覆盖 Kubernetes 中部署的 spring 引导应用程序使用的默认服务帐户

Question

Problem statement:

I have deployed a spring boot app which when on starting always uses default compute engine service account credentials to authenticate the app, i have a created a seperate service account and key but not able to replace the default one. i tried specifying the new service account in deployement.yaml by using "serviceAccountName" field but still got the error saying service account eg:"xyz" not found.

serviceAccountName: {{.Values.serviceAccountName }}

so how can i override default service account of compute engine with a specific service account and define it in deployment.yaml.

if i add the credentials of new service account in app code base it will work but that is not a best practice to do so, please someone help me on resolving this issue

snippet of my deployment.yaml file:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: helloworld
    appVersion: {{ .Values.appVersion }}
  name: helloworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
        environment: {{ .Values.environment }}
    spec:
      containers:
        - name: helloworld
          image: {{ .Values.imageSha }}
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
          ports:
            - containerPort: 8080
          env:
          - name: SPRING_CONFIG_LOCATION
            value: "/app/deployments/config/"          
          volumeMounts:
            - name: application-config
              mountPath: "/app/deployments/config"
              readOnly: true
      volumes:
      - name: application-config
        configMap:
          name: {{ .Values.configMapName }}
          items:
          - key: application.properties
            path: application.properties

Answer 1

I think you should use Workload Identity which allows to access Google Cloud from outside.

Workload Identity is the recommended way to access Google Cloud services from applications running within GKE due to its improved security properties and manageability. For information about alternative ways to access Google Cloud APIs from GKE, refer to the alternatives section below.

Above guide is well described and I think it should resolve your issue.

For additional example, you can check one of the Community Tutorial - Using Kubernetes Workload Identity for client-server authorization .

In GKE, the Workload Identity feature allows these identities to also be associated with IAM service accounts. This allows a pod running as a Kubernetes service account to act as the associated service account for authorized access to Google APIs and to services that verify identity based on Google Cloud-specific OIDC.

Both docs have examples which should help you to adjust Workload Identity to your needs.