{"id":24611,"date":"2026-05-29T06:07:17","date_gmt":"2026-05-29T06:07:17","guid":{"rendered":"https:\/\/umang.pk\/2026\/05\/29\/%da%af%d9%88%da%af%d9%84-%da%a9%d9%84%d8%a7%d8%a4%da%88-%d8%b3%d8%b1%d9%88%d8%b3%d8%b2-%d8%a7%d9%88%d8%b1-%d8%a2%d9%86-%d9%be%d8%b1%db%8c%d9%85%db%8c%d8%b3%d8%b3-kubernetes-%d8%a7%d9%86%d9%81%d8%b1\/"},"modified":"2026-05-29T06:07:17","modified_gmt":"2026-05-29T06:07:17","slug":"%da%af%d9%88%da%af%d9%84-%da%a9%d9%84%d8%a7%d8%a4%da%88-%d8%b3%d8%b1%d9%88%d8%b3%d8%b2-%d8%a7%d9%88%d8%b1-%d8%a2%d9%86-%d9%be%d8%b1%db%8c%d9%85%db%8c%d8%b3%d8%b3-kubernetes-%d8%a7%d9%86%d9%81%d8%b1","status":"publish","type":"post","link":"https:\/\/umang.pk\/en_us\/2026\/05\/29\/%da%af%d9%88%da%af%d9%84-%da%a9%d9%84%d8%a7%d8%a4%da%88-%d8%b3%d8%b1%d9%88%d8%b3%d8%b2-%d8%a7%d9%88%d8%b1-%d8%a2%d9%86-%d9%be%d8%b1%db%8c%d9%85%db%8c%d8%b3%d8%b3-kubernetes-%d8%a7%d9%86%d9%81%d8%b1\/","title":{"rendered":"\u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u0633\u0631\u0648\u0633\u0632 \u0627\u0648\u0631 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 Kubernetes \u0627\u0646\u0641\u0631\u0627\u0633\u0679\u0631\u06a9\u0686\u0631 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u06cc\u06a9 \u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u06a9\u06cc\u0633\u06d2 \u0628\u0646\u0627\u06cc\u0627 \u062c\u0627\u0626\u06d2"},"content":{"rendered":"\n<div id=\"\">\n<p>\u0627\u0633 \u0645\u0636\u0645\u0648\u0646 \u0645\u06cc\u06ba\u060c \u0622\u067e \u0633\u06cc\u06a9\u06be\u062a\u06d2 \u06c1\u06cc\u06ba \u06a9\u06c1 \u06a9\u0633 \u0637\u0631\u062d \u0627\u06cc\u06a9 \u0645\u062d\u0641\u0648\u0638\u060c \u062a\u0648\u0633\u06cc\u0639 \u067e\u0630\u06cc\u0631 \u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u06a9\u0648 \u0688\u06cc\u0632\u0627\u0626\u0646 
\u0627\u0648\u0631 \u0628\u0646\u0627\u0646\u0627 \u06c1\u06d2 \u062c\u0648 \u0622\u067e \u06a9\u06d2 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 Kubernetes \u0627\u0646\u0641\u0631\u0627\u0633\u0679\u0631\u06a9\u0686\u0631 \u06a9\u0648 \u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u0633\u06d2 \u062c\u0648\u0691\u062a\u0627 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u06cc\u067e\u0633 \u06a9\u0648 \u06a9\u0644\u0627\u0624\u0688 \u0633\u0631\u0648\u0633\u0632 (\u062e\u0627\u0635 \u0637\u0648\u0631 \u067e\u0631 GPUs) \u06a9\u0648 \u06a9\u0645\u0632\u0648\u0631 \u0637\u0648\u06cc\u0644 \u0645\u062f\u062a\u06cc \u06a9\u0644\u06cc\u062f\u0648\u06ba\u060c \u062f\u0633\u062a\u06cc \u0627\u0633\u0646\u0627\u062f \u06a9\u06d2 \u0627\u0646\u062a\u0638\u0627\u0645\u060c \u06cc\u0627 \u062e\u0637\u0631\u0646\u0627\u06a9 \u0646\u06cc\u0679 \u0648\u0631\u06a9 \u067e\u06cc\u0679\u0631\u0646 \u06a9\u06d2 \u0628\u063a\u06cc\u0631 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u06cc\u06c1 \u06a9\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06c1\u06d2:<\/p>\n<ul>\n<li>\n<p>\u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u0627\u0646\u062c\u06cc\u0646\u0626\u0631\u0632\u060c SREs\u060c \u0627\u0648\u0631 \u0633\u06cc\u06a9\u06cc\u0648\u0631\u0679\u06cc \u067e\u0631 \u0645\u0631\u06a9\u0648\u0632 \u06a9\u0644\u0627\u0624\u0688 \u0622\u0631\u06a9\u06cc\u0679\u06cc\u06a9\u0679\u0633 \u062c\u0648 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u0648\u0631 \u06a9\u0644\u0627\u0624\u0688 Kubernetes \u0627\u062b\u0627\u062b\u0648\u06ba \u06a9\u0627 \u0645\u0631\u06a9\u0628 \u0686\u0644\u0627 \u0631\u06c1\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>\u062c\u0646 \u0679\u06cc\u0645\u0648\u06ba \u06a9\u0648 
