GKE Workload Identity Analyzer
This script takes a Pod name (running in the current context) and performs checks to ensure that Workload Identity is properly configured.
Performed checks
- Workload Identity enabled on the GKE cluster
- Pod has `.spec.serviceAccountName` configured
- KSA (configured in previous step) exists
- KSA is annotated correctly with a GSA
- GSA (configured in previous step) exists in the project
- KSA has `roles/iam.workloadIdentityUser` on the GSA
- GSA IAM roles in the project
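The two checks that fail most often in practice are the KSA annotation and the `roles/iam.workloadIdentityUser` binding, so here is an added example (not wi-analyzer's own code) that re-implements just those two on data you already have locally, instead of calling the Kubernetes and IAM APIs. It assumes the KSA object is shaped like `kubectl get sa -o json` output and the GSA policy like `gcloud iam service-accounts get-iam-policy --format json` output; the sample objects, the project id `example-project` and the account names are constructed for the example.

```python
"""Offline checks for the KSA -> GSA half of GKE Workload Identity.

Added example; not part of wi-analyzer. It checks the KSA annotation
and the roles/iam.workloadIdentityUser binding on locally supplied
data, using the same identifiers GKE and IAM use for the real check.
"""
import re
from typing import Dict, List, Optional, Set

# Annotation GKE reads on a KSA to learn which GSA it should impersonate.
GSA_ANNOTATION = "iam.gke.io/gcp-service-account"
WI_USER_ROLE = "roles/iam.workloadIdentityUser"
# Shape of a GSA e-mail: NAME@PROJECT.iam.gserviceaccount.com, where NAME
# and PROJECT are 6-30 chars of [a-z0-9-] starting with a letter.
GSA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]"
    r"\.iam\.gserviceaccount\.com$"
)


def gsa_from_ksa(ksa: Dict) -> Optional[str]:
    """Return the GSA e-mail named in the KSA annotation, or None if unset."""
    annotations = ksa.get("metadata", {}).get("annotations") or {}
    return annotations.get(GSA_ANNOTATION)


def expected_member(cluster_project: str, namespace: str, ksa_name: str) -> str:
    """IAM member string that identifies this KSA in the cluster's WI pool."""
    return f"serviceAccount:{cluster_project}.svc.id.goog[{namespace}/{ksa_name}]"


def members_with_role(policy: Dict, role: str) -> Set[str]:
    """Collect every member bound to `role` in a getIamPolicy-style dict."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def analyze(ksa: Dict, gsa_policy: Dict, cluster_project: str) -> List[str]:
    """Return findings; an empty list means the KSA -> GSA link checks out."""
    findings: List[str] = []
    name = ksa["metadata"]["name"]
    namespace = ksa["metadata"].get("namespace", "default")
    gsa = gsa_from_ksa(ksa)
    if gsa is None:
        findings.append(f"KSA {namespace}/{name} lacks the {GSA_ANNOTATION} annotation")
        return findings  # nothing else to check without a GSA
    if not GSA_EMAIL_RE.match(gsa):
        findings.append(f"annotation value {gsa!r} is not a GSA e-mail")
    member = expected_member(cluster_project, namespace, name)
    if member not in members_with_role(gsa_policy, WI_USER_ROLE):
        findings.append(f"{member} is not bound to {WI_USER_ROLE} on {gsa}")
    return findings


# Constructed sample data (not real resources).
SAMPLE_KSA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "app-ksa",
        "namespace": "payments",
        "annotations": {GSA_ANNOTATION: "app-gsa@example-project.iam.gserviceaccount.com"},
    },
}
SAMPLE_POLICY_OK = {
    "bindings": [
        {"role": WI_USER_ROLE,
         "members": ["serviceAccount:example-project.svc.id.goog[payments/app-ksa]"]}
    ]
}
# Same policy but the binding names the wrong namespace, a frequent mistake:
# the pod then gets the GKE node's identity instead of the GSA.
SAMPLE_POLICY_WRONG_NS = {
    "bindings": [
        {"role": WI_USER_ROLE,
         "members": ["serviceAccount:example-project.svc.id.goog[default/app-ksa]"]}
    ]
}

if __name__ == "__main__":
    for label, policy in (("ok", SAMPLE_POLICY_OK), ("wrong-namespace", SAMPLE_POLICY_WRONG_NS)):
        print(label, analyze(SAMPLE_KSA, policy, "example-project") or "no findings")
```

The member string is built from the cluster's project, not the GSA's: the Workload Identity pool is always `CLUSTER_PROJECT.svc.id.goog`, which is why a GSA in another project still needs the binding expressed in terms of the cluster project's pool.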
Prerequisites
- `gcloud` CLI installed and configured
- Application Default Credentials generated using gcloud
- `kubectl` installed and configured with cluster access
- current kubectl context pointing to the relevant cluster
- python 3 and pip installed
- if running from source, python requirements installed: `pip install -r requirements.txt`
Installation
This package is published to PyPI and can be installed using pip:
pip install wi-analyzer
Necessary project access
The script can be run by a user with the Viewer role in the project.
Alternatively, the user will need enough GKE cluster access to read Pods and ServiceAccounts, plus the following IAM permissions:
- container.clusters.get
- iam.serviceAccounts.get
- iam.serviceAccounts.getIamPolicy
- resourcemanager.projects.getIamPolicy
If the GSA is in a different GCP project than the GKE cluster, you'll need the last 3 permissions on that project instead.
Using the tool
$ wi-analyzer --help
usage: wi-analyzer [-h] [-n NAMESPACE] [-d] pod
GKE Workload Identity Analyzer
positional arguments:
pod Kubernetes Pod name to check
options:
-h, --help show this help message and exit
-n NAMESPACE, --namespace NAMESPACE
Kubernetes Namespace to run in
-p PROJECT, --project PROJECT
GCP Project holding the cluster
-l LOCATION, --location LOCATION
The GCP location of the cluster
-c CLUSTER, --cluster CLUSTER
The name of the cluster
-d, --debug Enable debug logging
Configure your current context to point at the cluster where the workload is running.
Either configure the relevant namespace for the current context or pass the namespace name using the -n flag.
Pass a pod name to check - it can be part of a Deployment, Job, StatefulSet, etc., but it has to be running already.
TODO
- Support Fleet Workload Identity (GKE WI for Anthos)
File details
Details for the file wi-analyzer-0.1.3.tar.gz.
File metadata
- Download URL: wi-analyzer-0.1.3.tar.gz
- Upload date:
- Size: 10.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 14b82a539a9b9fcefd875c6b96f5c2b2693d8f219a8f05feb8176e87346a3fa4 |
| MD5 | 05f97aba81c4ff41d8a43fd426d567f7 |
| BLAKE2b-256 | f508bfa018b03095e7ba1c489cf346a7e1121275d5b81df164b1ac75821aa02c |
File details
Details for the file wi_analyzer-0.1.3-py3-none-any.whl.
File metadata
- Download URL: wi_analyzer-0.1.3-py3-none-any.whl
- Upload date:
- Size: 8.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 084bec9ff140b2b632bad0c60ee4640fbb4ad101a1091601465da618ad058927 |
| MD5 | ba70ce56ea2440804c05b476e3b201b2 |
| BLAKE2b-256 | 0c22f2743c3bbc862662807c17dc46a2d0f2cb21b992221a2e8d5590b4a29049 |