As a continuation of the Google CSE Labels Integration, please follow these steps to successfully configure the Attribute-based Access Control (ABAC) feature on your Kubernetes server. This document assumes you have completed the Google Console/Admin Changes.
Prior to making the changes below, we recommend creating a copy of the existing /cse directory in GKE. The settings introduced in the values.yaml file are shown below.
Step 1: Deploy CSE labels via Helm
- Create a 'keyfile-secret.yaml' file in the /cse directory using the information from keyFile.json that was generated with the Service Account in Step 2 of the GCP portion.
Note that this is meant to serve as an example and the actual deployment methods and Kubernetes secrets management may differ from your environment. Please make sure your charts are formatted properly. Improper formatting or spacing will cause an error.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: keyfile-secret
  namespace: virtru
type: Opaque
stringData:
  keyFile.json: |
    {contents of the downloaded keyFile.json from Step 2}
```
- Apply the secret:
```shell
kubectl apply -f ./keyfile-secret.yaml
```
- Verify the secret has been created by running:
```shell
kubectl get secrets -n virtru
```
- Modify the values.yaml file to add the CSE Drive labels:
```yaml
appConfig:
  driveLabels:
    enabled: "true"
    serviceAccountEmail: "<your-service-account-email>" # Must be an admin that has access to Labels and Drive
appSecrets:
  googleApplicationCredentials: /app/cse/credentials.json
volumes:
  - name: credentials-volume
    secret:
      secretName: keyfile-secret
      items:
        - key: keyFile.json
          path: credentials.json
volumeMounts:
  - name: credentials-volume # must match the volume name above
    mountPath: /app/cse/credentials.json
    subPath: credentials.json
```
- Deploy with Helm:
```shell
helm upgrade --install cse . -f values.yaml
```
- Check the Service, retrieve the URL and verify the LoadBalancer IP:
```shell
kubectl get svc --namespace default cse
```
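Because the page warns that improper formatting or spacing in the Secret manifest causes an error, the following pre-flight check is added here as an example (it is not part of Virtru's charts or tooling). It validates that keyFile.json is a service-account key with the fields Google includes in such files, then renders the keyfile-secret.yaml manifest with the JSON correctly indented as a block scalar under `stringData`, and reads it back to confirm the round trip. The sample key below is constructed with a placeholder private key; the helper names are this example's own.

```python
import json

# Constructed sample service-account key. The private key is a placeholder,
# not real key material; a downloaded keyFile.json has the same field names.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cse-labels@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_KEYFILE = json.dumps(SAMPLE_KEY)

# Fields every GCP service-account key file carries; a key missing one of
# these is usually truncated or a different credential type altogether.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")


def validate_service_account_key(raw):
    """Return a list of problems found in a keyFile.json string (empty means OK)."""
    problems = []
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"keyFile.json is not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["keyFile.json must be a JSON object"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing or empty field: {field}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    private_key = key.get("private_key", "")
    if private_key and "-----BEGIN PRIVATE KEY-----" not in private_key:
        problems.append("private_key does not look like a PEM private key")
    email = key.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


def render_keyfile_secret(raw, name="keyfile-secret", namespace="virtru"):
    """Render the Secret manifest; every line of the JSON is indented four spaces
    so YAML reads it as the literal block scalar under 'keyFile.json: |'."""
    key = json.loads(raw)
    body = json.dumps(key, indent=2)
    indented = "\n".join("    " + line for line in body.splitlines())
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "type: Opaque\n"
        "stringData:\n"
        "  keyFile.json: |\n"
        f"{indented}\n"
    )


def extract_keyfile_from_manifest(manifest):
    """Recover the JSON from the block scalar, failing on any mis-indented line."""
    marker = "  keyFile.json: |\n"
    start = manifest.index(marker) + len(marker)
    lines = manifest[start:].splitlines()
    for line in lines:
        if line and not line.startswith("    "):
            raise ValueError(f"block scalar line not indented by 4 spaces: {line!r}")
    return json.loads("\n".join(line[4:] for line in lines))


if __name__ == "__main__":
    issues = validate_service_account_key(SAMPLE_KEYFILE)
    if issues:
        raise SystemExit("\n".join(issues))
    manifest = render_keyfile_secret(SAMPLE_KEYFILE)
    assert extract_keyfile_from_manifest(manifest) == SAMPLE_KEY
    print(manifest, end="")
```

Run it against the real file by replacing `SAMPLE_KEYFILE` with the contents of the downloaded keyFile.json and redirecting the output to keyfile-secret.yaml before `kubectl apply`; the round-trip check is what catches a pasted key whose lines lost their indentation.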
Step 2: Verification and Testing
- Verify the deployment:
```shell
kubectl get pods -n virtru
kubectl logs <pod-name> -n virtru
```
- Test by creating a blank encrypted file in Google Drive
- Apply a label to the file that matches the parameters as described in Steps 1-5 (link)
- Share the file with authorized parties, and also, as a test, with one or more users who should not have access to view or edit the file.
The intended experience will be:
- Authorized parties: Will be able to view or edit the file (depending on the permissions set)
- Unauthorized parties: Will be presented with a message “Key service responded with an error. Contact your admin.”
Usage Limits
As this feature flag leverages the Drive Labels API, there are some Google-specific limitations to keep in mind. These limitations and details are linked below for your reference: