Hi folks!
Have a question about workload identity.
Flow: internet <-> GKE Autopilot cluster - ingress (nginx) - namespace (front) - nginx router (deployment) - storage buckets (static sites). I've mapped the k8s SA to a GCP SA and granted the GCP SA the Storage Object Viewer role. When a request comes through the ingress to the nginx router from an internet user, the nginx router routes the request to the bucket folder with the static content, but I always get permission denied, even if I grant the Bucket Admin role to the mapped GCP SA. The question is: how do I grant permission, and which one, to the k8s SA so it can access the bucket with static content and deliver that content to the user from the internet?
schema is:
You should grant permissions on the bucket to the GCP SA which has a mapping to the k8s SA attached to the nginx router pod. Traffic between the Ingress nginx and the nginx router pod is internal to Kubernetes and will not require authn.
One question though: why are you using nginx as an ingress layer? Isn't the built-in Ingress good for you, or do you have a specific use case our Ingress doesn't fulfil?
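As an added example (not from either poster), the binding chain the answer describes, printed as commands, plus a check to run inside the router pod; the project, namespace, service-account and bucket names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. All names are assumed placeholders:
#   project my-project, namespace front, k8s SA nginx-router,
#   GCP SA nginx-router-gsa, bucket static-site
set -eu

# 1. Let the k8s SA (namespace/name) impersonate the GCP SA via Workload Identity.
wi_bind_cmd() {  # $1 project, $2 namespace, $3 ksa, $4 gsa
  printf '%s\n' "gcloud iam service-accounts add-iam-policy-binding $4@$1.iam.gserviceaccount.com --project $1 --role roles/iam.workloadIdentityUser --member \"serviceAccount:$1.svc.id.goog[$2/$3]\""
}

# 2. Annotate the k8s SA so pods using it receive the GCP SA's tokens.
ksa_annotate_cmd() {  # $1 project, $2 namespace, $3 ksa, $4 gsa
  printf '%s\n' "kubectl annotate serviceaccount $3 --namespace $2 iam.gke.io/gcp-service-account=$4@$1.iam.gserviceaccount.com"
}

# 3. Grant read-only access on the bucket to the GCP SA (objectViewer is enough; bucket admin is not needed).
bucket_grant_cmd() {  # $1 project, $2 bucket, $3 gsa
  printf '%s\n' "gcloud storage buckets add-iam-policy-binding gs://$2 --member serviceAccount:$3@$1.iam.gserviceaccount.com --role roles/storage.objectViewer"
}

# 4. Run inside the nginx router pod: fetch a token from the metadata server and read one object.
#    The IAM grant only takes effect if the request carries this bearer token; a plain
#    proxy_pass to storage.googleapis.com sends no credentials and is treated as anonymous.
verify_from_pod() {  # $1 bucket, $2 object path; prints the HTTP status code
  token=$(curl -sS -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' \
    | sed 's/.*"access_token":"\([^"]*\)".*/\1/')
  curl -sS -o /dev/null -w '%{http_code}\n' -H "Authorization: Bearer $token" \
    "https://storage.googleapis.com/storage/v1/b/$1/o/$(printf '%s' "$2" | sed 's#/#%2F#g')?alt=media"
}

# Print the three setup commands for the placeholder names (nothing is applied).
if [ "${1:-}" = "--print" ]; then
  wi_bind_cmd my-project front nginx-router nginx-router-gsa
  ksa_annotate_cmd my-project front nginx-router nginx-router-gsa
  bucket_grant_cmd my-project static-site nginx-router-gsa
fi
```

Run `verify_from_pod static-site index.html` from a shell in the router pod; a 200 confirms the token chain works, a 403 means the bucket grant is missing or targets the wrong GCP SA.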