
Add Workload Identity to GCP Output #235

Merged
merged 2 commits into from
May 21, 2021

Conversation

cartyc
Contributor

@cartyc cartyc commented Apr 22, 2021

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area config

/area outputs

/area tests

What this PR does / why we need it:

This is a small PR to enable the usage of workload identity for GCP pubsub. If no GCP credentials are passed in but the Topic and Project fields are populated it will now assume WorkloadIdentity is the intended option. I am not sure if having a flag open for "enabling" this would be better as it is more explicit but would not actually enable it.

The goal is to remove the need to pass in a GCP credentials file to Falcosidekick and help prevent the need to download and manage service accounts.

To test Workload Identity, first create a GCP cluster with Workload Identity enabled:

gcloud container clusters create $CLUSTER_NAME \
  --workload-pool ${PROJECT_ID}.svc.id.goog

Install Falco with Falcosidekick:

helm install falco falcosecurity/falco \
  --namespace $FALCO_NAMESPACE \
  --set ebpf.enabled=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.gcp.pubsub.projectid=${PROJECT_ID} \
  --set falcosidekick.config.gcp.pubsub.topic=${PUBSUB_TOPIC} \
  --set falcosidekick.webui.enabled=true

Create your SA and role bindings:

gcloud iam service-accounts create $SA_ACCOUNT

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${SA_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/pubsub.publisher"

Finally, set up the Falcosidekick SA to impersonate a GCP SA:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT_ID}.svc.id.goog[${FALCO_NAMESPACE}/falco-falcosidekick]" \
  ${SA_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com

kubectl annotate serviceaccount \
  --namespace $FALCO_NAMESPACE \
  falco-falcosidekick \
  iam.gke.io/gcp-service-account=${SA_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
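The setup above has two places where a misconfiguration is silent rather than loud: the output's implicit fallback to Workload Identity when no credentials are given, and the ServiceAccount annotation that decides which GSA the pod actually becomes. The following is an added example, not Falcosidekick's code; `GCPPubSubConfig`, its field names, and the approximate GCP naming regex are assumptions for illustration. It encodes the PR's fallback rule, refuses half-filled configs, builds the expected `roles/iam.workloadIdentityUser` member string, and validates the `iam.gke.io/gcp-service-account` annotation against the project the output publishes to.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// GCPPubSubConfig stands in for the three settings the PR description talks
// about. The type and field names are assumptions for this example, not
// Falcosidekick's real configuration struct.
type GCPPubSubConfig struct {
	Credentials string // path to a service-account JSON key; empty means "none given"
	ProjectID   string
	Topic       string
}

// AuthMode is the credential source the Pub/Sub output would end up using.
type AuthMode int

const (
	AuthDisabled         AuthMode = iota // output not configured at all
	AuthCredentialsFile                  // explicit key file supplied by the operator
	AuthWorkloadIdentity                 // Application Default Credentials, i.e. the GKE metadata server
)

var authModeNames = [...]string{"disabled", "credentials-file", "workload-identity"}

func (m AuthMode) String() string { return authModeNames[m] }

// SelectAuthMode applies the rule from the PR description: no credentials but
// project and topic set means Workload Identity. A half-filled config is
// rejected instead of silently becoming "disabled", so a typo in one field
// cannot turn off alert delivery without anyone noticing.
func SelectAuthMode(c GCPPubSubConfig) (AuthMode, error) {
	switch {
	case c.ProjectID == "" && c.Topic == "" && c.Credentials == "":
		return AuthDisabled, nil
	case c.ProjectID == "" || c.Topic == "":
		return AuthDisabled, errors.New("gcp.pubsub: projectid and topic must both be set")
	case c.Credentials != "":
		return AuthCredentialsFile, nil
	default:
		return AuthWorkloadIdentity, nil
	}
}

// WorkloadIdentityMember builds the IAM member string that the
// roles/iam.workloadIdentityUser binding in the PR description grants, so it
// can be compared with the policy actually attached to the GSA.
func WorkloadIdentityMember(projectID, namespace, ksa string) string {
	return fmt.Sprintf("serviceAccount:%s.svc.id.goog[%s/%s]", projectID, namespace, ksa)
}

// gsaEmail approximates GCP's naming rules for a service-account e-mail
// (assumption for this example) and captures the project ID, which is all
// the check below needs.
var gsaEmail = regexp.MustCompile(`^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$`)

// CheckKSAAnnotation verifies the iam.gke.io/gcp-service-account annotation on
// the Kubernetes ServiceAccount: present, well-formed, and pointing at a GSA in
// the project the output publishes to. Without it the pod does not act as the
// intended GSA, so publishing either fails or runs under whichever identity
// ADC finds instead.
func CheckKSAAnnotation(annotations map[string]string, projectID string) error {
	gsa, ok := annotations["iam.gke.io/gcp-service-account"]
	if !ok {
		return errors.New("serviceaccount lacks the iam.gke.io/gcp-service-account annotation")
	}
	m := gsaEmail.FindStringSubmatch(gsa)
	if m == nil {
		return fmt.Errorf("annotation %q is not a service-account e-mail", gsa)
	}
	if m[1] != projectID {
		return fmt.Errorf("annotation points at project %q, output publishes to %q", m[1], projectID)
	}
	return nil
}

func main() {
	// Constructed sample values; no real project or cluster is involved.
	cfg := GCPPubSubConfig{ProjectID: "my-project", Topic: "falco-alerts"}
	mode, err := SelectAuthMode(cfg)
	fmt.Println("auth mode:", mode, "err:", err)

	fmt.Println("expected binding member:", WorkloadIdentityMember(cfg.ProjectID, "falco", "falco-falcosidekick"))

	// Constructed stand-in for what the annotate step above leaves on the KSA.
	ann := map[string]string{"iam.gke.io/gcp-service-account": "falco-pubsub@my-project.iam.gserviceaccount.com"}
	fmt.Println("annotation check:", CheckKSAAnnotation(ann, cfg.ProjectID))
	fmt.Println("missing annotation:", CheckKSAAnnotation(map[string]string{}, cfg.ProjectID))
}
```

One caveat worth remembering when relying on the implicit fallback: Application Default Credentials consult the `GOOGLE_APPLICATION_CREDENTIALS` environment variable before the metadata server, so a pod that still carries that variable (for example from an older deployment that mounted a key file) will not use Workload Identity even though the Falcosidekick config no longer names a credentials file. Checking the pod spec for that variable belongs next to the annotation check above.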

@Issif Issif added this to the 2.24.0 milestone May 5, 2021
@Issif
Member

Issif commented May 5, 2021

Hello @cartyc, I didn't find time to review your PR, sorry.

As I don't know GCP, I need some time to review.

@cartyc
Contributor Author

cartyc commented May 5, 2021

No worries @Issif, not a rush :) Let me know if I can help in any way. Hope you're having a good KubeCon!

@Issif
Member

Issif commented May 16, 2021

@cartyc Hello, our new maintainer @developer-guy knows GCP, he will review this PR for us.

@cpanato
Member

cpanato commented May 17, 2021

Sorry for my delay, I will review this as well shortly.

Review comment on outputs/gcp.go (outdated, resolved)
Signed-off-by: Chris Carty <[email protected]>
Member

@cpanato cpanato left a comment


It looks good to me, thanks so much for this!

/lgtm

@poiana

poiana commented May 18, 2021

LGTM label has been added.

Git tree hash: 8add2c89eb89da089a80e158d16a21f73ab21f60

@Issif Issif modified the milestones: 2.24.0, 2.23.0 May 18, 2021
@developer-guy
Contributor

developer-guy commented May 19, 2021

Great work @cartyc, I'm also planning to use that kind of authentication process while integrating CloudFunctions output type for Falcosidekick, then maybe we can add Cloud Run output type for it too, wdyt @cartyc ? Btw, I completed the CloudFunction support, I'm going to open a PR soon, maybe you might want to review it later 🙏👌

@cartyc
Contributor Author

cartyc commented May 19, 2021

Happy to help out @developer-guy !!

@poiana

poiana commented May 21, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, Issif

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 5b5b6d5 into falcosecurity:master May 21, 2021