[DO NOT MERGE] POC: Enable Lustre CSI Driver to Impersonate Pod Service Account #196
POC: Enable Lustre CSI Driver to Impersonate Pod Service Account
What this PR does
This PR serves as a Proof of Concept (POC) to demonstrate that the Lustre CSI driver can impersonate the k8s service account of the pod it is mounting a volume for.
This is achieved by using Workload Identity to exchange the pod's service account token for a Google Cloud IAM token, which is then used to authorize API calls against the Lustre service.
Success Criteria
The primary success criterion is that the CSI driver can successfully use the pod's assigned service account to call the Lustre API, GET the instance, and mount the volume without a permission denied error.
Verification Steps
The following steps outline the test case, showing the state of the pod before and after the correct IAM permissions are applied. The CSI driver is deployed in a GKE cluster with workload identity enabled.
1. Create a Kubernetes Service Account
First, create the service account for the pod.
2. Create a Pod Using the Service Account
Next, create a pod that uses the service account and requests a Lustre volume.
Result (Before IAM Binding): At this stage, the pod will be stuck in the ContainerCreating status. The CSI driver logs will show a permission denied error when it attempts to call the Lustre API to get instance details, causing the mount to fail.
3. Grant IAM Permissions to the Service Account
Bind the roles/lustre.viewer role to the Kubernetes service account via Workload Identity.
gcloud projects add-iam-policy-binding projects/tyuchn-joonix \
  --role=roles/lustre.viewer \
  --member=principal://iam.googleapis.com/projects/693257449117/locations/global/workloadIdentityPools/tyuchn-joonix.svc.id.goog/subject/ns/default/sa/lustre-pod-sa
4. Verify the Pod is Running
Result (After IAM Binding): Shortly after the IAM policy is applied, the pod's status will change to Running. The CSI driver logs will confirm that it successfully validated the instance by calling the Lustre API, and the volume mount is completed without any permission issues.
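The four verification steps above as one script, added here as an example; it is not code from this PR or from the Lustre CSI driver. The project ID, project number, namespace, service account name and role are the ones quoted in the PR. Everything else is assumed: the PVC name (lustre-pvc, taken to be bound to an already provisioned Lustre PV), the busybox test image, the wait timeout, and the kube-system label selector used to find the driver's pods. The script only builds manifests and the principal string unless LUSTRE_POC_APPLY=1 is set, so it can be sourced and checked without a cluster.

```shell
#!/bin/sh
# Added example, not the PR's own code. Reproduces the before/after test case:
# KSA -> pod stuck in ContainerCreating -> direct principal:// binding -> Running.
set -eu

PROJECT_ID="${PROJECT_ID:-tyuchn-joonix}"          # from the PR
PROJECT_NUMBER="${PROJECT_NUMBER:-693257449117}"   # from the PR
NAMESPACE="${NAMESPACE:-default}"
KSA="${KSA:-lustre-pod-sa}"
PVC="${PVC:-lustre-pvc}"                           # assumed: PVC bound to a Lustre PV
CSI_LOG_SELECTOR="${CSI_LOG_SELECTOR:-k8s-app=lustre-csi-driver}"  # assumed label

# Workload Identity Federation for GKE member for a Kubernetes service account.
# Binding this principal directly means no Google service account is impersonated:
# the pod's own projected token is what IAM authorizes, so the blast radius of a
# compromised pod is exactly the roles granted to this one KSA.
wi_principal() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s' \
    "$1" "$2" "$3" "$4"
}

# Step 1: the service account. No iam.gke.io/gcp-service-account annotation is
# needed because the binding below targets the KSA principal itself.
ksa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $KSA
  namespace: $NAMESPACE
EOF
}

# Step 2: a pod that runs as that service account and mounts the Lustre volume.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: lustre-pod
  namespace: $NAMESPACE
spec:
  serviceAccountName: $KSA
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "ls /mnt/lustre && sleep 3600"]
    volumeMounts:
    - name: lustre
      mountPath: /mnt/lustre
  volumes:
  - name: lustre
    persistentVolumeClaim:
      claimName: $PVC
EOF
}

# Pod phase: Pending (container in ContainerCreating) is the expected state
# before the binding exists, Running afterwards.
pod_phase() {
  kubectl -n "$NAMESPACE" get pod lustre-pod -o jsonpath='{.status.phase}'
}

# Driver-side evidence: "permission denied" before, instance validated after.
driver_logs() {
  kubectl -n kube-system logs -l "$CSI_LOG_SELECTOR" --all-containers --tail=100 \
    | grep -i -E 'permission|denied|validat|instance' || true
}

# Step 3: least privilege. roles/lustre.viewer is read-only on Lustre
# instances, which is all the driver's GET needs; nothing broader is granted.
bind_viewer() {
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --role=roles/lustre.viewer \
    --member="$(wi_principal "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$KSA")" \
    --condition=None
}

# Step 4: wait for the pod to become Ready once the policy has propagated.
verify_running() {
  kubectl -n "$NAMESPACE" wait --for=condition=Ready pod/lustre-pod --timeout=180s
}

# Live steps run only on request, so the file is safe to source for the helpers.
if [ "${LUSTRE_POC_APPLY:-0}" = 1 ]; then
  ksa_manifest | kubectl apply -f -
  pod_manifest | kubectl apply -f -
  sleep 30
  echo "before binding: phase=$(pod_phase)"; driver_logs   # expect Pending + permission denied
  bind_viewer
  verify_running
  echo "after binding: phase=$(pod_phase)"; driver_logs    # expect Running + validated instance
fi
```

Running it twice (once without and once with the binding) is the whole test case; the negative run matters, because a pod that mounts before the binding exists would mean the driver is using some broader credential than the pod's own service account.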