README
SIA for GCP GKE
Configuration
SIA GKE requires a configuration file at /etc/sia/sia_config with the following required attributes:
{
    "version": "1.0.0",
    "domain": "application-domain-name",
    "service": "application-service-name"
}
The Google Project administrator must create a Google Service Account named <application-service-name>, and that Service Account must allow the Kubernetes Service Account used by the application to impersonate it via the workloadIdentityUser role.
The SIA configuration file also provides a way to change the default user and group that own the private key. By default, the private key is owned by user root and readable by group athenz. If the admin wants to grant another user access to the service identity private key, this can be done by adding that user to the group athenz.
If the user wants to change the user and group values, the config file must contain the following optional fields:
{
    "version": "1.0.0",
    "domain": "application-domain-name",
    "service": "application-service-name",
    "user": "unix-username",
    "group": "unix-groupname"
}
SIA-GKE can be built with the following parameters, e.g.
GOOS=linux go install -ldflags "-X main.Version=1.0.0 -X main.ZtsEndPoint=zts.athenz.io -X main.DnsDomain=gcp.athenz.cloud -X main.ProviderPrefix=athenz.gcp" ./...
Alternatively, those parameters can be passed at runtime; runtime parameters take precedence over build-time parameters.
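As an added example that is not part of the Athenz SIA code, the following Go program parses and validates a sia_config file as described above, applies the documented root/athenz owner defaults, shows how runtime flags take precedence over values baked in with -X, and checks a private key file's permission bits against the stated ownership model. The flag names -zts, -dns-domain and -provider-prefix are assumptions for illustration, not siad's real flags, and the sample config is constructed inline rather than read from /etc/sia/sia_config.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"flag"
	"fmt"
	"os"
)

// Build-time defaults, overridable with the -X linker flag, e.g.
//   -ldflags "-X main.ZtsEndPoint=zts.athenz.io -X main.DnsDomain=gcp.athenz.cloud"
var (
	ZtsEndPoint    = ""
	DnsDomain      = ""
	ProviderPrefix = ""
)

// SIAConfig mirrors /etc/sia/sia_config: version, domain and service are
// required; user and group are optional and default to root / athenz.
type SIAConfig struct {
	Version string `json:"version"`
	Domain  string `json:"domain"`
	Service string `json:"service"`
	User    string `json:"user,omitempty"`
	Group   string `json:"group,omitempty"`
}

// ParseSIAConfig decodes the file contents, rejects unknown keys (a typo in an
// optional field would otherwise silently fall back to the defaults), checks
// the required attributes and applies the documented key-owner defaults.
func ParseSIAConfig(data []byte) (*SIAConfig, error) {
	var cfg SIAConfig
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("sia_config: %w", err)
	}
	var missing []string
	for _, f := range []struct{ name, val string }{
		{"version", cfg.Version}, {"domain", cfg.Domain}, {"service", cfg.Service},
	} {
		if f.val == "" {
			missing = append(missing, f.name)
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("sia_config: missing required attributes %v", missing)
	}
	if cfg.User == "" {
		cfg.User = "root"
	}
	if cfg.Group == "" {
		cfg.Group = "athenz"
	}
	return &cfg, nil
}

// Params holds settings that may come from build time or the command line.
type Params struct{ ZtsEndPoint, DnsDomain, ProviderPrefix string }

// ResolveParams parses the hypothetical runtime flags with the build-time
// values as defaults, so a flag given at runtime wins over the -X value.
func ResolveParams(args []string) (Params, error) {
	fs := flag.NewFlagSet("siad", flag.ContinueOnError)
	var p Params
	fs.StringVar(&p.ZtsEndPoint, "zts", ZtsEndPoint, "ZTS endpoint")
	fs.StringVar(&p.DnsDomain, "dns-domain", DnsDomain, "DNS domain for SAN names")
	fs.StringVar(&p.ProviderPrefix, "provider-prefix", ProviderPrefix, "provider prefix")
	if err := fs.Parse(args); err != nil {
		return p, err
	}
	if p.ZtsEndPoint == "" {
		return p, errors.New("ZTS endpoint not set at build time (-X main.ZtsEndPoint) or at runtime (-zts)")
	}
	return p, nil
}

// CheckKeyMode enforces the ownership model on the key file's permission bits:
// readable by owner and group only, never world-accessible or group-writable.
func CheckKeyMode(mode os.FileMode) error {
	perm := mode.Perm()
	if perm&0o007 != 0 {
		return fmt.Errorf("private key is world-accessible (mode %04o)", perm)
	}
	if perm&0o020 != 0 {
		return fmt.Errorf("private key is group-writable (mode %04o)", perm)
	}
	return nil
}

func main() {
	// Constructed sample config (not read from disk).
	sample := []byte(`{"version":"1.0.0","domain":"application-domain-name","service":"application-service-name"}`)
	cfg, err := ParseSIAConfig(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	p, perr := ResolveParams(os.Args[1:])
	fmt.Printf("config=%+v params=%+v err=%v\n", *cfg, p, perr)
	fmt.Println("mode 0440:", CheckKeyMode(0o440), "| mode 0644:", CheckKeyMode(0o644))
}
```

Running the binary with no arguments and no -X values reports that the ZTS endpoint is unset; passing -zts on the command line satisfies the check even when the build-time default is empty, which is the precedence the README describes.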
Documentation
Index
- func GetGKEAccessProfile(configFile, metaEndpoint string, provider provider.Provider) (*options.AccessProfileConfig, error)
- func GetGKEConfig(configFile, profileConfigFile, metaEndpoint, region string, ...) (*options.Config, *options.AccessProfileConfig, error)
- func GetGKEPodId() string
- type GKEProvider
- func (gke GKEProvider) AttestationData(_ string, _ crypto.PrivateKey, _ *signature.SignatureInfo) (string, error)
- func (gke GKEProvider) CloudAttestationData(base, svc, ztsServerName string) (string, error)
- func (gke GKEProvider) GetAccessManagementProfileFromMeta(base string) (string, error)
- func (gke GKEProvider) GetAccountDomainServiceFromMeta(base string) (string, string, string, error)
- func (gke GKEProvider) GetAdditionalSshHostPrincipals(_ string) (string, error)
- func (gke GKEProvider) GetCsrDn() pkix.Name
- func (gke GKEProvider) GetEmail(_ string) []string
- func (gke GKEProvider) GetHostname(fqdn bool) string
- func (gke GKEProvider) GetName() string
- func (gke GKEProvider) GetRoleDnsNames(_ *x509.Certificate, _ string) []string
- func (gke GKEProvider) GetSanDns(_ string, _ bool, _ bool, _ []string) []string
- func (gke GKEProvider) GetSanIp(_ map[string]bool, _ []net.IP, _ ip.Opts) []net.IP
- func (gke GKEProvider) GetSanUri(_ string, _ ip.Opts, _, _ string) []*url.URL
- func (gke GKEProvider) GetSuffixes() []string
- func (gke GKEProvider) PrepareKey(_ string) (crypto.PrivateKey, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetGKEAccessProfile
func GetGKEAccessProfile(configFile, metaEndpoint string, provider provider.Provider) (*options.AccessProfileConfig, error)
func GetGKEConfig
func GetGKEPodId
func GetGKEPodId() string
Types
type GKEProvider
type GKEProvider struct {
    Name string
}
func (GKEProvider) AttestationData
func (gke GKEProvider) AttestationData(_ string, _ crypto.PrivateKey, _ *signature.SignatureInfo) (string, error)
func (GKEProvider) CloudAttestationData
func (gke GKEProvider) CloudAttestationData(base, svc, ztsServerName string) (string, error)
func (GKEProvider) GetAccessManagementProfileFromMeta
func (gke GKEProvider) GetAccessManagementProfileFromMeta(base string) (string, error)
func (GKEProvider) GetAccountDomainServiceFromMeta
func (gke GKEProvider) GetAccountDomainServiceFromMeta(base string) (string, string, string, error)
func (GKEProvider) GetAdditionalSshHostPrincipals (added in v1.11.31)
func (gke GKEProvider) GetAdditionalSshHostPrincipals(_ string) (string, error)
func (GKEProvider) GetCsrDn
func (gke GKEProvider) GetCsrDn() pkix.Name
func (GKEProvider) GetEmail
func (gke GKEProvider) GetEmail(_ string) []string
func (GKEProvider) GetHostname
func (gke GKEProvider) GetHostname(fqdn bool) string
GetHostname returns the hostname as per the provider
func (GKEProvider) GetName
func (gke GKEProvider) GetName() string
GetName returns the name of the current provider
func (GKEProvider) GetRoleDnsNames
func (gke GKEProvider) GetRoleDnsNames(_ *x509.Certificate, _ string) []string
func (GKEProvider) GetSuffixes (added in v1.11.54)
func (gke GKEProvider) GetSuffixes() []string
func (GKEProvider) PrepareKey
func (gke GKEProvider) PrepareKey(_ string) (crypto.PrivateKey, error)