If you have enabled Workload Identity on your GKE cluster (a requirement for Anthos Service Mesh), follow these instructions to ensure that Bank of Anthos pods can communicate with GCP APIs.
Note - These instructions have only been validated in GKE on GCP clusters. Workload Identity is not yet supported in Anthos GKE on Prem.
- Set up Workload Identity on your GKE cluster using the instructions here. These instructions create the Kubernetes Service Account (KSA) and Google Service Account (GSA) that the Bank of Anthos pods will use to authenticate to GCP. Take note of which Kubernetes namespace you use during setup.
- Add IAM roles to your GSA. These roles allow Workload Identity-enabled Bank of Anthos pods to send traces and metrics to GCP.

```bash
PROJECT_ID=<your-gcp-project-id>
GSA_NAME=<your-gsa>

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role roles/cloudtrace.agent

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role roles/monitoring.metricWriter
```
- Generate Bank of Anthos manifests using your KSA as the Pod service account. In `kubernetes-manifests/`, replace `serviceAccountName: default` with the name of your KSA. (Note - the sample below is Bash.)

```bash
KSA_NAME=<your-ksa>

mkdir -p wi-kubernetes-manifests
# Quote paths so manifests in directories containing spaces are handled correctly.
for f in "$(pwd)"/kubernetes-manifests/*; do
  echo "Processing $f..."
  sed "s/serviceAccountName: default/serviceAccountName: ${KSA_NAME}/g" "$f" > "wi-kubernetes-manifests/$(basename "$f")"
done
```
- Deploy Bank of Anthos to your GKE cluster using the install instructions above, except make sure that instead of the default namespace, you deploy the manifests into your KSA namespace:

```bash
NAMESPACE=<your-ksa-namespace>

kubectl apply -n ${NAMESPACE} -f ./wi-kubernetes-manifests
```
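A manifest left at `serviceAccountName: default` (or with no `serviceAccountName` at all) falls back to the namespace's default KSA, which has no Workload Identity binding, so that Pod silently loses access to the GCP APIs. The following pre-deploy check is an added example, not part of the Bank of Anthos repository; it runs against constructed sample manifests and an assumed KSA name (`bank-of-anthos-ksa`) rather than the repository's files.

```shell
#!/bin/sh
# Added example, not part of the Bank of Anthos repository: before running
# kubectl apply, confirm that no generated manifest still references the
# default KSA and that every Pod-carrying workload names the intended KSA.

# check_wi_manifests DIR KSA -> 0 if every workload in DIR uses KSA, 1 otherwise
check_wi_manifests() {
  wi_dir="$1"; wi_ksa="$2"; wi_rc=0
  for wi_f in "$wi_dir"/*.yaml; do
    [ -e "$wi_f" ] || { echo "no manifests found in $wi_dir"; return 2; }
    if grep -q 'serviceAccountName: default' "$wi_f"; then
      echo "FAIL $wi_f: still references the default KSA"; wi_rc=1
    fi
    # Kinds that create Pods must name the KSA explicitly; ConfigMaps etc. are skipped.
    if grep -Eq '^kind: (Deployment|StatefulSet|DaemonSet|Job)' "$wi_f" &&
       ! grep -q "serviceAccountName: ${wi_ksa}$" "$wi_f"; then
      echo "FAIL $wi_f: workload does not set serviceAccountName: $wi_ksa"; wi_rc=1
    fi
  done
  return $wi_rc
}

# Constructed sample manifests (not the repository's files) so the check runs offline.
KSA_NAME="bank-of-anthos-ksa"   # assumed KSA name
GOOD_DIR=$(mktemp -d); BAD_DIR=$(mktemp -d)
printf 'apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: frontend\nspec:\n  template:\n    spec:\n      serviceAccountName: %s\n' "$KSA_NAME" > "$GOOD_DIR/frontend.yaml"
printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: environment-config\n' > "$GOOD_DIR/config.yaml"
cp "$GOOD_DIR/frontend.yaml" "$BAD_DIR/frontend.yaml"
# One StatefulSet that the sed step missed: still on the default KSA.
printf 'apiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n  name: ledger-db\nspec:\n  template:\n    spec:\n      serviceAccountName: default\n' > "$BAD_DIR/ledger-db.yaml"

check_wi_manifests "$GOOD_DIR" "$KSA_NAME" && echo "OK: $GOOD_DIR is ready to deploy"
check_wi_manifests "$BAD_DIR" "$KSA_NAME" || echo "$BAD_DIR is NOT ready to deploy"
```

Run it against `wi-kubernetes-manifests` with your real KSA name before the `kubectl apply` step; a non-zero exit means at least one workload would start without the Workload Identity binding.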