Use Case k8s Allowed Network Policy workload identity GCP - GoogleCloudPlatform/anthos-appconfig GitHub Wiki

Use Case - Allowed Services (Network Policies) & Secrets Injection (Vault)

  • Namespace: uc-workload-identity

We will use Pub/Sub topic ACLs to demonstrate adding the secrets to the pod via a mutating webhook. At this point, the secret is available and protected by RBAC in the controller namespace 'appconfigmgrv2-system'. The webhook copies the appropriate secret into the application namespace and adds it as a volume and as an environment variable named GOOGLE_APPLICATION_CREDENTIALS (pointing to the volume mount), as required by the Google API client libraries.
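The mutation described above, sketched as an added Python example (not the anthos-appconfig webhook's own code): given an AdmissionReview for a Pod, it emits an RFC 6902 JSON Patch that adds the Secret as a read-only volume, mounts it into every container, and sets GOOGLE_APPLICATION_CREDENTIALS to the mounted key file, then applies the patch locally to check the result. The Secret name, volume name, mount path, key file name and the sample Pod are assumptions constructed for the example; the copy of the Secret from appconfigmgrv2-system into the application namespace is a separate step not modelled here.

```python
import base64
import copy
import json

# Names used by this example; they are assumptions, not the controller's own values.
SECRET_NAME = "gcp-sa-key"           # Secret copied into the application namespace
VOLUME_NAME = "gcp-sa-key"
MOUNT_PATH = "/var/run/secrets/gcp"
KEY_FILE = "key.json"                # key in the Secret that holds the SA JSON
CREDS_ENV = "GOOGLE_APPLICATION_CREDENTIALS"

# Constructed AdmissionReview for a Pod with no volumes, mounts or env yet.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "namespace": "uc-workload-identity",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "workload-identity-pubsub-app",
                         "namespace": "uc-workload-identity"},
            "spec": {"containers": [{"name": "app", "image": "example/app:1"}]},
        },
    },
}

def build_mutation_patch(pod):
    """Return a JSON Patch that mounts the Secret read-only into every container
    and points GOOGLE_APPLICATION_CREDENTIALS at the mounted key file."""
    spec = pod["spec"]
    patch = []
    if "volumes" not in spec:          # "add" to a missing array must create it first
        patch.append({"op": "add", "path": "/spec/volumes", "value": []})
    patch.append({"op": "add", "path": "/spec/volumes/-", "value": {
        "name": VOLUME_NAME,
        "secret": {"secretName": SECRET_NAME, "defaultMode": 0o400}}})
    for i, c in enumerate(spec["containers"]):
        base = f"/spec/containers/{i}"
        if "volumeMounts" not in c:
            patch.append({"op": "add", "path": f"{base}/volumeMounts", "value": []})
        patch.append({"op": "add", "path": f"{base}/volumeMounts/-", "value": {
            "name": VOLUME_NAME, "mountPath": MOUNT_PATH, "readOnly": True}})
        if "env" not in c:
            patch.append({"op": "add", "path": f"{base}/env", "value": []})
        patch.append({"op": "add", "path": f"{base}/env/-", "value": {
            "name": CREDS_ENV, "value": f"{MOUNT_PATH}/{KEY_FILE}"}})
    return patch

def admission_response(review):
    """Wrap the patch in the AdmissionReview response the API server expects:
    the patch is base64-encoded JSON and patchType must be 'JSONPatch'."""
    req = review["request"]
    patch = build_mutation_patch(req["object"])
    return {
        "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
        "response": {
            "uid": req["uid"], "allowed": True, "patchType": "JSONPatch",
            "patch": base64.b64encode(json.dumps(patch).encode()).decode(),
        },
    }

def decode_patch(response):
    """Recover the JSON Patch list from an AdmissionReview response."""
    return json.loads(base64.b64decode(response["response"]["patch"]))

def apply_json_patch(doc, patch):
    """Minimal applier for the 'add' operations this webhook emits, used to
    check locally what the API server would do with the patch."""
    doc = copy.deepcopy(doc)
    for op in patch:
        if op["op"] != "add":
            raise ValueError(f"unsupported op {op['op']}")
        parts = op["path"].lstrip("/").split("/")
        target = doc
        for p in parts[:-1]:
            target = target[int(p)] if isinstance(target, list) else target[p]
        last = parts[-1]
        if isinstance(target, list):
            if last == "-":
                target.append(op["value"])
            else:
                target.insert(int(last), op["value"])
        else:
            target[last] = op["value"]
    return doc

def mutated_pod(review):
    """Pod after the webhook's patch has been applied."""
    return apply_json_patch(review["request"]["object"],
                            decode_patch(admission_response(review)))

def credentials_path(container):
    """Value of GOOGLE_APPLICATION_CREDENTIALS in a container, or None."""
    for env in container.get("env", []):
        if env.get("name") == CREDS_ENV:
            return env.get("value")
    return None
```

Two details matter for the security of the mounted key: the volume is mounted `readOnly` with `defaultMode` 0400, so the container cannot rewrite the key file, and the Secret itself stays RBAC-protected in the controller namespace until the webhook copies it. A real webhook would also decide which Pods are entitled to the Secret; this example patches every Pod it is handed.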

gsutil cat  gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-workload-identity/deploy-apps.yaml | kubectl apply -f -

*NOTE - Vault will be documented in the wiki.

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq"

Svc 2 -> Svc 1 -> Pub/Sub topic1 (outbound): should work

curl "http://$INGRESS_NO_ISTIO_HOST/testcallseq?call1=http://workload-identity-pubsub-app.uc-workload-identity:8000?gcpProjectID=$PROJECT_NAME&topic=workload-identity-topic&message=hello"

gcloud pubsub subscriptions pull --auto-ack  workload-identity-topic --page-size 20 --limit 20 --project $PROJECT_NAME

host:hello-app-drv-py-1-677775646f-b8gm5
Publish Success: 776104906071903
┌────────┬─────────────────┬────────────┐
│  DATA  │    MESSAGE_ID   │ ATTRIBUTES │
├────────┼─────────────────┼────────────┤
│ hello1 │ 608858688012712 │            │
└────────┴─────────────────┴────────────┘