gcp-serviceaccount-controller

command module
Published: Oct 30, 2020 License: MIT Imports: 9 Imported by: 0

README

GCP Service Account Controller

This controller manages GCP service accounts through Kubernetes resources.

The Helm chart can be found in the Kiwigrid helm repo. Add it via:

helm repo add kiwigrid https://kiwigrid.github.io

The Helm charts source can be found at:

https://github.com/kiwigrid/helm-charts/tree/master/charts/gcp-serviceaccount-controller

Features

  • creates GCP service accounts and creates Kubernetes secrets from the service account key file
  • handles the full lifecycle of a service account via a CRD
  • key files only exist inside Kubernetes and are not saved anywhere outside the cluster
  • since version 0.2.0 you can restrict the allowed roles per namespace via regular expressions (this feature is enabled by default; it can be disabled with DISABLE_RESTRICTION_CHECK)

Deployment

First you need to create a GCP service account with at least the following permissions:

- iam.serviceAccounts.create
- iam.serviceAccounts.delete
- iam.serviceAccounts.get
- iam.serviceAccounts.list
- iam.serviceAccounts.update
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.delete
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- pubsub.subscriptions.getIamPolicy
- pubsub.subscriptions.setIamPolicy
- pubsub.topics.getIamPolicy
- pubsub.topics.setIamPolicy
- storage.buckets.getIamPolicy
- storage.buckets.setIamPolicy
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy

You can use the Helm chart to deploy the controller. Then add the base64-encoded key file of that service account to the gcpCredentials value:

helm upgrade -i -f <YOUR_VALUES_FILE> <RELEASE_NAME> helm/

Example

This is an example resource definition for a service account:

apiVersion: gcp.kiwigrid.com/v1beta1
kind: GcpServiceAccount
metadata:
  name: gcpserviceaccount-sample
spec:
  serviceAccountIdentifier: kube-example
  serviceAccountDescription: kube-example
  secretName: kube-example-secret
  bindings:
  - resource: "//cloudresourcemanager.googleapis.com/projects/<PROJECT_NAME>"
    roles:
    - "roles/cloudsql.editor"

Example for buckets:

apiVersion: gcp.kiwigrid.com/v1beta1
kind: GcpServiceAccount
metadata:
  name: gcpserviceaccount-bucket-sample
spec:
  serviceAccountIdentifier: kube-bucket-example
  serviceAccountDescription: kube-bucket-example
  secretName: kube-bucket-example-secret
  bindings:
  - resource: buckets/my-bucket-name
    roles:
    - roles/storage.objectAdmin

Example for namespace restriction:

apiVersion: gcp.kiwigrid.com/v1beta1
kind: GcpNamespaceRestriction
metadata:
  name: gcpnamespacerestriction-sample
spec:
  namespace: test
  regex: true
  restrictions:
  - resource: "^buckets/my-bucket-name$"
    roles:
    # single quotes keep the backslash literal; in a double-quoted YAML string it would need to be "\\."
    - '^roles/storage\.objectAdmin$'
  - resource: "^pubsub/.*$"
    roles:
    - "^roles/.*$"
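To make the restriction semantics concrete, here is an added Go example (not the controller's own code; the project's real implementation is not shown on this page) that models the spec.bindings of a GcpServiceAccount and the spec.restrictions of a GcpNamespaceRestriction from the examples above and decides which requested resource/role pairs the restriction denies. It assumes a deny-by-default rule, that a role is allowed when at least one restriction entry matches both the resource and the role, and that with regex: false entries are compared as exact strings; it does not model DISABLE_RESTRICTION_CHECK. The type and function names (Binding, Restriction, NamespaceRestriction, CheckBindings, SampleRestriction) are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
)

// Binding mirrors one spec.bindings entry of a GcpServiceAccount:
// a resource and the roles requested on it.
type Binding struct {
	Resource string
	Roles    []string
}

// Restriction mirrors one spec.restrictions entry of a GcpNamespaceRestriction.
type Restriction struct {
	Resource string
	Roles    []string
}

// NamespaceRestriction mirrors the parts of the GcpNamespaceRestriction spec
// this check needs: the namespace, whether entries are regular expressions,
// and the allowed resource/role pairs.
type NamespaceRestriction struct {
	Namespace    string
	Regex        bool
	Restrictions []Restriction
}

// matches compares a value against a restriction entry: as a regular
// expression when regex mode is on, as an exact string otherwise.
// regexp.MatchString finds substrings, so patterns should be anchored.
func matches(pattern, value string, regex bool) (bool, error) {
	if !regex {
		return pattern == value, nil
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, fmt.Errorf("invalid restriction pattern %q: %w", pattern, err)
	}
	return re.MatchString(value), nil
}

// roleAllowed reports whether one role on one resource is permitted by at
// least one restriction entry whose resource pattern matches the resource.
func roleAllowed(nr NamespaceRestriction, resource, role string) (bool, error) {
	for _, r := range nr.Restrictions {
		resOK, err := matches(r.Resource, resource, nr.Regex)
		if err != nil {
			return false, err
		}
		if !resOK {
			continue
		}
		for _, rolePattern := range r.Roles {
			ok, err := matches(rolePattern, role, nr.Regex)
			if err != nil {
				return false, err
			}
			if ok {
				return true, nil
			}
		}
	}
	return false, nil
}

// CheckBindings returns the "resource role" pairs that the restriction does
// not allow. An empty result means the bindings pass; any pair that no entry
// matches is denied (deny by default).
func CheckBindings(nr NamespaceRestriction, bindings []Binding) ([]string, error) {
	var denied []string
	for _, b := range bindings {
		for _, role := range b.Roles {
			ok, err := roleAllowed(nr, b.Resource, role)
			if err != nil {
				return nil, err
			}
			if !ok {
				denied = append(denied, b.Resource+" "+role)
			}
		}
	}
	return denied, nil
}

// SampleRestriction is the GcpNamespaceRestriction example from the README as Go values.
var SampleRestriction = NamespaceRestriction{
	Namespace: "test",
	Regex:     true,
	Restrictions: []Restriction{
		{Resource: `^buckets/my-bucket-name$`, Roles: []string{`^roles/storage\.objectAdmin$`}},
		{Resource: `^pubsub/.*$`, Roles: []string{`^roles/.*$`}},
	},
}

func main() {
	// Constructed bindings: the README's bucket and project examples plus a pubsub topic.
	bindings := []Binding{
		{Resource: "buckets/my-bucket-name", Roles: []string{"roles/storage.objectAdmin", "roles/storage.admin"}},
		{Resource: "pubsub/my-topic", Roles: []string{"roles/pubsub.publisher"}},
		{Resource: "//cloudresourcemanager.googleapis.com/projects/my-project", Roles: []string{"roles/cloudsql.editor"}},
	}
	denied, err := CheckBindings(SampleRestriction, bindings)
	if err != nil {
		panic(err)
	}
	fmt.Println("denied:", denied)

	// An unanchored pattern matches as a substring: "buckets/my-bucket" also
	// admits "buckets/my-bucket-name-backup". Anchor with ^ and $ as the README does.
	loose := NamespaceRestriction{Regex: true, Restrictions: []Restriction{
		{Resource: `buckets/my-bucket`, Roles: []string{`roles/storage.objectAdmin`}},
	}}
	d2, _ := CheckBindings(loose, []Binding{{Resource: "buckets/my-bucket-name-backup", Roles: []string{"roles/storage.objectAdmin"}}})
	fmt.Println("unanchored pattern denied:", d2)
}
```

Running it reports roles/storage.admin on the bucket and roles/cloudsql.editor on the project as denied, while the pubsub binding passes, and shows that the unanchored variant denies nothing. Two points worth carrying into a real restriction: a pattern that fails to compile should reject the reconcile rather than silently allow, and every pattern should be anchored, because a restriction meant for one bucket otherwise covers every bucket whose name starts the same way.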

Documentation

There is no documentation for this package.

Directories

Path Synopsis
api
v1beta1
Package v1beta1 contains API Schema definitions for the gcp v1beta1 API group +kubebuilder:object:generate=true +groupName=gcp.kiwigrid.com