I’m running the Percona Operator for PostgreSQL and trying to hook it up to cloud workload identity (GKE / IRSA style auth).
I tried setting a Kubernetes ServiceAccount on my Postgres instance pods through the PerconaPGCluster CR, but the operator rejects it and says serviceAccountName isn’t supported for instance pods.
Something like this:

    spec:
      instances:
        - name: instance1
          replicas: 1
          metadata:
            serviceAccountName: my-ksa
What I’m trying to do is use gcsfuse to mount a GCS bucket into the database pod’s filesystem so Postgres can read CSV files and do a fast init / bulk load (COPY, etc) without downloading them manually. For that to work, the pod needs to run under a KSA that’s bound to a GSA via Workload Identity.
So I’m wondering:
- Is there any supported way to set a ServiceAccount for Postgres or pgBackRest pods?
- Or is the idea that we should use the ServiceAccounts created by the operator and just annotate those for workload identity?
- If that’s the case, which ServiceAccount actually needs the cloud permissions (instance pods, pgBackRest, or something else)?
Would love to hear how others are doing this in the real world.