A Kubernetes admission webhook that automatically injects Google Cloud Workload Identity Federation (WIF) configuration into pods, eliminating the need for service account keys.
This webhook transparently configures pods to use WIF for Google Cloud authentication by:
- Injecting projected ServiceAccount tokens as volumes
- Setting the `GOOGLE_APPLICATION_CREDENTIALS` environment variable
- Configuring WIF provider endpoints

Features:
- Zero-touch WIF injection: Automatically configures all pods by default with no manual setup
- Opt-out model: Use annotations to disable injection when needed
- Two WIF modes: Direct federated identity or service account impersonation
- Environment-driven config: Configure via environment variables
- Minimal overhead: Lightweight admission controller with fast processing
The webhook is configured via environment variables:
- `WORKLOAD_IDENTITY_PROVIDER`: WIF provider path (e.g., `projects/123/locations/global/workloadIdentityPools/pool/providers/provider`)
- `GOOGLE_CLOUD_PROJECT`: GCP project ID for workload identity
To disable WIF injection:

Namespace-level (all pods in the namespace):
```yaml
metadata:
  annotations:
    workload-identity.io/injection: "disabled"
```

Pod-level:
```yaml
metadata:
  annotations:
    workload-identity.io/inject: "false"
```

For service account impersonation mode, add:
```yaml
metadata:
  annotations:
    iam.gke.io/gcp-service-account: "[email protected]"
```
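As an added illustration of what a webhook of this kind does to a pod (example code written for this page, not the project's own implementation), the function below evaluates the opt-out annotations, builds the JSON Patch that adds the projected token volume, its mount and `GOOGLE_APPLICATION_CREDENTIALS`, and produces the `external_account` credential config the env var must point at, with `service_account_impersonation_url` only when `iam.gke.io/gcp-service-account` is set. The annotation keys and env var names come from this page; the mount path, the ConfigMap that delivers the credential JSON, the token audience and the 3600 s token lifetime are assumptions.

```python
# Constructed values; the mount path and ConfigMap name are assumptions, not the project's layout.
PROVIDER = "projects/123/locations/global/workloadIdentityPools/pool/providers/provider"
MOUNT = "/var/run/secrets/tokens/gcp-ksa"   # assumed mount path
CONFIG_CM = "gcp-wif-config"                 # assumed ConfigMap holding creds.json

def injection_disabled(ns_ann, pod_ann):
    """Opt-out model: namespace-level switch first, then the pod-level switch."""
    if ns_ann.get("workload-identity.io/injection") == "disabled":
        return True
    return pod_ann.get("workload-identity.io/inject") == "false"

def credential_config(provider, gsa=None):
    """Content of the file GOOGLE_APPLICATION_CREDENTIALS points at (external_account)."""
    cfg = {
        "type": "external_account",
        "audience": f"//iam.googleapis.com/{provider}",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {"file": f"{MOUNT}/token", "format": {"type": "text"}},
    }
    if gsa:  # impersonation mode: the federated STS token is exchanged for a GSA access token
        cfg["service_account_impersonation_url"] = (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{gsa}:generateAccessToken")
    return cfg

def _append(patch, path, existing, value):  # JSON Patch: create list if absent, else append
    if existing:
        patch.append({"op": "add", "path": f"{path}/-", "value": value})
    else:
        patch.append({"op": "add", "path": path, "value": [value]})

def build_patch(pod, ns_ann, provider=PROVIDER):
    """Return (json_patch, credential_config) for an incoming pod; ([], None) if opted out."""
    pod_ann = pod.get("metadata", {}).get("annotations") or {}
    if injection_disabled(ns_ann, pod_ann):
        return [], None
    volume = {"name": "gcp-ksa", "projected": {"sources": [
        {"serviceAccountToken": {"path": "token", "expirationSeconds": 3600,
                                 "audience": f"//iam.googleapis.com/{provider}"}},
        {"configMap": {"name": CONFIG_CM, "items": [{"key": "config", "path": "creds.json"}]}}]}}
    patch = []
    _append(patch, "/spec/volumes", pod["spec"].get("volumes"), volume)
    for i, c in enumerate(pod["spec"]["containers"]):
        _append(patch, f"/spec/containers/{i}/volumeMounts", c.get("volumeMounts"),
                {"name": "gcp-ksa", "mountPath": MOUNT, "readOnly": True})
        _append(patch, f"/spec/containers/{i}/env", c.get("env"),
                {"name": "GOOGLE_APPLICATION_CREDENTIALS", "value": f"{MOUNT}/creds.json"})
    return patch, credential_config(provider, pod_ann.get("iam.gke.io/gcp-service-account"))
```

The returned config is what must land in the assumed ConfigMap's `config` key; the projected token is short-lived and mounted read-only, so no long-lived key ever reaches the pod.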
The webhook is distributed as a container image:
```yaml
image: ghcr.io/groq/k8s-wif-webhook:latest
```
See the releases page for specific versions.

License: Apache 2.0