Tags: kubernetes, google-kubernetes-engine, workload-identity

How to Specify ServiceAccountName for Pods in GKE Deployment.YAML


I've configured my cluster and node pools for Workload Identity (https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) but in order to get it to work, I need to also make my pods use the kubernetes service account I created for the Workload Identity.

I see I can specify the serviceAccountName in a pod's YAML, but how can I do this using Google CI/CD which uses deployment.yaml? Or can I somehow reference a pod's YAML for use as a spec template within my deployment.yaml? Sorry, I am new to k8s!

Ref. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Essentially, I am just trying to get Workload Identity to work with my application so the GOOGLE_APPLICATION_CREDENTIALS is set by Google for use within my app!

I've tried the following in my deployment.yaml but I get the error unknown field "serviceAccountName" in io.k8s.api.core.v1.Container;:

spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-application
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: my-application
    spec:
      containers:
        - image: >-
            gcr.io/my-project/github.com/my-org/my-repo
          imagePullPolicy: IfNotPresent
          name: my-application
          serviceAccountName: my-k8s-svc-acct

Solution

  • serviceAccountName is a property of the pod spec object, not the container. So, it should be:

    spec:
      replicas: 3
      selector:
        matchLabels:
          app: my-application
      strategy:
        rollingUpdate:
          maxSurge: 25%
          maxUnavailable: 25%
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: my-application
        spec:
          serviceAccountName: my-k8s-svc-acct
          containers:
            - image: >-
                gcr.io/my-project/github.com/my-org/my-repo
              imagePullPolicy: IfNotPresent
              name: my-application
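The following is an added example, not part of the question or the answer above: a complete manifest showing the pod-level serviceAccountName together with the Kubernetes ServiceAccount it refers to, annotated for GKE Workload Identity. Everything except the image path and the KSA name from the question is an assumed placeholder: the project id my-project, the Google service account my-app-gsa, and the namespace default.

```yaml
# Added example (not from the question or answer). Assumed placeholders:
# project "my-project", Google service account "my-app-gsa", namespace "default".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-k8s-svc-acct
  namespace: default
  annotations:
    # Links this Kubernetes SA to a Google SA. The Google SA must, in turn,
    # grant roles/iam.workloadIdentityUser to
    #   serviceAccount:my-project.svc.id.goog[default/my-k8s-svc-acct]
    iam.gke.io/gcp-service-account: my-app-gsa@my-project.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-application
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-application
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: my-application
    spec:
      # Pod-level field: every container in this pod runs as this KSA.
      # Placing it under a container entry is what produced the
      # "unknown field" error in the question.
      serviceAccountName: my-k8s-svc-acct
      containers:
        - name: my-application
          image: gcr.io/my-project/github.com/my-org/my-repo
          imagePullPolicy: IfNotPresent
          # No GOOGLE_APPLICATION_CREDENTIALS variable or key-file mount is
          # needed: with Workload Identity the Google client libraries fetch
          # short-lived tokens from the GKE metadata server, so no long-lived
          # service-account key is stored in the cluster.
```

Once applied, `kubectl describe pod <pod>` should show the KSA under "Service Account", and from inside a container `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email` should return the Google service account's e-mail rather than the node's. The IAM side of the binding is done with `gcloud iam service-accounts add-iam-policy-binding` using the `roles/iam.workloadIdentityUser` role and the `serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]` member shown in the annotation comment; without it the annotation alone grants nothing.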