\u0622\u067e\u0631\u06cc\u0634\u0646\u0644 \u0627\u0648\u0648\u0631 \u06c1\u06cc\u0688 \u0627\u0648\u0631 \u0628\u0644\u0627\u0633\u0679 \u0631\u06cc\u0688\u06cc\u0626\u0633 \u06a9\u0648 \u06a9\u0645 \u0633\u06d2 \u06a9\u0645 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 GCP \u0648\u0633\u0627\u0626\u0644 (\u062e\u0627\u0635 \u0637\u0648\u0631 \u067e\u0631 GPU \u0627\u0646\u0633\u0679\u06cc\u0646\u0633\u0632) \u062a\u06a9 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0648\u0631\u06a9 \u0628\u0648\u062c\u06be \u0633\u06d2 \u0642\u0627\u0628\u0644 \u062a\u0648\u0633\u06cc\u0639\u060c \u0642\u0627\u0628\u0644 \u0622\u0688\u0679 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<\/ul>\n<p>\u0622\u067e \u06a9\u0648 \u0627\u0633 \u06af\u0627\u0626\u06cc\u0688 \u0633\u06d2 \u06a9\u06cc\u0627 \u0645\u0644\u06d2 \u06af\u0627:<\/p>\n<ul>\n<li>\n<p>\u06c1\u0627\u0626\u0628\u0631\u0688 \u0627\u067e\u0631\u0648\u0686 \u06a9\u06d2 \u0645\u062d\u0631\u06a9\u0627\u062a \u0627\u0648\u0631 \u0645\u0639\u0627\u0634\u06cc\u0627\u062a (\u062c\u06cc \u067e\u06cc \u06cc\u0648\u0632 \u06a9\u0627\u0645 \u06a9\u06d2 \u0628\u0648\u062c\u06be \u06a9\u0648 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0631 \u06a9\u06cc\u0648\u06ba \u062f\u06be\u06a9\u06cc\u0644\u062a\u06d2 \u06c1\u06cc\u06ba)<\/p>\n<\/li>\n<li>\n<p>\u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc\u0632 \u06a9\u06d2 \u0639\u0627\u0645 \u0646\u0642\u0635\u0627\u0646\u0627\u062a \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u062c\u0627\u0646\u06cc\u06ba \u0627\u0648\u0631 \u062c\u0627\u0646\u06cc\u06ba \u06a9\u06c1 \u062d\u0642\u06cc\u0642\u06cc \u062f\u0646\u06cc\u0627 \u06a9\u06d2 \u0645\u0627\u062d\u0648\u0644 \u0645\u06cc\u06ba &#8216;\u062d\u0627\u062f\u062b\u0627\u062a\u06cc \u0627\u06cc\u0626\u0631 \u06af\u06cc\u067e (air gap)&#8217; \u06a9\u06cc\u0633\u06d2 \u06c1\u0648\u062a\u06d2 
\u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>\u0627\u06cc\u06a9 \u0639\u0645\u0644\u06cc \u0627\u06cc\u0646\u0688 \u0679\u0648 \u0627\u06cc\u0646\u0688 \u067e\u06cc\u0679\u0631\u0646 \u062c\u0648 \u0648\u0631\u06a9 \u0644\u0648\u0688 \u0622\u0626\u06cc\u0688\u06cc\u0646\u0679\u06cc\u0679\u06cc \u0641\u06cc\u0688\u0631\u06cc\u0634\u0646 (Workload Identity Federation) \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u062a\u0627\u06a9\u06c1 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u067e\u0648\u0688\u0632 \u06a9\u0648 \u0627\u06cc\u0645\u0628\u06cc\u0688\u0688 \u06a9\u06cc\u0632 \u06a9\u06d2 \u0628\u063a\u06cc\u0631 GCP \u062a\u06a9 \u0642\u0644\u06cc\u0644 \u0645\u062f\u062a\u06cc\u060c \u0642\u0627\u0628\u0644 \u0622\u0688\u0679 \u0631\u0633\u0627\u0626\u06cc \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u06d2\u06d4<\/p>\n<\/li>\n<\/ul>\n<p>\u0634\u0627\u0645\u0644:<\/p>\n<ul>\n<li>\n<p>\u062a\u0635\u0648\u0631\u0627\u062a\u06cc \u0648\u0636\u0627\u062d\u062a\u06cc\u06ba\u060c \u062d\u0641\u0627\u0638\u062a\u06cc \u0641\u0648\u0627\u0626\u062f \u0627\u0648\u0631 \u0646\u0642\u0635\u0627\u0646\u0627\u062a\u060c \u0627\u0648\u0631 \u0622\u067e\u0631\u06cc\u0634\u0646\u0644 \u0628\u06c1\u062a\u0631\u06cc\u0646 \u0637\u0631\u06cc\u0642\u06d2\u06d4<\/p>\n<\/li>\n<li>\n<p>\u0679\u06be\u0648\u0633 \u0645\u062b\u0627\u0644\u06cc\u06ba \u0627\u0648\u0631 Kubernetes\/Terraform \u0646\u0645\u0648\u0646\u06d2 \u0622\u067e \u06a9\u0648 \u0627\u067e\u0646\u06d2 \u0645\u0627\u062d\u0648\u0644 \u0645\u06cc\u06ba \u0633\u06cc\u0679 \u0627\u067e \u06a9\u0648 \u062f\u0648\u0628\u0627\u0631\u06c1 \u062a\u06cc\u0627\u0631 \u06a9\u0631\u0646\u06d2 \u0645\u06cc\u06ba \u0645\u062f\u062f \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 (\u0627\u0633 \u0645\u0636\u0645\u0648\u0646 \u06a9\u06d2 \u0622\u062e\u0631 \u0645\u06cc\u06ba GitHub \u0630\u062e\u06cc\u0631\u06c1 \u0633\u06d2 
