Support Application Default Credentials or Workload Identity when running in GCP #311
Comments
k8s-ci-robot
added
the
kind/feature
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
/lifecycle frozen |
|
@detiber: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
lifecycle/frozen
|
/assign |
|
This would be really useful, at least if initially Application Default Credentials were supported - use of Workload Identity from within a Management cluster running on GKE could be built on top of that. @prksu are you currently still working on this? I'd like to see if I can contribute to this if needed. |
/kind feature
Describe the solution you'd like
Exporting service account credentials and storing in K8S secret store introduces an unnecessary secret and potential point of compromise if the cluster API provider is running inside GCP.
In this case, the provider should first look for Application Default Credentials or use workload identity before requiring service account credential keys.
The text was updated successfully, but these errors were encountered: