Skip to content

kiwigrid/gcp-serviceaccount-controller

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
.github
.github
 
 
api/v1beta1
api/v1beta1
 
 
config
config
 
 
controllers
controllers
 
 
hack
hack
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
PROJECT
PROJECT
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Gcp Service Account Controller

CI build and Deploy

this controller manges gcp service account over kubernetes resources.

The Helm chart can be found in the Kiwigrid helm repo. Add it via:

helm repo add kiwigrid https://kiwigrid.github.io

The Helm charts source can be found at:

https://github.com/kiwigrid/helm-charts/tree/master/charts/gcp-serviceaccount-controller

Features

  • creates gcp service accounts and creates secrets from the service account keyfile
  • handles the full lifecycle of a service account via CRD
  • keyfiles are only exists inside kubernetes and not saved outside
  • with version 0.2.0 you can restrict enabled roles per namespace via regular expressions (this feature is enabled by default; can be disabled with DISABLE_RESTRICTION_CHECK)

Deployment

First you need to create a GCP service account with at least the following permissions:

- iam.serviceAccounts.create - iam.serviceAccounts.delete - iam.serviceAccounts.get - iam.serviceAccounts.list - iam.serviceAccounts.update - iam.serviceAccountKeys.create - iam.serviceAccountKeys.delete - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list - pubsub.subscriptions.getIamPolicy - pubsub.subscriptions.setIamPolicy - pubsub.topics.getIamPolicy - pubsub.topics.setIamPolicy - storage.buckets.getIamPolicy - storage.buckets.setIamPolicy - resourcemanager.projects.getIamPolicy - resourcemanager.projects.setIamPolicy

You can use the helm chart to deploy Then add the base64 encoded file to the gcpCredentials value.

helm upgrade -i -f <YOUR_VALUES_FILE> <RELEASE_NAME> helm/

Example

This is an example resource definition for a service account:

apiVersion: gcp.kiwigrid.com/v1beta1 kind: GcpServiceAccount metadata: name: gcpserviceaccount-sample spec: serviceAccountIdentifier: kube-example serviceAccountDescription: kube-example secretName: kube-example-secret bindings: - resource: "//cloudresourcemanager.googleapis.com/projects/<PROJECT_NAME>" roles: - "roles/cloudsql.editor"

Example for buckets:

apiVersion: gcp.kiwigrid.com/v1beta1 kind: GcpServiceAccount metadata: name: gcpserviceaccount-bucket-sample spec: serviceAccountIdentifier: kube-bucket-example serviceAccountDescription: kube-bucket-example secretName: kube-bucket-example-secret bindings: - resource: buckets/my-bucket-name roles: - roles/storage.objectAdmin

Example for namespace restriction:

apiVersion: gcp.kiwigrid.com/v1beta1 kind: GcpNamespaceRestriction metadata: labels: name: gcpnamespacerestriction-sample spec: namespace: test regex: true restrictions: - resource: "^buckets/my-bucket-name$" roles: - "^roles/storage\.objectAdmin$" - resource: "^pubsub/.*$" roles: - "^roles/.*$"

About

This is a controller to automatically create gcp service accounts an save them into kubernetes secrets

Topics

go kubernetes gcp crd crd-controller serviceaccount

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

16 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

7 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages