How many service account keys are stored per day as variables in the Gitlab CI configuration? When a Google Service Account key is saved in Gitlab, we face all the security issues of storing credentials outside of the cloud infrastructure: access, authorization, key rotation, age, destruction, location, etc.

There are 2 common reasons for developers to store GCP credentials in Gitlab CI: they use specific runners deployed in a Google Kubernetes Engine cluster but do not use (or do not know about) the Workload Identity add-on.

You can continue to use GSA keys in Gitlab CI and secure the keys with external tools like Vault and Forseti, but this adds more tools to manage. The alternative that Google Cloud proposes for customers is to enable the Workload Identity add-on. The Workload Identity add-on provided in Google Kubernetes Engine allows you to bind the Kubernetes service account associated with the specific runner to a Google service account, so no key ever has to be exported.

The first step is to create and configure our GKE devops cluster.

Note: At the time of writing this post, when you enable Workload Identity you will not be able to use some GKE add-ons like Istio, Config Connector or Application Manager on the default node pool, because they depend on the Compute Engine metadata server while Workload Identity uses the GKE metadata server. For this reason, I often recommend having a dedicated GKE cluster for Gitlab runners, to avoid any errors for your business workload.

We start by creating our GKE cluster:
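As an added example (not the author's own commands), the procedure described above as a POSIX shell script: a cluster with a Workload Identity pool, a Google service account with no key, and the runner's Kubernetes service account bound to it. Every project, cluster, zone, namespace and account name is a placeholder assumption; nothing is created unless the script is run with the `apply` argument.

```shell
#!/usr/bin/env sh
# Added example: bind a GitLab runner's Kubernetes service account (KSA)
# to a Google service account (GSA) with GKE Workload Identity.
# All values below are placeholder assumptions; override via environment.
set -eu
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
CLUSTER="${CLUSTER:-gitlab-runners}"
ZONE="${ZONE:-europe-west1-b}"
NAMESPACE="${NAMESPACE:-gitlab-runner}"
KSA="${KSA:-gitlab-runner}"
GSA_NAME="${GSA_NAME:-gitlab-runner}"

# E-mail of the Google service account. No JSON key is ever generated for it.
gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# IAM member that represents one namespace/KSA pair in the workload pool:
# serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

# Dedicated runner cluster with the Workload Identity pool enabled at creation,
# so the default node pool uses the GKE metadata server from the start.
create_cluster() {
  gcloud container clusters create "$CLUSTER" --zone "$ZONE" \
    --project "$PROJECT_ID" --workload-pool="${PROJECT_ID}.svc.id.goog"
}

# Create the GSA, allow the KSA to impersonate it, and annotate the KSA.
# Grant the GSA only the project roles the pipelines actually need (not shown).
bind_identity() {
  gsa=$(gsa_email "$GSA_NAME" "$PROJECT_ID")
  gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"
  gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --project "$PROJECT_ID" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA")"
  kubectl create namespace "$NAMESPACE"
  kubectl create serviceaccount "$KSA" -n "$NAMESPACE"
  kubectl annotate serviceaccount "$KSA" -n "$NAMESPACE" \
    "iam.gke.io/gcp-service-account=$gsa"
}

# Only touch real infrastructure when explicitly asked.
if [ "${1:-}" = "apply" ]; then
  create_cluster
  bind_identity
fi
```

The runner's Kubernetes executor must then launch jobs under that KSA (`service_account = "gitlab-runner"` in the `[runners.kubernetes]` section of the runner config); a job can confirm it with `gcloud auth list`, which should show the GSA e-mail without any key file in CI variables.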