GCP IAM docs & tutorials (#209)

Co-authored-by: Amit Lichtenberg <[email protected]> Co-authored-by: Tomer Greenwald <[email protected]> Co-authored-by: Amit Lichtenberg <[email protected]> Co-authored-by: Ori Shoshan <[email protected]>
otterize · Mar 14, 2024 · b7504b2 · b7504b2
1 parent be5a8fb
commit b7504b2
Show file tree

Hide file tree

Showing 12 changed files with 489 additions and 8 deletions.
diff --git a/docs/features/aws-iam/reference.mdx b/docs/features/aws-iam/reference.mdx
@@ -33,7 +33,7 @@ spec:
 
 | Key                                                        | Description                                                                                                                                                                                  | Default  |
 |------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| `credentials-operator.otterize.com/create-aws-role` | By setting to **true** the credential operator will create an unique AWS Role for the associated pod | `false` |
+| `credentials-operator.otterize.com/create-aws-role` | When set to **true**, the credential operator will create an unique AWS Role for the associated pod | `false` |
 
 
 ### Helm Chart options

diff --git a/docs/features/azure-iam/index.mdx b/docs/features/azure-iam/index.mdx
@@ -18,12 +18,6 @@ export const tutorials = [
 
 # Azure IAM
 
-:::info
-Azure IAM support is currently a part of our early access program.
-Sign up to the [Early Access Beta Program](https://otterize.com/EarlyAccessBetaProgram) and we'll be in touch!
-:::
-
-
 Otterize can create just-in-time Azure IAM workload identities & role assignments for your workloads running on AKS Kubernetes clusters, greatly simplifying the lifecycle of managing Azure IAM identities and roles.
 
 ### Tutorials

diff --git a/docs/features/azure-iam/reference.mdx b/docs/features/azure-iam/reference.mdx
@@ -27,7 +27,7 @@ spec:
 
 | Key                                                        | Description                                                                                                                                                                                  | Default  |
 |------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| `credentials-operator.otterize.com/create-azure-workload-identity` | By setting to **true** the credential operator will create an Azure workload identity the associated pod | `false` |
+| `credentials-operator.otterize.com/create-azure-workload-identity` | When set to **true**, the credential operator will create an Azure workload identity the associated pod | `false` |
 
 
 ### Helm Chart options

diff --git a/docs/features/gcp-iam/_category_.json b/docs/features/gcp-iam/_category_.json
@@ -0,0 +1,8 @@
+{
+  "label": "GCP IAM",
+  "position": 2,
+  "collapsed": true,
+  "customProps": {
+    "image": "/img/icons/gcp.png"
+  }
+}
diff --git a/docs/features/gcp-iam/index.mdx b/docs/features/gcp-iam/index.mdx
@@ -0,0 +1,64 @@
+---
+sidebar_position: 1
+title: GCP IAM | Overview
+hide_table_of_contents: true
+hide_title: true
+---
+
+import DocsLinkCard from "@site/src/components/LinkCard";
+
+export const tutorials = [
+    {
+        title: 'Automate GCP IAM for GKE',
+        description: 'Create just-in-time GCP IAM roles and policies that are kept in sync with your workloads',
+        url: '/features/gcp-iam/tutorials/gcp-iam-gke'
+    },
+];
+
+
+# GCP IAM
+
+Otterize can create just-in-time GCP IAM workload identities & role assignments for your workloads running on GKE Kubernetes clusters, greatly simplifying the lifecycle of managing GCP IAM identities and roles.
+
+### Tutorials
+
+To learn how to use the Intents Operator and Credentials Operator to manage just-in-time GCP IAM access, check out the tutorial.
+<DocsLinkCard items={tutorials} colSize={"sm"}/>
+
+
+### How does Otterize work with GCP IAM?
+
+1. First, the GKE cluster must have:
+   - Enabled [workload identity federation for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
+   - [Config Connector Installed](https://cloud.google.com/config-connector/docs/how-to/install-upgrade-uninstall)
+   - [Otterize installed](/overview/installation).
+2. To have a role created for a pod, label the pod with `credentials-operator.otterize.com/create-gcp-sa: "true"`
+3. The credentials operator will:
+   - Annotate the pod ServiceAccount and Namespace with the relevant workload identity and Otterize labels.
+   - Create a GCP ServiceAccount and bind it to the pod ServiceAccount.
+4. At this point, the pod is connected to your GCP project through the newly created GCP ServiceAccount but does not have any permissions to perform any action. We will need to create a ClientIntents YAML for the access the service requires and apply it to our cluster. Below is an example of a ClientIntents file for accessing a GCS bucket. View the [reference](/features/gcp-iam/reference) to learn more about the GCP IAM ClientIntents syntax.
+5. Once the intent is applied, the intents operator will create a new GCP IAM policy, which will be attached to the service’s role with the appropriate access.
+6. Done!
+
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: server
+  namespace: my-namespace
+spec:
+  service:
+    name: server
+  calls:
+    - name: projects/_/buckets/otterize-demo-bucket*
+      type: gcp
+      gcpPermissions:
+        - "storage.admin"
+```
+
+### Automatically generating ClientIntents for GCP IAM
+
+Figuring out which access you need for GCP can be a painful, trial and error process, and something you _must_ do if you're tightening production access.
+
+Otterize is getting ready to release support for using existing traffic to generate least-privilege IAM policies. Keen to try this out as part of early access? Sign up to the [Early Access Beta Program](https://otterize.com/EarlyAccessBetaProgram) and we'll be in touch!
+
diff --git a/docs/features/gcp-iam/reference.mdx b/docs/features/gcp-iam/reference.mdx
@@ -0,0 +1,49 @@
+---
+sidebar_position: 3
+title: Reference
+---
+
+### ClientIntents example (YAML)
+
+```yaml
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: server
+spec:
+  service:
+    # The name of the pod that will be granted access
+    name: server
+  calls:
+      # The GCP resource name as defined in the linked documentation below
+      # Wildcards can be used in the end of the resource name to match multiple and nested resources
+    - name: projects/_/buckets/otterize-demo-bucket*
+      type: gcp
+      # one or more GCP Roles that will be provided to the specified resources
+      gcpPermissions:
+        - "storage.admin"
+      # Multiple call definitions can be defined for a single service.
+	- name: projects/_/buckets/otterize-read-only-bucket*
+      type: gcp
+      gcpPermissions:
+        - "storage.objectViewer"
+```
+
+### GCP documentation references
+   - For GCP resource names, refer to the [Resource Name Format](https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name) documentation.
+   - For GCP roles and permissions, refer to the [Predefined roles and permissions](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) documentation.
+
+### Annotations
+
+| Key                                                        | Description                                                                                                                                                                                  | Default  |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `credentials-operator.otterize.com/create-gcp-sa` | When set to **true**, the credential operator will create a unique GCP service account for the K8S ServiceAccount of the associated pod | `false` |
+
+
+### Helm Chart options
+
+| Key                                                        | Description                                                                                                                                                                                  | Default  |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `global.gcp.enabled`                                       | Enable or disable GCP integration                                                                                                                                                            | `false`  |
+
+View the [Helm chart reference](/reference/configuration/otterize-chart) for all other options
diff --git a/docs/features/gcp-iam/tutorials/_category_.json b/docs/features/gcp-iam/tutorials/_category_.json
@@ -0,0 +1,5 @@
+{
+  "label": "Tutorials",
+  "position": 2,
+  "collapsed": false
+}