GKE Workload Identity service account for all namespaces

1
votes

I'm following the guide to setup GCP's Workload Identity and have it working for a service account configured against the default Kubernetes namespace as below:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:[PROJECT_ID].svc.id.goog[default/[KSA_NAME]]" \
  [GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com

I'm wondering if there is a way to create the binding for all k8s namespaces; something like below, where I've replaced the default namespace with *:

--member "serviceAccount:[PROJECT_ID].svc.id.goog[*/[KSA_NAME]]"

Is there any way to do this?

1
kubernetesgoogle-cloud-platformgoogle-kubernetes-enginegoogle-iam

1 Answers

0
votes

There is no way to set all namespaces to a Kubernetes Service Account(KSA). Maybe you would have to get each namespace and doing the binding for each namespace, an automation script could help in the process to do it n times (1 time for each namespace).

You can get only namespaces column name using the following kubectl command:

kubectl get ns --all-namespaces --no-headers -o custom-columns=":metadata.name"

Getting something like this:

default
kube-public
kube-system

Which can be used to iterate them using a binding automation script.