| | ||
| `credentials-operator.otterize.com/create-gcp-sa` | When set to **true**, the credential operator will create a unique GCP service account for the K8S ServiceAccount of the associated pod | `false` | | ||
|
||
|
||
### Helm Chart options | ||
|
||
| Key | Description | Default | | ||
|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| | ||
| `global.gcp.enabled` | Enable or disable GCP integration | `false` | | ||
|
||
View the [Helm chart reference](/reference/configuration/otterize-chart) for all other options |
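Review bot: the `gcpPermissions` field is described in the `calls` comment as "one or more GCP Roles", and the values `storage.admin` and `storage.objectViewer` are role IDs rather than IAM permissions; either rename the field or state explicitly that it takes role IDs, and say whether the `roles/` prefix shown on the linked "Predefined roles" page is accepted or must be omitted. The wildcard comment should read "at the end of the resource name" and should say what happens if `*` appears elsewhere in the name (rejected, or matched literally). In the annotations table, "credential operator" should match the "credentials operator" used on the overview page, and the description should note that setting the annotation creates a cloud-side resource (a GCP service account), since that side effect is what readers of a reference will look for.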
@@ -0,0 +1,5 @@ | ||
{ | ||
"label": "Tutorials", | ||
"position": 2, | ||
"collapsed": false | ||
} |