Support using workload identity to bake cookies #15807
A+ PR title
user="$(grep -o -E '[^"]+@[^"]+' "$creds")" |
Nothing uses this, so dropped
Do we want to consider making this a Go program or leveraging something like Authentikos moving forward for issuing OAuth tokens?
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clarketm, fejta

The full list of commands accepted by this bot can be found here. The pull request process is described here

Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold
Thanks!
SGTM, especially if we move the tool to our common tooling repo (kubernetes/test-infra). Given the zero maintenance burden I don't consider either of these a pressing issue: https://github.com/kubernetes/test-infra/commits/master/prow/cmd/grandmatriarch

/hold cancel
ref #15806
/assign @BenTheElder @clarketm
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_workload_identity_on_an_existing_cluster
When workload identity is configured, the pod's service account is automatically bound to a GCP service account. Therefore we do not need to send it a secret.json file (which cannot be stolen since it doesn't exist).
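
The keyless path the description relies on, as an added example that is not code from this PR or from test-infra: with no key file supplied, a short-lived token is read from the GKE metadata server instead of from a mounted secret. The function names and the sample response are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed, not from the PR.

# GKE metadata server endpoint that serves tokens for the bound GCP service account.
METADATA_TOKEN_URL='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token'

# Constructed sample of the JSON the endpoint returns (token value is fake).
SAMPLE_RESPONSE='{"access_token":"CONSTRUCTED-TOKEN-NOT-REAL","expires_in":3599,"token_type":"Bearer"}'

# Pick the credential source. No argument means workload identity (metadata
# server). A key file path that does not exist is an error rather than a silent
# fallback, so a misconfigured mount is noticed.
credential_source() {
  if [ -z "${1:-}" ]; then
    echo "metadata"
  elif [ -f "$1" ]; then
    echo "keyfile"
  else
    echo "missing key file: $1" >&2
    return 1
  fi
}

# Pull the token out of the response without needing jq.
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Pull the remaining lifetime in seconds out of the response.
extract_expires_in() {
  printf '%s' "$1" | sed -n 's/.*"expires_in"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Fetch a short-lived token; only works inside a pod with workload identity.
fetch_metadata_token() {
  body="$(curl -sf -H 'Metadata-Flavor: Google' "$METADATA_TOKEN_URL")" || return 1
  extract_access_token "$body"
}

# Offline demonstration on the constructed response.
echo "source=$(credential_source) lifetime=$(extract_expires_in "$SAMPLE_RESPONSE")s"
```

The token obtained this way expires on its own (`expires_in`), unlike a long-lived service account key.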