\u0645\u0646\u0633\u0644\u06a9)<\/p>\n<\/li>\n<\/ul>\n<p>\u062a\u06be\u06cc\u0648\u0631\u06cc \u06a9\u0648 \u067e\u0691\u06be\u0646\u06d2 \u06a9\u06d2 \u0628\u0639\u062f\u060c GCP \u0648\u0633\u0627\u0626\u0644 \u06a9\u06cc \u0641\u0631\u0627\u06c1\u0645\u06cc \u06a9\u06d2 \u0644\u06cc\u06d2 \u06c1\u06cc\u0646\u0688 \u0622\u0646 \u0633\u06cc\u06a9\u0634\u0646 \u06a9\u06cc \u067e\u06cc\u0631\u0648\u06cc \u06a9\u0631\u06cc\u06ba\u060c \u0641\u06cc\u0688\u0631\u06cc\u0634\u0646 \u06a9\u0648 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u06ba\u060c CEL \u0627\u0648\u0631 Kyverno \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u067e\u0627\u0644\u06cc\u0633\u06cc\u0627\u06ba \u0646\u0627\u0641\u0630 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0648\u0631 \u0627\u067e\u0646\u06d2 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 Kubernetes \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba \u0645\u062d\u0641\u0648\u0638\u060c \u0642\u0627\u0628\u0644 \u062a\u0648\u0633\u06cc\u0639 GPU \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u062a\u0648\u062b\u06cc\u0642 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<p><strong>\u0645\u06cc\u0645\u0648:<\/strong> Kubernetes \u0627\u0648\u0631 Terraform \u0646\u0645\u0648\u0646\u06d2 \u0627\u0633 \u062f\u0633\u062a\u0627\u0648\u06cc\u0632 \u06a9\u06d2 \u0622\u062e\u0631 \u0645\u06cc\u06ba GitHub \u06a9\u06d2 \u0630\u062e\u06cc\u0631\u0648\u06ba \u0633\u06d2 \u0645\u0646\u0633\u0644\u06a9 \u06c1\u06cc\u06ba\u06d4<\/p>\n<h2 id=\"heading-table-of-contents\">\u0627\u0646\u0688\u06cc\u06a9\u0633<\/h2>\n<h2 id=\"heading-prerequisites\">\u0634\u0631\u0627\u0626\u0637<\/h2>\n<p>\u0627\u0646 \u0627\u0642\u062f\u0627\u0645\u0627\u062a \u067e\u0631 \u0639\u0645\u0644 \u06a9\u0631\u0646\u06d2 \u0633\u06d2 \u067e\u06c1\u0644\u06d2\u060c \u0622\u067e \u06a9\u0648 \u0636\u0631\u0648\u0631\u062a \u06c1\u0648 \u06af\u06cc:<\/p>\n<ul>\n<li>\n<p>Kubernetes \u06a9\u0644\u0633\u0679\u0631 \u0627\u0633 
\u0634\u0631\u0637 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u06a9\u06c1 \u0648\u06c1 GKE <strong>\u0646\u06c1<\/strong> \u06c1\u0648 (\u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633\u060c bare metal\u060c \u06cc\u0627 \u0648\u0631\u0686\u0648\u0626\u0644 \u06a9\u0644\u0633\u0679\u0631)<\/p>\n<\/li>\n<li>\n<p>\u0627\u06cc\u06a9 Google Cloud \u067e\u0631\u0648\u062c\u06cc\u06a9\u0679 \u062c\u0633 \u0645\u06cc\u06ba IAM\u060c \u0633\u06cc\u06a9\u0648\u0631\u0679\u06cc \u0679\u0648\u06a9\u0646 \u0633\u0631\u0648\u0633 (STS)\u060c \u0627\u0648\u0631 \u0648\u0631\u06a9 \u0644\u0648\u0688 \u0622\u0626\u06cc\u0688\u06cc\u0646\u0679\u06cc\u0679\u06cc \u062c\u06cc\u0633\u06d2 APIs \u0641\u0639\u0627\u0644 \u06c1\u0648\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>\u0679\u06cc\u0631\u0627\u0641\u0627\u0631\u0645 \u06a9\u0648 \u0627\u0646\u0633\u0679\u0627\u0644 \u0627\u0648\u0631 \u06a9\u0646\u0641\u06cc\u06af\u0631 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>Kyverno \u06a9\u0644\u0633\u0679\u0631 \u067e\u0631 \u0646\u0635\u0628<\/p>\n<\/li>\n<li>\n<p>Python 3 \u0645\u0639 <code>google-cloud-secret-manager<\/code> \u0627\u0648\u0631 <code>google-cloud-aiplatform<\/code> \u0644\u0627\u0626\u0628\u0631\u06cc\u0631\u06cc (\u062a\u0635\u062f\u06cc\u0642 \u06a9\u06d2 \u0645\u0631\u062d\u0644\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2\u06d4 \u06a9\u0648\u0688 \u06af\u06cc\u062a\u06be\u0628 \u0631\u06cc\u067e\u0648\u0632\u0679\u0631\u06cc \u0645\u06cc\u06ba \u062f\u0633\u062a\u06cc\u0627\u0628 \u06c1\u06d2)<\/p>\n<\/li>\n<li>\n<p><code>kubectl<\/code>    \u06a9\u0644\u0633\u0679\u0631 \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"heading-why-hybrid-cloud-matters\">\u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u06a9\u06cc\u0648\u06ba \u0627\u06c1\u0645\u06cc\u062a \u0631\u06a9\u06be\u062a\u0627 \u06c1\u06d2\u06d4<\/h2>\n<p>\u0627\u06af\u0631 \u0633\u0628 \u06a9\u0686\u06be \u0679\u06be\u06cc\u06a9 
