
Support for GKE (k8s) Workload Identity Federation #199

Open
thomasveale opened this issue Apr 20, 2022 · 3 comments

Comments

@thomasveale

Feature

Hey Devs! Great project, thanks for your hard work and continued maintenance.

Following the sidecar pattern, we aim to forward logs to Google StackDriver through the zipkin docker container. The issue is, we're not mounting our service account key directly, instead we use [workload identity federation](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) to inject a short lived service account token directly into the docker image. Using identity federation, your workload can impersonate a service account. This lets the external workload access Google Cloud resources directly, eliminating the maintenance and security burden associated with service account keys. This is the recommended solution for authenticating with google services from GKE.

The token is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token and if we point the GOOGLE_APPLICATION_CREDENTIALS to this path, we encounter a decoding error because the token is a base64 encoded Json Web Token.

A workaround would be to run some PostStart script to decode the token and remount it somewhere else for Zipkin to use, or zipkin-gcp should support workload identity. This is a messy and unstable solution because there is no guarantee that script will execute before the entry point to zipkin.

It would be great if zipkin-gcp would support workload identity out of the box (i.e. if no GOOGLE_APPLICATION_CREDENTIALS is provided or if a specific flag/environment variable was set).

Rationale

Handling and mounting additional key material is dangerous. As workload identity is the recommended authentication mechanism for GKE (Kubernetes), this would likely be helpful to many others. Using workload identity federation, applications can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure, or any identity provider that supports OpenID Connect (OIDC).

Example Scenario

Zero configuration startup, the google cloud project and token could be extracted by default.
A flag could be set like GKE_WORKLOAD_IDENTITY=true to enable automatic configuration.

Prior Art

https://github.com/googleapis/google-auth-library-java
https://googleapis.dev/python/google-auth/latest/user-guide.html
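As an added diagnostic (not code from zipkin-gcp or from the issue author), the Python snippet below classifies what GOOGLE_APPLICATION_CREDENTIALS actually points at: a service-account key or other ADC JSON document, or a bare Kubernetes projected token, which is a compact JWT rather than JSON and is why loading it as application credentials fails as described above. The sample key document and token are constructed, and the JWT payload is decoded without signature verification, for inspection only.

```python
import base64
import json
import os

# Constructed sample inputs (not real credentials): a minimal service-account key
# document and a Kubernetes projected token with a made-up signature.
SA_KEY_JSON = json.dumps({"type": "service_account", "project_id": "example-project",
                          "client_email": "svc@example-project.iam.gserviceaccount.com"})

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

K8S_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url({"iss": "https://example.invalid/constructed-cluster-issuer",
             "aud": ["https://kubernetes.default.svc"],
             "sub": "system:serviceaccount:default:zipkin"}),
    "c2lnbmF0dXJl",  # placeholder, not a real signature
])

def decode_jwt_claims(token):
    """Return the payload of a compact JWT without verifying it (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_credential(contents):
    """Say what kind of document is in the GOOGLE_APPLICATION_CREDENTIALS file."""
    try:
        doc = json.loads(contents)
    except json.JSONDecodeError:
        doc = None
    if isinstance(doc, dict):
        return doc.get("type", "unknown-json")  # e.g. service_account, external_account
    try:
        decode_jwt_claims(contents)
    except (ValueError, json.JSONDecodeError):
        return "unknown"
    return "jwt"  # a bare token: ADC loaders will fail to parse it as JSON

def check_adc_env(env=os.environ):
    """Classify whatever GOOGLE_APPLICATION_CREDENTIALS currently names, or report it unset."""
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return "unset"
    with open(path) as f:
        return classify_credential(f.read())
```

Running check_adc_env() inside the container (for example from a PostStart hook or a debug shell) tells you immediately whether the variable names a JWT rather than a credential document.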

@jcchavezs
Contributor

Thanks for this. Zipkin is a volunteering project so if you can come up with a PR for this we could review it.

@thomasveale
Author

Thanks for getting back to this and apologies for not reading that!

Sadly my java is quite weak. Working on improving that so I may be able to come back with something!

@codefromthecrypt
Member

@thomasveale please ping back if still interested in this, as I know it has been a while.
