wi-analyzer

GKE Workload Identity Analyzer

Project description

GKE Workload Identity Analyzer

This script takes a Pod name (running in the current context) and performs checks to ensure that Workload Identity is properly configured.

Performed checks

Workload Identity enabled on the GKE cluster
Pod has .spec.serviceAccountName configured
KSA (configured in previous step) exists
KSA is annotated correctly with a GSA
GSA (configured in previous step) exists in the project
KSA has roles/iam.workloadIdentityUser on the GSA
GSA IAM roles in the project

Prerequisites

gcloud cli installed and configured
Application Default Credentials generated using gcloud
kubectl installed and configured with cluster access
current kubectl context pointing to the relevant cluster
python 3 and pip installed
if running from source, python requirements installed: pip install -r requirements.txt

Installation

This package is published to PyPI and can be installed using pip:

pip install wi-analyzer

Necessary project access

The script can be run by a user with the Viewer role in the project.

Alternatively, the user will need enough GKE cluster access to read Pods and ServiceAccounts, plus the following IAM permissions:

container.clusters.get
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
resourcemanager.projects.getIamPolicy

If the GSA is in a different GCP project than the GKE cluster, you'll need the last 3 permissions on that project instead.

Using the tool

$ wi-analyzer --help
usage: wi-analyzer [-h] [-n NAMESPACE] [-d] pod

GKE Workload Identity Analyzer

positional arguments:
  pod                   Kubernetes Pod name to check

options:
  -h, --help            show this help message and exit
  -n NAMESPACE, --namespace NAMESPACE
                        Kubernetes Namespace to run in
  -p PROJECT, --project PROJECT
                        GCP Project holding the cluster
  -l LOCATION, --location LOCATION
                        The GCP location of the cluster
  -c CLUSTER, --cluster CLUSTER
                        The name of the cluster
  -d, --debug           Enable debug logging

Configure your current context to point at the cluster where the workload is running. Either configure the relevant namespace for the current context or pass the namespace name using the -n flag.

Pass a pod name to check - it can be part of a Deployment, Job, StatefulSet, etc, but it has to be running already.

TODO

Support Fleet Workload Identity (GKE WI for Anthos)

Project details

Release history Release notifications | RSS feed

This version

0.1.3

Feb 16, 2023

0.1.2

Sep 26, 2022

0.1.1

Sep 16, 2022

0.1.0

Sep 16, 2022

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

wi-analyzer-0.1.3.tar.gz (10.6 kB view hashes)

Uploaded Feb 16, 2023 Source

Built Distribution

wi_analyzer-0.1.3-py3-none-any.whl (8.5 kB view hashes)

Uploaded Feb 16, 2023 Python 3

Hashes for wi-analyzer-0.1.3.tar.gz

Hashes for wi-analyzer-0.1.3.tar.gz
Algorithm	Hash digest
SHA256	`14b82a539a9b9fcefd875c6b96f5c2b2693d8f219a8f05feb8176e87346a3fa4`
MD5	`05f97aba81c4ff41d8a43fd426d567f7`
BLAKE2b-256	`f508bfa018b03095e7ba1c489cf346a7e1121275d5b81df164b1ac75821aa02c`

Hashes for wi_analyzer-0.1.3-py3-none-any.whl

Hashes for wi_analyzer-0.1.3-py3-none-any.whl
Algorithm	Hash digest
SHA256	`084bec9ff140b2b632bad0c60ee4640fbb4ad101a1091601465da618ad058927`
MD5	`ba70ce56ea2440804c05b476e3b201b2`
BLAKE2b-256	`0c22f2743c3bbc862662807c17dc46a2d0f2cb21b992221a2e8d5590b4a29049`