\u0631\u06c1\u0627 \u062a\u0648\u060c \u0627\u06cc\u06a9 \u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u0648\u0631 \u06a9\u0644\u0627\u0624\u0688 \u0648\u0631\u06a9 \u0628\u0648\u062c\u06be \u06a9\u0648 \u0627\u06cc\u06a9 \u062f\u0648\u0633\u0631\u06d2 \u0633\u06d2 \u0627\u0633 \u0637\u0631\u062d \u0628\u0627\u062a \u0686\u06cc\u062a \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06d2 \u06af\u0627 \u062c\u06cc\u0633\u06d2 \u0648\u06c1 \u0627\u06cc\u06a9 \u06c1\u06cc \u0646\u06cc\u0679 \u0648\u0631\u06a9 \u06a9\u0627 \u062d\u0635\u06c1 \u06c1\u0648\u06ba\u06d4<\/p>\n<p>\u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u0633\u06cc\u0679 \u0627\u067e \u0686\u0644\u0627\u0646\u06d2 \u06a9\u06cc \u0628\u06c1\u062a \u0633\u06cc \u0639\u0645\u0644\u06cc \u0648\u062c\u0648\u06c1\u0627\u062a \u06c1\u06cc\u06ba\u06d4<\/p>\n<ul>\n<li>\n<p><strong>BigQuery \u067e\u0631 \u062a\u062c\u0632\u06cc\u0627\u062a \u0622\u0641 \u0644\u0648\u0688 \u06a9\u0631\u06cc\u06ba:<\/strong> \u0622\u067e \u0627\u0636\u0627\u0641\u06cc \u0633\u0631\u0648\u0631\u0632 \u062e\u0631\u06cc\u062f\u06d2 \u0628\u063a\u06cc\u0631 \u0639\u0627\u0644\u0645\u06cc \u0645\u0639\u06cc\u0627\u0631 \u06a9\u06cc \u067e\u0631\u0648\u0633\u06cc\u0633\u0646\u06af \u067e\u0627\u0648\u0631 \u06a9\u06d2 \u0644\u06cc\u06d2 BigQuery \u0645\u06cc\u06ba \u0628\u0691\u06d2 \u0688\u06cc\u0679\u0627 \u0633\u06cc\u0679\u0633 \u06a9\u0648 \u067e\u0627\u0626\u067e \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u062c\u0628\u06a9\u06c1 \u0688\u06cc\u0679\u0627 \u06a9\u06cc \u062e\u0648\u062f\u0645\u062e\u062a\u0627\u0631\u06cc \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u067e\u0646\u06cc \u0627\u06cc\u0646\u0627\u0644\u06cc\u0679\u06a9\u0633 \u0627\u06cc\u067e\u0633 \u06a9\u0648 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 
\u0631\u06a9\u06be\u062a\u06d2 \u06c1\u0648\u0626\u06d2\u06d4<\/p>\n<\/li>\n<li>\n<p><strong>\u06a9\u0644\u0627\u0624\u0688 \u0627\u0646\u0679\u0631 \u06a9\u0646\u06cc\u06a9\u0679 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0627\u06cc\u06a9 \u0645\u062a\u062d\u062f \u0646\u06cc\u0679 \u0648\u0631\u06a9 \u0628\u0646\u0627\u0626\u06cc\u06ba:<\/strong> Cloud Interconnect \u06cc\u0627 Cloud VPN \u0622\u067e \u06a9\u06d2 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0688\u06cc\u0679\u0627 \u0633\u06cc\u0646\u0679\u0631 \u06a9\u0648 \u0622\u067e \u06a9\u06d2 Google \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 (GCP) \u0648\u0631\u0686\u0648\u0626\u0644 \u067e\u0631\u0627\u0626\u06cc\u0648\u06cc\u0679 \u06a9\u0644\u0627\u0624\u0688 (VPC) \u06a9\u06cc \u062a\u0648\u0633\u06cc\u0639 \u0628\u0646\u0627\u062a\u0627 \u06c1\u06d2\u06d4 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u0646\u0648\u0627\u0626\u0633\u0646\u06af \u0627\u06cc\u067e\u0633 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0631 \u0645\u0628\u0646\u06cc \u0635\u0627\u0631\u0641 \u06a9\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u06d2 \u0633\u0627\u062a\u06be \u06a9\u0645 \u062a\u0627\u062e\u06cc\u0631 \u0627\u0648\u0631 \u0639\u0648\u0627\u0645\u06cc \u0627\u0646\u0679\u0631\u0646\u06cc\u0679 \u06a9\u06cc \u0646\u0645\u0627\u0626\u0634 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0628\u0627\u062a \u0686\u06cc\u062a \u06a9\u0631\u0633\u06a9\u062a\u06cc \u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p><strong>\u06a9\u0644\u0627\u0624\u0688 \u0627\u0633\u0679\u0648\u0631\u06cc\u062c \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0644\u0627\u06af\u062a \u0633\u06d2 \u0645\u0648\u062b\u0631 \u0627\u0633\u06a9\u06cc\u0644 \u0627\u06cc\u0628\u0644\u0679\u06cc:<\/strong> \u0622\u067e \u0644\u0627\u06af\u0632\u060c \u0628\u06cc\u06a9 \u0627\u067e\u0633\u060c \u0627\u0648\u0631 \u062a\u0627\u0631\u06cc\u062e\u06cc \u0688\u06cc\u0679\u0627 \u06a9\u0648 
