Workload Identity Authentication for Knative v0.14.0 on GKE


If you have ever used Knative on Google Cloud, you must have heard of the Knative-GCP project. As the name suggests, Knative-GCP provides a number of sources, such as CloudPubSubSource, CloudStorageSource, CloudSchedulerSource and more, that read events from various Google Cloud services into your Knative cluster.

I recently updated my Knative Tutorial to use the latest Knative Eventing release v0.14.2 and its corresponding Knative-GCP release v0.14.0. I ran into a weird authentication problem that I want to outline here.

One of the notable differences in the latest Knative-GCP release is that it now supports Workload Identity (in addition to the existing Kubernetes Secret) as an authentication mechanism for both the Control and Data Planes (or so the docs claim). Moreover, the docs state that Workload Identity is the recommended way to access Google Cloud services from within GKE because of its improved security properties and manageability.

As I was following the Install Knative GCP page, I couldn’t get the Control Plane working. It turns out that Workload Identity is only supported for the Data Plane, not for the Control Plane, in Knative-GCP release v0.14.0.

Since then, the installation page has been updated to include the following:

Option 1 (Recommended): Use Workload Identity. Note: Now, Workload Identity for the Control Plane only works if you install the Knative-GCP Constructs from the master. If you install the Knative-GCP Constructs with our latest release (v0.14.0) or older releases, please use option 2

This basically means you can either install the master version of Knative-GCP, or wait for the next release, to get Workload Identity working for both the Control and Data Planes. Or, in the meantime, you can set up Workload Identity only for the Data Plane and use Kubernetes Secret authentication for the Control Plane.
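As an added example (not from this post or the Knative-GCP project), here is the interim setup as a small shell script: Workload Identity for the Data Plane, a Kubernetes Secret for the Control Plane, plus a check that the Workload Identity annotation landed. It assumes the Control Plane runs in namespace cloud-run-events and reads a secret named google-cloud-key with a key.json entry, and that a source refers to its Kubernetes ServiceAccount via spec.serviceAccountName; the project, namespace and account names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the post or the Knative-GCP project.
# Assumptions: control plane namespace "cloud-run-events", secret
# "google-cloud-key" with entry "key.json"; project/GSA/KSA names are placeholders.
set -eu

# Workload Identity member string for a Kubernetes ServiceAccount (KSA):
#   serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
wi_member() {
  local project="$1" ns="$2" ksa="$3"
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$project" "$ns" "$ksa"
}

# Data plane: let the source's KSA impersonate the Google service account (GSA)
# with no exported key. The source then names this KSA in spec.serviceAccountName
# (assumed field name).
setup_data_plane_wi() {
  local project="$1" ns="$2" ksa="$3" gsa="$4"
  kubectl -n "$ns" get serviceaccount "$ksa" >/dev/null 2>&1 \
    || kubectl -n "$ns" create serviceaccount "$ksa"
  gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$project" "$ns" "$ksa")"
  kubectl -n "$ns" annotate serviceaccount "$ksa" --overwrite \
    "iam.gke.io/gcp-service-account=$gsa"
}

# Check: the KSA carries the annotation Workload Identity relies on.
data_plane_wi_ok() {
  local ns="$1" ksa="$2" gsa="$3"
  [ "$(kubectl -n "$ns" get serviceaccount "$ksa" \
        -o 'jsonpath={.metadata.annotations.iam\.gke\.io/gcp-service-account}')" = "$gsa" ]
}

# Control plane (v0.14.0): a long-lived GSA key stored in a Secret, which is the
# mechanism Workload Identity is meant to replace. Delete the key from the GSA
# once you move to a release whose control plane supports Workload Identity.
setup_control_plane_secret() {
  local gsa="$1" keyfile="${2:-key.json}"
  gcloud iam service-accounts keys create "$keyfile" --iam-account="$gsa"
  kubectl -n cloud-run-events create secret generic google-cloud-key \
    --from-file="key.json=$keyfile" --dry-run=client -o yaml | kubectl apply -f -
  rm -f "$keyfile"   # do not leave the exported key on disk once it is in the cluster
}
```

Typical use: `setup_data_plane_wi my-project default ksa-pubsub events-gsa@my-project.iam.gserviceaccount.com` followed by `data_plane_wi_ok default ksa-pubsub events-gsa@my-project.iam.gserviceaccount.com`, then `setup_control_plane_secret events-gsa@my-project.iam.gserviceaccount.com`.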

Hope this helps someone out there!
