This extends the previous example by enabling Workload Identity integration, which requires four additional resources:
- A Google service account (GSA).
- The Cloud SQL Client role (roles/cloudsql.client) granted to the GSA. Currently this binding is created with a gcloud command; it will soon be possible to configure individual bindings declaratively.
- A Kubernetes service account (KSA) annotated with the GSA it is allowed to impersonate.
- A Workload Identity User binding (roles/iam.workloadIdentityUser) on the GSA that links the GSA and the KSA.
In this sample there is no longer any need to mount a service account key in the pod configuration: the pod obtains the GSA's credentials through Workload Identity, so the Cloud SQL client permission follows the Kubernetes service account. Note: don't forget to set the serviceAccountName field in the pod spec; without it the pod runs as the namespace's default KSA, which has no GSA binding and therefore no database access.
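The four resources above, plus the pod-side change, written out as an added example. This is not the repository's own resources/ manifests: the project ID (my-project), namespace (default), GSA and KSA names (wordpress-gsa, wordpress-ksa), region and proxy image tag are assumptions, and the Config Connector IAM kinds (IAMServiceAccount, IAMPolicyMember) are used for the parts the text says are declarative, while the Cloud SQL Client binding stays a gcloud command as the text describes.

```yaml
# Added example, not the repository's own resources/ manifests.
# Assumed names: project "my-project", namespace "default", GSA "wordpress-gsa",
# KSA "wordpress-ksa". Region and proxy image tag are assumptions too.

# 1. Google service account (GSA), managed by Config Connector
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: wordpress-gsa
spec:
  displayName: WordPress Cloud SQL client
---
# 2. Cloud SQL Client role for the GSA: done imperatively for now, e.g.
#    gcloud projects add-iam-policy-binding my-project \
#      --member "serviceAccount:wordpress-gsa@my-project.iam.gserviceaccount.com" \
#      --role roles/cloudsql.client
#
# 3. Kubernetes service account (KSA) annotated with the GSA it may impersonate
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wordpress-ksa
  namespace: default
  annotations:
    iam.gke.io/gcp-service-account: wordpress-gsa@my-project.iam.gserviceaccount.com
---
# 4. Workload Identity binding on the GSA: only this KSA, in this namespace,
#    may act as the GSA. The member uses the GKE identity-namespace form
#    PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: wordpress-gsa-workload-identity
spec:
  member: serviceAccount:my-project.svc.id.goog[default/wordpress-ksa]
  role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: wordpress-gsa
---
# Pod template excerpt: serviceAccountName selects the annotated KSA, and there
# is no Secret volume carrying a JSON key. The proxy obtains credentials from
# the GKE metadata server instead.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: wordpress
spec:
  serviceName: wordpress
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      serviceAccountName: wordpress-ksa   # omit this and the pod runs as "default"
      containers:
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.17   # assumed tag
          command:
            - /cloud_sql_proxy
            - -instances=my-project:us-central1:wp-db=tcp:3306
```

To check that the binding works before debugging the application, run a throwaway pod as the KSA and see which identity the metadata server hands out: `kubectl run -it --rm wi-test --image=google/cloud-sdk:slim --serviceaccount=wordpress-ksa -- gcloud auth list` should list the GSA email; if it shows the node's service account instead, the KSA annotation or the workloadIdentityUser binding is wrong.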
Deploy:

```sh
kubectl apply -f resources/
```

Wait for the SQL instance to be ready:

```sh
# Note that you can wait on the proxy resources too
kubectl wait --for=condition=Ready sqlinstance/wp-db --timeout=30m
kubectl wait --for=condition=Ready sqluser/wordpress --timeout=30m
# But ultimately you need to wait on the pod to be created
kubectl wait --for=condition=Ready pods/wordpress-0 --timeout=30m
```
As an additional extension, this example demonstrates the use of Gatekeeper. It first installs Gatekeeper, then applies a constraint template. Note that both manifests are fetched from the master branch rather than a pinned release, and that a ConstraintTemplate only defines a policy kind: nothing is enforced until a Constraint of that kind is created.

```sh
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/agilebank/templates/k8scontainterlimits_template.yaml
```
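A Constraint that actually turns the template into an enforced policy, as an added example that is not part of the repository. It assumes the template applied above registers the kind K8sContainerLimits with string parameters `cpu` and `memory`; confirm the kind and parameter names with `kubectl get constrainttemplate -o yaml` before applying.

```yaml
# Added example, not part of the repository.
# Assumes the ConstraintTemplate registered kind K8sContainerLimits with
# "cpu" and "memory" parameters (check: kubectl get constrainttemplate -o yaml).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    cpu: "200m"
    memory: "1Gi"
```

Once this Constraint exists, the admission webhook rejects any Pod whose containers lack resource limits or exceed these values, so make sure the WordPress and proxy containers declare limits before enforcing it, or the StatefulSet will fail to recreate its pod.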
Clean up. The PersistentVolumeClaim created from the StatefulSet's volumeClaimTemplates is not removed with the StatefulSet, so delete it explicitly:

```sh
kubectl delete -f resources/
kubectl delete pvc wordpress-volume-2-wordpress-0
bash undeploy.sh
```