\u0630\u062e\u06cc\u0631\u06c1 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u067e\u0646\u06cc \u0645\u0642\u0627\u0645\u06cc \u0627\u06cc\u067e\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0644\u0627\u0624\u0688 \u0627\u0633\u0679\u0648\u0631\u06cc\u062c \u06a9\u0648 \u0628\u06cc\u06a9 \u0627\u06cc\u0646\u0688 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u0627\u0648\u0631 \u0635\u0631\u0641 \u0627\u0633 \u0686\u06cc\u0632 \u06a9\u06cc \u0627\u062f\u0627\u0626\u06cc\u06af\u06cc \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba \u062c\u0648 \u0622\u067e \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p><strong>\u067e\u0628\/\u0633\u0628 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u0627\u06cc\u0648\u0646\u0679 \u067e\u0631 \u0645\u0628\u0646\u06cc \u06c1\u0645 \u0622\u06c1\u0646\u06af\u06cc:<\/strong> \u0627\u06af\u0631 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0645\u06cc\u06ba \u06a9\u0648\u0626\u06cc \u0645\u0633\u0626\u0644\u06c1 \u067e\u06cc\u0634 \u0622\u062a\u0627 \u06c1\u06d2\u060c \u062a\u0648 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0628\/\u0633\u0628 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u067e\u06cc\u063a\u0627\u0645\u0627\u062a \u06a9\u0644\u0627\u0624\u0688 \u0633\u0631\u0648\u0633 \u06a9\u0648 \u0641\u0648\u0631\u06cc \u0637\u0648\u0631 \u067e\u0631 \u062c\u0648\u0627\u0628 \u062f\u06cc\u0646\u06d2 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u062f\u0633\u062a\u06cc \u067e\u0648\u0644\u0646\u06af \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06a9\u0648 \u062e\u062a\u0645 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2\u06d4<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"heading-the-economics-of-hybrid-gpus-changed-everything\">\u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u06cc 
\u0627\u0642\u062a\u0635\u0627\u062f\u06cc\u0627\u062a: GPUs \u0646\u06d2 \u0633\u0628 \u06a9\u0686\u06be \u0628\u062f\u0644 \u062f\u06cc\u0627\u06d4<\/h2>\n<p>\u0627\u0633 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u06a9\u06c1 \u06c1\u0645 \u062a\u06a9\u0646\u06cc\u06a9\u06cc \u0645\u0633\u0627\u0626\u0644 \u067e\u0631 \u063a\u0648\u0631 \u06a9\u0631\u06cc\u06ba\u060c \u06cc\u06c1 \u0633\u0645\u062c\u06be\u0646\u0627 \u0645\u062f\u062f\u06af\u0627\u0631 \u06c1\u06d2 \u06a9\u06c1 \u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u067e\u06c1\u0644\u06d2 \u0633\u06d2 \u06a9\u06c1\u06cc\u06ba \u0632\u06cc\u0627\u062f\u06c1 \u06a9\u06cc\u0648\u06ba \u0627\u06c1\u0645 \u06c1\u06d2\u06d4<\/p>\n<p>\u0632\u06cc\u0627\u062f\u06c1 \u062a\u0631 \u06a9\u0627\u0631\u0648\u0628\u0627\u0631\u0648\u06ba \u06a9\u06cc \u0637\u0631\u062d\u060c \u0622\u067e \u06a9\u06cc \u062a\u0646\u0638\u06cc\u0645 \u0646\u06d2 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0688\u06cc\u0679\u0627 \u0633\u06cc\u0646\u0679\u0631 \u0645\u06cc\u06ba \u0627\u06c1\u0645 \u0633\u0631\u0645\u0627\u06cc\u06c1 \u06a9\u0627\u0631\u06cc \u06a9\u06cc \u06c1\u06d2\u06d4 \u0645\u06cc\u06ba \u0646\u06d2 \u0627\u06cc\u06a9 \u0633\u0631\u0648\u0631 \u062e\u0631\u06cc\u062f\u0627\u06d4 \u0631\u06cc\u06a9 \u0628\u06be\u0631\u0627 \u06c1\u0648\u0627 \u06c1\u06d2\u06d4 \u0646\u06cc\u0679 \u0648\u0631\u06a9 \u06a9\u06d2 \u0628\u0646\u06cc\u0627\u062f\u06cc \u0688\u06be\u0627\u0646\u0686\u06d2 \u06a9\u06cc \u0627\u062f\u0627\u0626\u06cc\u06af\u06cc \u06a9\u06cc \u062c\u0627\u062a\u06cc \u06c1\u06d2\u06d4 \u0627\u06cc\u06a9 \u0627\u0648\u0631 \u06a9\u0627\u0645 \u06a9\u0627 \u0628\u0648\u062c\u06be \u0686\u0644\u0627\u0646\u06d2 \u06a9\u06cc \u0645\u0639\u0645\u0648\u0644\u06cc \u0644\u0627\u06af\u062a \u0628\u0646\u06cc\u0627\u062f\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0635\u0641\u0631 \u06c1\u06d2\u06d4<\/p>\n<p>\u067e\u06be\u0631 AI \u0644\u06c1\u0631 
\u0622\u0626\u06cc\u06d4<\/p>\n<p>\u0627\u0686\u0627\u0646\u06a9\u060c \u06c1\u0631 \u0679\u06cc\u0645 \u06a9\u0648 \u06af\u0631\u0627\u0641\u06a9\u0633 \u067e\u0631\u0648\u0633\u06cc\u0633\u0646\u06af \u06cc\u0648\u0646\u0679 (GPU) \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u062a\u06be\u06cc\u06d4 \u0635\u0631\u0641 \u0627\u06cc\u06a9 \u06cc\u0627 \u062f\u0648 \u0646\u06c1\u06cc\u06ba \u0628\u0644\u06a9\u06c1 \u062f\u0631\u062c\u0646\u0648\u06ba A100s \u062a\u0631\u0628\u06cc\u062a \u06a9\u06d2 \u0644\u06cc\u06d2\u060c \u0627\u0646\u0641\u0631\u0646\u0633 \u0627\u06cc\u0646\u0688 \u067e\u0648\u0627\u0626\u0646\u0679\u0633 \u06a9\u0627 \u0627\u06cc\u06a9 \u0633\u06cc\u0679\u060c \u0627\u0648\u0631 \u0627\u06cc\u06a9 \u0648\u06cc\u06a9\u0679\u0631 \u0688\u06cc\u0679\u0627 \u0628\u06cc\u0633 \u062c\u0633 \u06a9\u0627 \u0645\u0627\u0688\u0644 \u06a9\u06d2 \u0642\u0631\u06cc\u0628 \u06c1\u0648\u0646\u0627 \u0636\u0631\u0648\u0631\u06cc \u06c1\u06d2\u06d4 GPU \u0646\u0627\u06a9\u0627\u0641\u06cc \u06c1\u06d2\u06d4 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 GPU \u06c1\u0627\u0631\u0688\u0648\u06cc\u0626\u0631 \u06a9\u06d2 \u0644\u06cc\u0688 \u0679\u0627\u0626\u0645 \u0645\u06c1\u06cc\u0646\u0648\u06ba \u062a\u06a9 \u0628\u0691\u06be \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u0622\u067e \u06a9\u0627 \u06a9\u0644\u0627\u0624\u0688 \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u0627\u0633\u06d2 \u0645\u0646\u0679\u0648\u06ba \u0645\u06cc\u06ba \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u0646\u0627 \u0634\u0631\u0648\u0639 \u06a9\u0631 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u0627\u06cc\u06a9 \u0641\u0646 \u062a\u0639\u0645\u06cc\u0631 \u062c\u0648 \u062d\u0642\u06cc\u0642\u062a \u0645\u06cc\u06ba \u0645\u0639\u0627\u0634\u06cc \u0645\u0639\u0646\u06cc \u0631\u06a9\u06be\u062a\u0627 \u06c1\u06d2 \u06cc\u06c1 \u06c1\u0648\u06af\u0627:<\/p>\n<ul>\n<li>\n<p><strong>\u0622\u0646 
\u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0688\u06cc\u0679\u0627 \u0633\u06cc\u0646\u0679\u0631\u0632 \u06a9\u0645\u067e\u06cc\u0648\u0679\u0646\u06af \u06a9\u06cc \u0632\u06cc\u0627\u062f\u06c1 \u0645\u0642\u062f\u0627\u0631 \u06a9\u0648 \u0633\u0646\u0628\u06be\u0627\u0644\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/strong> &#8211; \u0648\u06cc\u0628 \u0633\u0631\u0648\u0631\u0632\u060c \u06a9\u0627\u0631\u0648\u0628\u0627\u0631\u06cc \u0645\u0646\u0637\u0642\u060c \u0688\u06cc\u0679\u0627 \u0628\u06cc\u0633\u060c \u0628\u06cc\u0686 \u067e\u0631\u0648\u0633\u06cc\u0633\u0646\u06af\u06d4 \u06cc\u06c1 \u06a9\u0645\u0648\u0688\u0679\u06cc \u06a9\u0645\u067e\u06cc\u0648\u0679\u0646\u06af \u06c1\u06d2 \u062c\u0648 \u067e\u06c1\u0644\u06d2 \u06c1\u06cc \u0627\u067e\u0646\u06d2 \u0644\u06cc\u06d2 \u0627\u062f\u0627\u0626\u06cc\u06af\u06cc \u06a9\u0631 \u0686\u06a9\u06cc \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<li>\n<p><strong>\u0628\u0627\u062f\u0644 \u0627\u0633 \u0628\u0627\u062a \u06a9\u0627 \u062e\u06cc\u0627\u0644 \u0631\u06a9\u06be\u062a\u0627 \u06c1\u06d2 \u06a9\u06c1 \u06a9\u06cc\u0627 \u06a9\u0645\u06cc \u06c1\u06d2\u06d4<\/strong> \u2014 GPU- \u0627\u06cc\u06a9\u0633\u0644\u0631\u06cc\u0679\u0688 \u0627\u0646\u0641\u0631\u0646\u0633\u060c \u0645\u0627\u0688\u0644 \u0679\u0631\u06cc\u0646\u0646\u06af\u060c \u0627\u0648\u0631 AI\/ML \u0627\u06cc\u0646\u0688 \u067e\u0648\u0627\u0626\u0646\u0679\u0633\u06d4 \u0641\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u0627\u062f\u0627\u0626\u06cc\u06af\u06cc \u06a9\u0631\u06cc\u06ba\u060c \u0636\u0631\u0648\u0631\u062a \u06a9\u06d2 \u0645\u0637\u0627\u0628\u0642 \u067e\u06cc\u0645\u0627\u0646\u06c1 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0648\u0631 \u06c1\u0627\u0631\u0688 \u0648\u06cc\u0626\u0631 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0628\u06be\u06cc \u0628\u06be\u06cc \u0686\u06be \u0645\u0627\u06c1 \u06a9\u0627 \u0627\u0646\u062a\u0638\u0627\u0631 \u0646\u06c1 
\u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<\/ul>\n<p>\u0628\u0627\u062f\u0644 \u0645\u06a9\u0645\u0644 \u0645\u0646\u062a\u0642\u0644\u06cc \u06a9\u0627 \u06c1\u062f\u0641 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0641\u0639\u0627\u0644\u06cc\u062a \u06a9\u06cc \u0627\u06cc\u06a9 \u062a\u0648\u0633\u06cc\u0639 \u06c1\u06d2 \u062c\u0633\u06d2 \u0622\u0633\u0627\u0646\u06cc \u0633\u06d2 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0646\u06c1\u06cc\u06ba \u0628\u0646\u0627\u06cc\u0627 \u062c\u0627 \u0633\u06a9\u062a\u0627\u06d4<\/p>\n<p>\u062a\u0627\u06c1\u0645\u060c \u06cc\u06c1 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u06a9\u0627\u0645 \u06a9\u06d2 \u0628\u0648\u062c\u06be \u06a9\u0648 \u06a9\u0644\u0627\u0624\u0688 \u0633\u0631\u0648\u0633\u0632 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0645\u0633\u062a\u0646\u062f \u06c1\u0648\u0646\u0627 \u0686\u0627\u06c1\u06cc\u06d2\u06d4 \u0622\u067e \u06a9\u06d2 \u0688\u06cc\u0679\u0627 \u0633\u06cc\u0646\u0679\u0631 \u0633\u06d2 Vertex AI \u0627\u06cc\u0646\u0688 \u067e\u0648\u0627\u0626\u0646\u0679 \u067e\u0631 \u06c1\u0631 API \u06a9\u0627\u0644\u060c GPU \u067e\u0631 \u0645\u0628\u0646\u06cc \u0627\u0646\u0641\u0631\u0646\u0633 \u0633\u0631\u0648\u0633 \u06a9\u0648 \u06c1\u0631 \u062f\u0631\u062e\u0648\u0627\u0633\u062a\u060c \u0627\u0648\u0631 \u0645\u0627\u0688\u0644 \u0622\u0631\u0679\u0641\u06cc\u06a9\u0679\u0633 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0644\u0627\u0624\u0688 \u0627\u0633\u0679\u0648\u0631\u06cc\u062c \u06a9\u0648 \u0644\u06a9\u06be\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u06c1\u0631 \u0627\u06cc\u06a9 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633\u0646\u0627\u062f \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u0648\u062a\u06cc \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0648\u06c1 \u0645\u0633\u0626\u0644\u06c1 \u06c1\u06d2 \u062c\u0633 \u06a9\u0648 \u0627\u0633 \u0645\u0636\u0645\u0648\u0646 \u0645\u06cc\u06ba \u062d\u0644 \u06a9\u06cc\u0627 \u06af\u06cc\u0627 
\u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-why-service-account-keys-fail-at-scale\">\u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc \u0686\u0627\u0628\u06cc\u0627\u06ba \u067e\u06cc\u0645\u0627\u0646\u06d2 \u067e\u0631 \u06a9\u06cc\u0648\u06ba \u0646\u0627\u06a9\u0627\u0645 \u06c1\u0648\u062a\u06cc \u06c1\u06cc\u06ba\u061f<\/h2>\n<p>\u06cc\u06c1\u0627\u06ba \u0627\u06cc\u06a9 \u0627\u06cc\u0633\u0627 \u0645\u0646\u0638\u0631 \u06c1\u06d2 \u062c\u0648 \u06c1\u0631 \u0631\u0648\u0632 \u06c1\u0632\u0627\u0631\u0648\u06ba \u06a9\u0627\u0631\u0648\u0628\u0627\u0631\u0648\u06ba \u06a9\u06d2 \u0633\u0627\u062a\u06be \u06c1\u0648\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u0622\u067e \u06a9\u06cc \u0688\u06cc\u0648\u0644\u067e\u0645\u0646\u0679 \u0679\u06cc\u0645 \u06a9\u0648 Google Cloud Storage \u067e\u0631 \u0644\u06a9\u06be\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06cc\u06a9 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u06cc\u067e\u0644\u06cc \u06a9\u06cc\u0634\u0646 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u06d4 &quot;\u0648\u0627\u0636\u062d&#8221; \u062d\u0644 \u06a9\u06cc\u0627 \u06c1\u06d2\u061f \u0627\u06cc\u06a9 GCP \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc \u06a9\u0644\u06cc\u062f \u0628\u0646\u0627\u0626\u06cc\u06ba\u060c \u0627\u0633\u06d2 \u0628\u06cc\u0633 64 \u0627\u0646\u06a9\u0648\u0688 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0633\u06d2 Kubernetes \u0633\u06cc\u06a9\u0631\u0679 \u0645\u06cc\u06ba \u0627\u0633\u0679\u0648\u0631 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0648\u0631 \u0627\u0633\u06d2 \u067e\u0648\u0688 \u067e\u0631 \u0644\u06af\u0627\u0626\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: gcp-credentials\ntype: Opaque\ndata:\n  key.json: eyJ0eXBlIjoic2VydmljZV9hY2NvdW50IiwicHJvamVjdF9pZCI6\u2026\n<\/code><\/pre>\n<p>\u06cc\u06c1 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 
