Add Workload Identity to GCP Output #235
7c73e4c to c04feac
…cates workloadidentity Signed-off-by: Chris Carty <[email protected]>
c04feac to 355ddd8
Hello @cartyc, I didn't find time to review your PR, sorry. As I don't know GCP, I need some time to review.
No worries @Issif, not a rush :) Let me know if I can help in any way. Hope you're having a good KubeCon!
@cartyc Hello, our new maintainer @developer-guy knows GCP, he will review this PR for us.
Sorry for my delay, I will review this as well shortly.
Signed-off-by: Chris Carty <[email protected]>
It looks good to me, thanks so much for this!
/lgtm
LGTM label has been added. Git tree hash: 8add2c89eb89da089a80e158d16a21f73ab21f60
Great work @cartyc, I'm also planning to use that kind of authentication process while integrating CloudFunctions output type for Falcosidekick, then maybe we can add Cloud Run output type for it too, wdyt @cartyc ? Btw, I completed the CloudFunction support, I'm going to open a PR soon, maybe you might want to review it later 🙏👌
Happy to help out @developer-guy !!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cpanato, Issif The full list of commands accepted by this bot can be found here. The pull request process is described here
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area outputs
What this PR does / why we need it:
This is a small PR to enable the usage of workload identity for GCP pubsub. If no GCP credentials are passed in but the Topic and Project fields are populated it will now assume WorkloadIdentity is the intended option. I am not sure if having a flag open for "enabling" this would be better as it is more explicit but would not actually enable it.
The goal is to remove the need to pass in a GCP credentials file to Falcosidekick and help prevent the need to download and manage service accounts.
To test workloadidentity first create a GCP cluster with workloadidentity enabled
Install Falco w/ falcosidekick
Create your SA and Rolebindings
Finally set up the Falcosidekick SA to impersonate a GCP SA
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
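
The selection rule from the PR description (no credentials, but Topic and Project populated, means Workload Identity), as an added example that is not code from this pull request or from Falcosidekick. `GCPConfig`, `AuthMode` and `SelectAuth` are hypothetical names and the base64-encoded key format is an assumption; the code also rejects a key that is present but malformed instead of falling back to the pod's ambient identity.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type AuthMode int

const (
	Disabled        AuthMode = iota // project or topic missing: output is off
	ExplicitKey                     // service account key supplied in config
	AmbientIdentity                 // no key: Application Default Credentials (Workload Identity on GKE)
)

// GCPConfig is a hypothetical stand-in for the output's settings.
type GCPConfig struct {
	Credentials        string // assumed: base64-encoded service account key JSON
	ProjectID, Topic   string
}

// SelectAuth applies the rule from the PR description and fails closed: a key
// that is present but malformed is an error, never a fallback to ambient identity.
func SelectAuth(c GCPConfig) (AuthMode, []byte, error) {
	if c.ProjectID == "" || c.Topic == "" {
		return Disabled, nil, nil
	}
	if c.Credentials == "" {
		return AmbientIdentity, nil, nil
	}
	raw, err := base64.StdEncoding.DecodeString(c.Credentials)
	if err != nil {
		return Disabled, nil, fmt.Errorf("credentials: invalid base64: %w", err)
	}
	var key struct {
		Type        string `json:"type"`
		ClientEmail string `json:"client_email"`
	}
	if json.Unmarshal(raw, &key) != nil || key.Type != "service_account" || key.ClientEmail == "" {
		return Disabled, nil, fmt.Errorf("credentials: not a service account key")
	}
	return ExplicitKey, raw, nil
}

func main() {
	mode, _, err := SelectAuth(GCPConfig{ProjectID: "p", Topic: "t"}) // constructed input, no key
	fmt.Println(mode, err)
}
```

In `AmbientIdentity` mode the Pub/Sub client would be created without a credentials option, so the Google client library resolves Application Default Credentials, which on a Workload Identity cluster come from the pod's bound service account.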