# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Create the mapping between the GSA running the CloudRun instance and the namespace. # This must be applied after the GSA has been created and before deploying the service. # # The GSA must also be granted "roles/container.clusterViewer" - "Kubernetes Engine Viewer" - which allows listing # the clusters in the project and read-only access. # # Current recommendation is to have one GSA per namespace, named k8s-NAMESPACE - it is used to keep permissions # isolated ( namespace is the main unit of isolation in k8s) and to simplify setup. # If using another GSA naming scheme or a shared account, the workload must set "WORKLOAD_NAMESPACE" env variable. # If the 'k8s-NAMESPACE naming is used, the namespace is based on the name of the GSA. apiVersion: networking.istio.io/v1alpha3 kind: WorkloadGroup metadata: name: gsa-${PROJECT_ID} namespace: ${WORKLOAD_NAMESPACE} spec: metadata: labels: cr-google-service-account: "k8s-${WORKLOAD_NAMESPACE}.${PROJECT_ID}" annotations: security.cloud.google.com/IdentityProvider: google template: serviceAccount: k8s-${WORKLOAD_NAMESPACE}@${PROJECT_ID}.iam.gserviceaccount.com --- # This config allows a Google Service Account to impersonate a Kubernetes Service Account by # calling the 'TokenRequest' API to get audience-bound tokens equivalent with the tokens created # by secret mounts. # It also has permissions needed to get the configmaps for connecting to Istiod. # In turn, the tokens can be used to access Istio and other services using KSA. # The role is limited to the 'default' service account in the namespace. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: ${WORKLOAD_NAMESPACE} name: gsa-${PROJECT_ID} rules: # Allows 'downscoping' - getting tokens with audience - without mounting. - apiGroups: [ "" ] resources: - "serviceaccounts/token" resourceNames: - "default" verbs: - "create" - "get" # Access to a pernamespace mesh-env. If not found, istio-system is used (mesh-env in istio-system is visible to all # authenticated users. - apiGroups: [ "" ] resources: - "configmaps" resourceNames: - "mesh-env" verbs: - "get" - apiGroups: [ "" ] resources: - "secrets" resourceNames: - "sshdebug" verbs: - "get" --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: ${WORKLOAD_NAMESPACE} name: gsa-${PROJECT_ID} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: gsa-${PROJECT_ID} subjects: - kind: User name: k8s-${WORKLOAD_NAMESPACE}@${PROJECT_ID}.iam.gserviceaccount.com