Gke Autopilot workload identity

anonymous · November 11, 2021, 4:27am

Hi folks!

Have a question about workload identity.

Flow: internet ↔ gke Autopilot cluster - ingress (nginx) - namespace (front) - nginx router(deployment) - storage buckets(static sites). I’ve mapped k8s SA with gcp SA and grant to gcp SA storage object viewer role. When request came throughout ingress to nginx router form internet user, then nginx router routes request to bucket folder with static content, but all time I got permission denied even if I grant bucket admin role to mapped gcp SA. The question is - how to grant permission and which one for k8s SA for access to bucket with static content and deliver that content to user from internet?

anonymous · November 11, 2021, 4:59am

schema is:

abdelfettah · December 22, 2021, 12:58pm

You should grant permissions on the bucket to the gcp SA which has mapping to the k8s SA attached to the nginx router pod. traffic between the Ingress nginx and the nginx router pod is internal to kubernetes and will not require authn.

One question tough, why are you using nginx as an ingress layer ? Isn’t the built-in Ingress good for you or do you have a specific use case our Ingress doesn’t fullfil ?

Topic		Replies	Views
Access Denied (anonymous caller) error when accessing GCS bucket from GKE using Workload Identity Serverless Applications gke	4	973	May 1, 2024
Setup and Configure Workload Identity on GKE Serverless Applications gke	0	8	June 16, 2022
Credentials for GKE deployed image app? Serverless Applications gke	7	42	July 27, 2023

Gke Autopilot workload identity

AI Suggested topics