doitintl / gtoken
Securely access AWS services from GKE cluster
License: Apache License 2.0
Hey!
I would like to use gtoken in a cronjob.
It works, but the pod doesn't finish.
It stays at "status: Not Ready" because, after the pod's execution, update-gcp-id-token restarts:
Normal Started 3m26s kubelet Started container check-certif
Normal Pulling 3m26s kubelet Pulling image "doitintl/gtoken:latest"
Normal Pulled 3m26s kubelet Successfully pulled image "doitintl/gtoken:latest" in 248.821135ms (248.835925ms including waiting)
Normal Created 3m26s kubelet Created container update-gcp-id-token
Normal Started 3m26s kubelet Started container update-gcp-id-token
How can I stop "update-gcp-id-token" for a cronjob, please?
Thanks!
Hi.
The variable $GSA_SA came up in AWS: Create AWS IAM Role with Google OIDC Web Identity.
Where is this defined?
Thank you.
The following warnings were issued with a recent deployment attempt:
./deployment/webhook-create-signed-cert.sh:
Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
kubectl create -f deployment/mutatingwebhook-bundle.yaml
Warning: admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
Please see https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
At least the kube-system namespace should be excluded.
kubectl run is deprecated and --serviceaccount does not work.
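As an added example (not gtoken's own code), the following Python lints manifests for the two problems this report raises: API versions that are unavailable from Kubernetes 1.22 and a MutatingWebhookConfiguration with no namespaceSelector keeping kube-system out of scope. Manifests are plain dicts, as produced by `json.load` over `kubectl get ... -o json`; the sample objects, the webhook name and the name `gtoken-webhook-old`/`-new` are constructed here. The namespace check only recognises the `NotIn` form on the `kubernetes.io/metadata.name` label and treats any other selector style as not excluding, a deliberately conservative assumption.

```python
"""Lint manifests for deprecated API versions and for a mutating webhook
that is not scoped away from kube-system. Added example, not gtoken's own
code. Manifests are plain dicts (json.load of `kubectl get ... -o json`
or of a converted manifest file); the samples below are constructed."""

# Deprecated (apiVersion, kind) -> (replacement apiVersion, version that
# removes it). Values come from the kubectl warnings quoted in the issue.
DEPRECATED_APIS = {
    ("certificates.k8s.io/v1beta1", "CertificateSigningRequest"):
        ("certificates.k8s.io/v1", "1.22"),
    ("admissionregistration.k8s.io/v1beta1", "MutatingWebhookConfiguration"):
        ("admissionregistration.k8s.io/v1", "1.22"),
}


def check_api_version(manifest):
    """Return a warning if the manifest uses a deprecated API, else None."""
    key = (manifest.get("apiVersion"), manifest.get("kind"))
    if key not in DEPRECATED_APIS:
        return None
    replacement, removed_in = DEPRECATED_APIS[key]
    return f"{key[0]} {key[1]} is unavailable in v{removed_in}+; use {replacement} {key[1]}"


def webhook_excludes_namespace(manifest, namespace="kube-system"):
    """True only if every webhook carries a namespaceSelector that keeps
    `namespace` out of scope. Recognises the NotIn form on the
    kubernetes.io/metadata.name label, which the API server sets on every
    namespace; other selector styles count as not excluding (assumption)."""
    webhooks = manifest.get("webhooks", [])
    if not webhooks:
        return False
    for hook in webhooks:
        selector = hook.get("namespaceSelector") or {}
        excluded = any(
            expr.get("key") == "kubernetes.io/metadata.name"
            and expr.get("operator") == "NotIn"
            and namespace in expr.get("values", [])
            for expr in selector.get("matchExpressions", [])
        )
        if not excluded:
            return False
    return True


def lint(manifests):
    """Return one human-readable finding per problem, prefixed by object name."""
    findings = []
    for manifest in manifests:
        name = manifest.get("metadata", {}).get("name", "<unnamed>")
        warning = check_api_version(manifest)
        if warning:
            findings.append(f"{name}: {warning}")
        if (manifest.get("kind") == "MutatingWebhookConfiguration"
                and not webhook_excludes_namespace(manifest)):
            findings.append(f"{name}: no namespaceSelector excluding kube-system")
    return findings


# Constructed samples: the first mirrors the deprecated, unscoped
# configuration the issue warns about; the second is the corrected form.
SAMPLE_MANIFESTS = [
    {
        "apiVersion": "admissionregistration.k8s.io/v1beta1",
        "kind": "MutatingWebhookConfiguration",
        "metadata": {"name": "gtoken-webhook-old"},
        "webhooks": [{"name": "gtoken.example.invalid"}],
    },
    {
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "MutatingWebhookConfiguration",
        "metadata": {"name": "gtoken-webhook-new"},
        "webhooks": [{
            "name": "gtoken.example.invalid",
            "namespaceSelector": {"matchExpressions": [{
                "key": "kubernetes.io/metadata.name",
                "operator": "NotIn",
                "values": ["kube-system"],
            }]},
        }],
    },
]

if __name__ == "__main__":
    for line in lint(SAMPLE_MANIFESTS):
        print(line)
```

Run against the constructed samples it reports two findings for `gtoken-webhook-old` (deprecated API, no kube-system exclusion) and none for `gtoken-webhook-new`; excluding kube-system matters because a webhook that fails closed while matching that namespace can block the control plane's own pods.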
I've deployed gtoken as mentioned in the README, but I couldn't access the AWS resource. Actually, the webhook doesn't run properly. I couldn't see any log in the webhook pod; there is only the following log line:
time="2023-03-24T09:26:19Z" level=info msg="listening on https://:8443"
When I tried an aws command in the test pod I saw the following error:
Unable to locate credentials. You can configure credentials by running "aws configure".
Also, I couldn't see any environment variables related to AWS in the test pod after creation. I expect the webhook to add some AWS-related variables when the pod is created.
Hey, I noticed we use the KSA_NAMESPACE parameter in the README just one time, then proceed using the K8S_NAMESPACE nomenclature, so I guess it is a typo?
Anyway, I can't send a PR for it; I'm just reporting what I found while following the tutorial.
BTW, great tool :)
I created a pod with the config below:
############
apiVersion: v1
kind: Pod
metadata:
  name: test-job
spec:
  serviceAccountName: saname
  restartPolicy: Never
  containers:
  - name: test-pod
    image: ubuntu
    command:
    - /bin/sleep
    - "10"
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 100m
        memory: 128Mi
############
CMD: kubectl -f testpod.yaml
After the sleep command finished, the pod did not terminate:
CMD: kubectl get pod
test-job 1/2 Running 0 5m26s
CMD: kubectl describe pod test-job
...
Containers:
  test-pod:
    Container ID:   docker://d6a95538e748e9585af2e11f62d2f9f65bc7a7c5cb01d01357985cb0e7fd56f3
    Image:          ubuntu
    Image ID:       docker-pullable://ubuntu@sha256:c95a8e48bf88e9849f3e0f723d9f49fa12c5a00cfc6e60d2bc99d87555295e4c
    Port:
    Host Port:
    Command:
      /bin/sleep
      10
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Tue, 15 Dec 2020 11:18:59 +0800
      Finished:     Tue, 15 Dec 2020 11:19:09 +0800
    Ready:          False
    Restart Count:  0
...
  update-gcp-id-token:
    Container ID:   docker://88ec093929b3c648b032448d17de5f46fb6be9bdcc5e78247acac1a16cf9dcbc
    Image:          doitintl/gtoken:latest
    Image ID:       docker-pullable://doitintl/gtoken@sha256:cb9647b375f579e378e957ed80dfa6259667987cf87835b10b125dc5b175b31d
    Port:
    Host Port:
    Command:
      /gtoken
      --file=/var/run/secrets/aws/token/gtoken
      --refresh=true
    State:          Running
      Started:      Tue, 15 Dec 2020 11:19:00 +0800
    Ready:          True
    Restart Count:  0
#########
It seems like update-gcp-id-token does not terminate.
Is it possible to terminate update-gcp-id-token after test-pod has finished?
Thank you!
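The cronjob report above and this one describe the same failure mode: the injected sidecar keeps running with --refresh=true after the application container exits, so a Job/CronJob pod stays Running and never completes. As an added example (not gtoken's own code), the Python below detects such pods from the `items` list of `kubectl get pods -o json`, by looking for pods with a Job-style restartPolicy whose non-sidecar containers have all terminated while a known sidecar is still running. The sidecar name set, the sample pods and their names are constructed to mirror the describe output in this issue.

```python
"""Find job-style pods stuck 'Running' because an injected sidecar outlives
the application container. Added example, not gtoken's own code. Input is
the `items` list of `kubectl get pods -o json`; the sample pods below are
constructed to mirror the issue's describe output."""
import json
import sys

# Names of injected sidecars to watch. Only update-gcp-id-token appears in
# the issue; extend the set for other injectors (assumption).
SIDECAR_NAMES = frozenset({"update-gcp-id-token"})


def classify_pod(pod, sidecar_names=SIDECAR_NAMES):
    """Report whether every application container has terminated and which
    sidecars are still running, from .status.containerStatuses."""
    statuses = pod.get("status", {}).get("containerStatuses", [])
    app = [cs for cs in statuses if cs["name"] not in sidecar_names]
    app_done = bool(app) and all("terminated" in cs.get("state", {}) for cs in app)
    lingering = [cs["name"] for cs in statuses
                 if cs["name"] in sidecar_names and "running" in cs.get("state", {})]
    return {"name": pod["metadata"]["name"], "app_done": app_done, "lingering": lingering}


def find_stuck_pods(pods, sidecar_names=SIDECAR_NAMES):
    """Names of pods with restartPolicy Never/OnFailure (Job and CronJob pods)
    whose app containers have all exited while a sidecar keeps running."""
    stuck = []
    for pod in pods:
        if pod.get("spec", {}).get("restartPolicy", "Always") not in ("Never", "OnFailure"):
            continue  # long-running workloads are expected to keep a sidecar up
        info = classify_pod(pod, sidecar_names)
        if info["app_done"] and info["lingering"]:
            stuck.append(info["name"])
    return stuck


def _pod(name, policy, statuses):
    """Build a minimal pod object in the shape kubectl emits (constructed)."""
    return {"metadata": {"name": name}, "spec": {"restartPolicy": policy},
            "status": {"containerStatuses": statuses}}


RUNNING = {"running": {"startedAt": "2020-12-15T03:19:00Z"}}
DONE = {"terminated": {"exitCode": 0, "reason": "Completed"}}

# Constructed samples: the stuck job pod from the issue, a normal
# long-running pod with the same sidecar, and a job pod with no sidecar.
SAMPLE_PODS = [
    _pod("test-job", "Never", [{"name": "test-pod", "state": DONE},
                              {"name": "update-gcp-id-token", "state": RUNNING}]),
    _pod("web-0", "Always", [{"name": "web", "state": RUNNING},
                            {"name": "update-gcp-id-token", "state": RUNNING}]),
    _pod("plain-job", "Never", [{"name": "worker", "state": DONE}]),
]

if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` in, or run without input for the samples.
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_PODS
    for name in find_stuck_pods(items):
        print(f"stuck: {name}")
```

Only `test-job` is reported: `web-0` has restartPolicy Always, so a running sidecar is expected there, and `plain-job` has no sidecar at all. Pods flagged this way hold their service-account token and credentials file for as long as the sidecar lives, which is worth alerting on in addition to the obvious cost of Jobs that never complete.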
It looks like #8 was removed from the source code, causing crashes.
Hi,
Your gtoken approach works like a charm for access to S3. But I was wondering if you have tried/confirmed it with other AWS services, for example ECR to pull images?
Kind regards,
Eric Van Steenbergen