
Explanation:
Workload Identity Federation allows Kubernetes ServiceAccounts to impersonate GCP service accounts with minimal permissions per workload, avoiding keys. Shared node SA is broad, keys in secrets are insecure, allAuthenticatedUsers too open.
Ultimate access to all questions.
You want each team's GKE workloads to access different GCP resources with least privilege. Best pattern?
A
One node pool SA with all permissions
B
Workload Identity Federation for GKE: map each Kubernetes ServiceAccount to its own Google SA with narrow roles
C
Key files per namespace in Secrets
D
allAuthenticatedUsers on the buckets
No comments yet.