Red Hat OpenShift Dedicated clusters on Google Cloud now support Workload Identity Federation (WIF) which is used to authenticate, authorize and access Google Cloud resources without the need for static credentials. This allows OpenShift Dedicated clusters to be deployed with short-lived, least privilege access credentials, reducing the need for maintenance and the security burden associated with the identity and access management (IAM) service account keys.
This article gives a short overview of Google Cloud WIF and explains how it helps overcome the challenges around the use of long-lived credentials.
Current challenges
Prior to rollout of support for WIF, OpenShift Dedicated requires the user to create an osd-ccs-admin service account with a broad set of permissions. The user must create a service account JSON key in the Google Cloud console for this service account, and then export the key to use it while creating the OpenShift Dedicated cluster on Google Cloud.
While using a service account is a valid Google Cloud IAM method for accessing Google Cloud resources, it requires an expansive set of permissions and the service account keys have indefinite lifetimes. The end user has to manage the overhead of securing and maintaining these service account keys, which can be a security risk if not managed correctly. For this reason, Google Cloud recommends using WIF rather than service account keys.
What is Workload Identity Federation and how is it used in the context of OpenShift Dedicated?
Workload Identity Federation (WIF) is a capability of Google Cloud IAM, and provides a keyless authentication mechanism for calling Google Cloud APIs.
OpenShift can be configured to use temporary credentials for different components with Google Cloud WIF. This enables an authentication flow in which a component assumes an IAM service account and receives short-lived credentials. Requesting and refreshing those credentials is automated through an OpenID Connect (OIDC) identity provider: OpenShift signs service account tokens that the provider trusts, and these tokens are projected into a pod and used for authentication.
With WIF, OpenShift Dedicated no longer needs the broader set of permissions required on the osd-ccs-admin service account. This meta service account is broken down into service accounts required by individual OpenShift components, and the least amount of roles and permissions are assigned to these service accounts.
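The following is an added example, not code from the original post or from Red Hat, showing the credential shapes behind the two sections above: it builds the keyless "external_account" configuration that Google client libraries consume for WIF, inspects the claims and remaining lifetime of a projected service account token, constructs the STS token-exchange request that trades that token for a short-lived Google access token, and classifies a credential file as a static service-account key versus a federated config. The Google STS and IAM Credentials endpoints and the OAuth token-exchange URNs are real; the project number, pool and provider IDs, service account e-mail, token file path, subject names and the unsigned sample token are constructed placeholders, and the token is decoded without signature verification because that verification is performed by Google against the cluster's OIDC issuer.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Real Google STS / OAuth token-exchange constants
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def build_wif_credential_config(project_number, pool_id, provider_id, sa_email, token_file):
    """Build an 'external_account' credential config: the keyless counterpart of a
    service-account key file. Google client libraries read this and perform the
    OIDC token -> STS -> service-account impersonation exchange automatically.
    All identifiers passed in are assumptions chosen by the caller."""
    audience = (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
                f"workloadIdentityPools/{pool_id}/providers/{provider_id}")
    return {
        "type": "external_account",
        "audience": audience,
        "subject_token_type": JWT_TOKEN_TYPE,
        "token_url": STS_TOKEN_URL,
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{sa_email}:generateAccessToken"),
        # The projected service account token is read from this file at call time
        "credential_source": {"file": token_file},
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_projected_token_claims(jwt):
    """Decode the payload of a projected token WITHOUT verifying the signature.
    Google STS verifies it against the cluster's OIDC issuer; here we only inspect
    which identity and lifetime the workload is presenting."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(claims, now):
    """Remaining lifetime of the token; 0 once 'exp' has passed."""
    return max(0, claims["exp"] - now)


def build_sts_exchange_body(config, subject_token):
    """Form body posted to STS to trade the OIDC token for a federated access token
    (step 1). Step 2 posts that token to service_account_impersonation_url to get a
    short-lived access token for the component's IAM service account."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "audience": config["audience"],
        "scope": CLOUD_PLATFORM_SCOPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token_type": config["subject_token_type"],
        "subject_token": subject_token,
    })


def classify_credential(config):
    """Tell a static service-account key (long-lived private key material that must
    be secured and rotated) from a federated config (no secret on disk at all)."""
    if config.get("type") == "service_account" and "private_key" in config:
        return "static_key"
    if config.get("type") == "external_account":
        return "federated"
    return "unknown"


def make_sample_projected_token(sub, aud, issued_at, lifetime=3600):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": "https://example-oidc-issuer.invalid", "sub": sub,
               "aud": [aud], "iat": issued_at, "exp": issued_at + lifetime}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    now = int(time.time())
    cfg = build_wif_credential_config(
        "123456789012", "example-pool", "example-provider",
        "example-sa@example-project.iam.gserviceaccount.com",
        "/var/run/secrets/openshift/serviceaccount/token")  # assumed path
    tok = make_sample_projected_token("system:serviceaccount:example-ns:example-sa",
                                      "openshift", now)
    claims = read_projected_token_claims(tok)
    print(classify_credential(cfg), claims["sub"], seconds_until_expiry(claims, now))
    print(build_sts_exchange_body(cfg, tok)[:80] + "...")
```

The point to take from the contrast: a `service_account` key file carries a private key with no expiry, whereas the `external_account` file contains no secret, and every access token it produces expires on its own (the sample token lives one hour), so there is nothing to rotate or revoke if a config file leaks.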
Deploying OpenShift Dedicated using short-lived, least privileged access credentials
WIF is only supported on OpenShift Dedicated version 4.17.0 or higher.
At a high-level, users must follow these steps to deploy OpenShift Dedicated using WIF:
- Complete prerequisites to provision a WIF-enabled OpenShift Dedicated cluster. This includes roles and required APIs that must be enabled at the Google Cloud project level, gcloud and OpenShift Cluster Manager command-line interfaces (CLIs) that must be installed, and steps to authenticate with the gcloud CLI
- Register a WIF configuration (wif-config) using the OpenShift Cluster Manager CLI. This step creates the IAM resources needed to deploy OpenShift Dedicated on Google Cloud using short-lived credentials
- Select the 'Workload Identity Federation' authentication type while triggering an OpenShift Dedicated installation via the OpenShift Cluster Manager (OCM) Hybrid Cloud Console or using the OpenShift Cluster Manager CLI
Since WIF is an install-time setting, existing OpenShift Dedicated clusters deployed on Google Cloud cannot be edited to support this new authentication type. You have to create new clusters to enable use of WIF.
Refer to the OpenShift Dedicated documentation for more details on prerequisites and steps to create an OpenShift Dedicated cluster on Google Cloud using WIF authentication type.
There is no additional cost for provisioning OpenShift Dedicated clusters on Google Cloud with WIF.
Try OpenShift Dedicated from the Google Cloud Marketplace
OpenShift Dedicated purchased from the Google Cloud Marketplace is an easy and self-service way to try OpenShift Dedicated with a flexible pay-as-you-go consumption model. You can also use a portion of your Google Cloud committed spend when purchasing OpenShift Dedicated.
OpenShift Dedicated is a fully-managed application platform that helps you quickly build, deploy and scale applications, rather than having to deal with the underlying infrastructure yourself. Get started with OpenShift Dedicated on Google Cloud today.
Learn more
- Learn more about Google Cloud Workload Identity Federation
- Learn more about OpenShift Dedicated on GCP
- OpenShift Dedicated on Google Cloud Marketplace listing
- Steps to Create a cluster with Workload Identity Federation in OpenShift Dedicated documentation
About the author
Shreyans Mulkutkar is a Senior Product Manager focused on Red Hat OpenShift Cloud Services. He is interested in cloud computing, distributed systems and the cloud-native ecosystem. Shreyans has a decade of experience in both product management and engineering disciplines. He is passionate about building innovative hybrid cloud enterprise software products and making complex technical offerings easy to understand for customers.