Shoot Workload Identity
WorkloadIdentity is a resource that lets workloads present themselves to external systems with identities managed by Gardener. Because a WorkloadIdentity does not directly contain credentials, Shoots can be created without a preliminary exchange of credentials. For that to work, users must establish trust in the Gardener Workload Identity Issuer in advance. The issuer URL can be read from the Gardener Info ConfigMap.
TIP
Shoots that previously used Secrets as their authentication method can also be migrated to WorkloadIdentity. As the credentialsRef field of a CredentialsBinding is immutable, one has to create a new CredentialsBinding that references a WorkloadIdentity and then set the .spec.credentialsBindingName field of the Shoot to refer to the newly created CredentialsBinding.
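The migration described in the tip, written out as manifests. This is an added example, not taken from the Gardener documentation; the namespace garden-myproject, the resource names and the audience value are assumptions, and the provider-specific providerConfig of the WorkloadIdentity is left out because its content depends on the provider extension.

```yaml
# Step 1: the WorkloadIdentity the Shoot will use instead of a Secret.
# No cloud credentials are stored here; the target system trusts the
# Gardener Workload Identity Issuer instead (assumed names throughout).
apiVersion: security.gardener.cloud/v1alpha1
kind: WorkloadIdentity
metadata:
  name: aws-workload-identity
  namespace: garden-myproject
spec:
  audiences:
  - sts.amazonaws.com          # assumed audience accepted by the target system
  targetSystem:
    type: aws
    # providerConfig omitted: its schema is defined by the provider extension
---
# Step 2: a NEW CredentialsBinding. The existing Secret-backed binding
# cannot be edited because credentialsRef is immutable.
apiVersion: security.gardener.cloud/v1alpha1
kind: CredentialsBinding
metadata:
  name: aws-wi-binding
  namespace: garden-myproject
provider:
  type: aws
credentialsRef:
  apiVersion: security.gardener.cloud/v1alpha1
  kind: WorkloadIdentity     # previously: kind Secret (v1)
  name: aws-workload-identity
  namespace: garden-myproject
---
# Step 3: point the Shoot at the new binding; this field is mutable.
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: my-shoot
  namespace: garden-myproject
spec:
  credentialsBindingName: aws-wi-binding   # was: the Secret-backed binding
  # remaining Shoot spec unchanged
```

The old Secret-backed CredentialsBinding can be deleted once the Shoot has reconciled successfully with the new one.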
As of now, WorkloadIdentity is supported for AWS, Azure and GCP. For a detailed explanation of how to enable the feature, consult the provider-specific extension documentation: