Skaffold: kaniko builds should work with GKE workload identity

Created on 31 Dec 2019 · 9Comments · Source: GoogleContainerTools/skaffold

Expected behavior

My expectation is that skaffold kaniko builds would work with GKE workload identity

Actual behavior

skaffold kaniko pods end up setting the environment variable GOOGLE_APPLICATION_CREDENTIALS.

As a result, kaniko pods will not try to use workload identity but instead look for the GCP secret to be provided in the location specified by the secret.

Information

Skaffold version: v1.1.1
Operating system: ...
Contents of skaffold.yaml:

apiVersion: skaffold/v2alpha1
kind: Config
metadata:
  name: label-microservice
build:
  artifacts:
  - image: gcr.io/issue-label-bot-dev/bot-worker
    # Set the context to the root directory. 
    # All paths in the Dockerfile should be relative to this one.
    context: ..
    # Automatically sync python files to the container. This should avoid
    # the need to rebuild and redeploy when the files change.
    # TODO(https://github.com/GoogleContainerTools/skaffold/issues/3448): We use manual sync
    # because inferred sync doesn't work
    #
    # This only works if we autorestart the program on changes.
    sync:
        manual:
        - src: 'py/code_intelligence/*.py'
          dest: '/'
        - src: 'py/label_microservice/*.py'
          dest: '/'
    kaniko:
      dockerfile: Label_Microservice/deployment/Dockerfile.worker
      buildContext:
        gcsBucket: issue-label-bot-dev_skaffold-kaniko
      cache: {}
  cluster:    
    # TODO(jlewi): This should be changed for each developer; or maybe we should create a reusable one?
    namespace: kaniko
    resources:
      requests:
        cpu: 8
        memory: 16Gi

deploy:
  kustomize:
    path: deployment/overlays/dev

Steps to reproduce the behavior

a clonable repository with the sample skaffold project
skaffold <command>
...

arebuild builkaniko good first issue help wanted kinfeature-request prioritp3

Source

jlewi

Most helpful comment

Per: GoogleContainerTools/kaniko#968 kaniko works just fine with workload identity. So the issue is just properly configuring the kaniko pod so that WI works. Specifically

Don't set GOOGLE_APPLICATION_CREDENTIALS
Make the K8s service account configurable

jlewi on 4 Aug 2020

👍2

All 9 comments

@jlewi Thanks for opening this issue. At this time, we don't have a clear understanding of workload identity. I will look into what (if any) pod config is required for kaniko pod and then follow up here in skaffold.

Thanks

tejal29 on 15 Jan 2020

@tejal29 Thanks. If you are using Google Cloud Client libraries to get credentials you shouldn't need to do anything. The client libraries should attempt to contact the metadata server to get credentials if GOOGLE_APPLICATION_CREDENTIALS isn't set.

jlewi on 17 Jan 2020

This should be relatively easy to implement.
We can add a skipGcpCredentials flag to build.artifact.kaniko.

balopat on 30 Jan 2020

@balopat - seems reasonable. Alternatively, if we just remove GOOGLE_APPLICATION_CREDENTIALS from kaniko, shouldn't it do the right thing with newer libraries?

tstromberg on 30 Apr 2020

I think you still want GOOGLE_APPLICATION_CREDENTIALS for a way to supply GCR credentials on a non-GKE cluster?

And does kaniko use Google Cloud Client libraries to get credentials?

chanseokoh on 30 Apr 2020

cc @tejal29 do you know? also, is anyone interested in fixing this one?

nkubala on 30 Jul 2020

Workload identity also depends on being able to set the K8s service account in order to control the GCP identity that is used.

On GKE/GCP it is increasingly common to disallow exporting of service account keys. So this is becoming a blocker.

jlewi on 4 Aug 2020

Per: GoogleContainerTools/kaniko#968 kaniko works just fine with workload identity. So the issue is just properly configuring the kaniko pod so that WI works. Specifically