zuul
/
gcp-authdaemon
Code Issues Proposed changes
A Zuul authorization helper for Google Cloud
2 Commits 1 Branch 0 Tags 62 KiB
Python 96%
Dockerfile 4%
Go to file
James E. Blair 95d5ae41c2 Initial commit 
Change-Id: I1fa5972fc6c6f9f49e993f3dc34f7fcfd6c63d32
 		2020-02-12 09:41:07 -08:00
.gitreview Added .gitreview 2020-02-10 22:48:51 +00:00
.zuul.yaml Initial commit 2020-02-12 09:41:07 -08:00
Dockerfile Initial commit 2020-02-12 09:41:07 -08:00
LICENSE Initial commit 2020-02-12 09:41:07 -08:00
README Initial commit 2020-02-12 09:41:07 -08:00
authdaemon.py Initial commit 2020-02-12 09:41:07 -08:00

README 

An authorization daemon for Google Cloud.

This repo builds a container image which runs a special-purpose
authorization daemon.  It is intended to be run in Google Cloud
(particularly in Google Kubernetes Engine).  The daemon periodically
fetches a bearer token from the Google Cloud metadata service and
writes it to a location on disk.

Running Zuul in GKE with access to service account credentials can be
complicated because the executor does not limit access to the URLs
from which they are fetched.  This means that, without a solution such
as this, even untrusted jobs may be able to access these credentials.

However, with this daemon, Zuul may be configured to run in GKE with
Workload Identity enabled so that the executor does not have access to
service account credentials.  This daemon may be run with access to
credentials and will fetch them write them to a shared volume that may
then be exposed by the executor to trusted (but not untrusted) jobs.