K
Q

GKE Workload Identity service account for all namespaces

1/14/2020

I'm following the guide to setup GCP's Workload Identity and have it working for a service account configured against the default Kubernetes namespace as below:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:[PROJECT_ID].svc.id.goog[default/[KSA_NAME]]" \
  [GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com

I'm wondering if there is a way to create the binding for all k8s namespaces; something like below, where I've replaced the default namespace with *:

--member "serviceAccount:[PROJECT_ID].svc.id.goog[*/[KSA_NAME]]"

Is there any way to do this?

-- Adam
google-cloud-platform
google-iam
google-kubernetes-engine
kubernetes

Similar Questions

Install helm 2.13.0 on Minikube server (1.6.2) could not find tiller
How to pass environment variables in angular application with docker
Helm: Get value from a Map where the key is variable
istio side car is not created

1 Answer

1/15/2020

There is no way to set all namespaces to a Kubernetes Service Account(KSA). Maybe you would have to get each namespace and doing the binding for each namespace, an automation script could help in the process to do it n times (1 time for each namespace).

You can get only namespaces column name using the following kubectl command:

kubectl get ns --all-namespaces --no-headers -o custom-columns=":metadata.name"

Getting something like this:

default
kube-public
kube-system

Which can be used to iterate them using a binding automation script.

-- Victor_Torres
Source: StackOverflow