GKE Workload Identity Analyzer

Project description

This script takes a Pod name (running in the current context) and performs checks to ensure that Workload Identity is properly configured.

Performed checks

  • Workload Identity enabled on the GKE cluster
  • Pod has .spec.serviceAccountName configured
  • KSA (configured in previous step) exists
  • KSA is annotated correctly with a GSA
  • GSA (configured in previous step) exists in the project
  • KSA has roles/iam.workloadIdentityUser on the GSA
  • GSA IAM roles in the project

Supported Versions

Prerequisites

  • gcloud cli installed and configured
  • Application Default Credentials generated using gcloud
  • kubectl installed and configured with cluster access
  • current kubectl context pointing to the relevant cluster
  • python 3 and pip installed
  • if running from source, python requirements installed: pip install -r requirements.txt

Installation

This package is published to PyPI and can be installed using pip:

pip install wi-analyzer

Necessary project access

The script can be run by a user with the Viewer role in the project.

Alternatively, the user will need enough GKE cluster access to read Pods and ServiceAccounts, plus the following IAM permissions:

  • container.clusters.get
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • resourcemanager.projects.getIamPolicy

If the GSA is in a different GCP project than the GKE cluster, you'll need the last 3 permissions on that project instead.

Using the tool

$ wi-analyzer --help
usage: wi-analyzer [-h] [-n NAMESPACE] [-d] pod

GKE Workload Identity Analyzer

positional arguments:
  pod                   Kubernetes Pod name to check

options:
  -h, --help            show this help message and exit
  -n NAMESPACE, --namespace NAMESPACE
                        Kubernetes Namespace to run in
  -d, --debug           Enable debug logging

Configure your current context to point at the cluster where the workload is running. Either configure the relevant namespace for the current context or pass the namespace name using the -n flag.

Pass a pod name to check. The pod can be part of a Deployment, Job, StatefulSet, etc., but it has to be running already.

Download files

Source Distribution

wi-analyzer-0.1.1.tar.gz (9.6 kB)

Built Distribution

wi_analyzer-0.1.1-py3-none-any.whl (6.7 kB)