\u06c1\u06d2\u06d4 \u0627\u0633 \u0633\u06d2 \u0633\u0646\u06af\u06cc\u0646 \u0645\u0633\u0627\u0626\u0644 \u0628\u06be\u06cc \u067e\u06cc\u062f\u0627 \u06c1\u0648\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<ul>\n<li>\n<p><strong>\u0627\u0633 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u06a9\u0628\u06be\u06cc \u062e\u062a\u0645 \u0646\u06c1\u06cc\u06ba \u06c1\u0648\u062a\u06cc\u06d4<\/strong> \u0648\u06c1 \u06a9\u0644\u06cc\u062f \u0627\u0633 \u0648\u0642\u062a \u062a\u06a9 \u0627\u0686\u06be\u06cc \u06c1\u06d2 \u062c\u0628 \u062a\u06a9 \u06a9\u06c1 \u06a9\u0648\u0626\u06cc \u0627\u0633\u06d2 \u062a\u0628\u062f\u06cc\u0644 \u06a9\u0631\u0646\u0627 \u06cc\u0627\u062f \u0646\u06c1 \u0631\u06a9\u06be\u06d2 (\u062c\u0648 \u0648\u06c1 \u0646\u06c1\u06cc\u06ba \u06a9\u0631\u062a\u06d2) \u06cc\u0627 \u062c\u0628 \u062a\u06a9 \u06cc\u06c1 \u062e\u0631\u0627\u0628 \u0646\u06c1 \u06c1\u0648 \u062c\u0627\u0626\u06d2 (\u062c\u0648 \u0648\u06c1 \u06a9\u0631\u06cc\u06ba \u06af\u06d2)\u06d4<\/p>\n<\/li>\n<li>\n<p><strong>\u06cc\u06c1 \u0622\u0633\u0627\u0646\u06cc \u0633\u06d2 \u0644\u06cc\u06a9 \u06c1\u0648 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4<\/strong> \u0627\u0633 namespace \u062a\u06a9 \u067e\u0691\u06be\u0646\u06d2 \u06a9\u06cc \u0631\u0633\u0627\u0626\u06cc \u0631\u06a9\u06be\u0646\u06d2 \u0648\u0627\u0644\u0627 \u06a9\u0648\u0626\u06cc \u0628\u06be\u06cc <code>kubectl get secret -o yaml<\/code> \u0686\u0644\u0627 \u06a9\u0631 \u0645\u0633\u062a\u0642\u0644 GCP \u0631\u0633\u0627\u0626\u06cc \u062d\u0627\u0635\u0644 \u06a9\u0631 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u060c \u06a9\u06cc\u0648\u0646\u06a9\u06c1 \u06cc\u06c1 \u06a9\u0645\u0627\u0646\u0688 Secret \u06a9\u0627 data \u0635\u0631\u0641 base64 \u0645\u06cc\u06ba \u0627\u0646\u06a9\u0648\u0688 \u0634\u062f\u06c1 \u062f\u06a9\u06be\u0627\u062a\u06cc \u06c1\u06d2\u060c \u0627\u0646\u06a9\u0631\u067e\u0679 \u0634\u062f\u06c1 \u0646\u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p><strong>\u0627\u0635\u0644 \u06a9\u0627\u0645 \u06a9\u06d2 \u0628\u0648\u062c\u06be \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0648\u0626\u06cc \u0622\u0688\u0679 \u0679\u0631\u06cc\u0644 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4<\/strong> GCP \u062f\u06cc\u06a9\u06be\u062a\u0627 \u06c1\u06d2 \u06a9\u06c1 &quot;\u0627\u0633 \u0628\u0627\u0644\u0679\u06cc 
\u062a\u06a9 \u0633\u0631\u0648\u0633-\u0627\u06a9\u0627\u0624\u0646\u0679-xyz \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u0631\u0633\u0627\u0626\u06cc \u062d\u0627\u0635\u0644 \u06a9\u06cc \u06af\u0626\u06cc \u062a\u06be\u06cc&#8221; \u06a9\u06d2 \u0628\u062c\u0627\u0626\u06d2 &quot;\u067e\u0648\u0688 \u0641\u0631\u0646\u0679 \u0627\u06cc\u0646\u0688-abc-123 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u067e\u0631\u0648\u0688\u06a9\u0634\u0646&#8221;\u06d4<\/p>\n<\/li>\n<li>\n<p><strong>\u06cc\u06c1 \u0628\u06c1\u062a \u0632\u06cc\u0627\u062f\u06c1 \u067e\u06be\u06cc\u0644\u062a\u0627 \u06c1\u06d2\u06d4<\/strong> 50 \u0679\u06cc\u0645\u06cc\u06ba \u00d7 3 \u0645\u0627\u062d\u0648\u0644 \u00d7 4 GCP \u067e\u0631\u0648\u062c\u06cc\u06a9\u0679\u0633 = 600 \u0686\u0627\u0628\u06cc\u0627\u06ba \u0679\u0631\u06cc\u06a9 \u06a9\u0631\u0646\u06d2 \u0627\u0648\u0631 \u06af\u06be\u0648\u0645\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2\u060c \u0627\u0645\u06cc\u062f \u06c1\u06d2 \u06a9\u06c1 \u06a9\u0628\u06be\u06cc \u0628\u06be\u06cc \u06af\u0679 \u06a9\u06d2 \u0644\u06cc\u06d2 \u067e\u0627\u0628\u0646\u062f \u0646\u06c1\u06cc\u06ba \u06c1\u0648\u06ba \u06af\u06d2\u06d4<\/p>\n<\/li>\n<\/ul>\n<p>\u0633\u06cc\u06a9\u0648\u0631\u0679\u06cc \u0679\u06cc\u0645\u06cc\u06ba \u06cc\u06c1 \u062c\u0627\u0646\u062a\u06cc \u06c1\u06cc\u06ba\u06d4 \u06cc\u06c1\u06cc \u0648\u062c\u06c1 \u06c1\u06d2 \u06a9\u06c1 \u0628\u06c1\u062a \u0633\u06cc \u062a\u0646\u0638\u06cc\u0645\u0648\u06ba \u0646\u06d2 \u06a9\u0627\u0631\u0631\u0648\u0627\u0626\u06cc \u06a9\u0627 \u0648\u0627\u062d\u062f \u0645\u0639\u0642\u0648\u0644 \u0637\u0631\u06cc\u0642\u06c1 \u0627\u062e\u062a\u06cc\u0627\u0631 \u06a9\u06cc\u0627 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u0644\u06cc\u062f\u06cc \u062c\u0646\u0631\u06cc\u0634\u0646 \u06a9\u0648 \u0645\u06a9\u0645\u0644 \u0637\u0648\u0631 \u067e\u0631 \u063a\u06cc\u0631 \u0641\u0639\u0627\u0644 
\u06a9\u0631 \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-how-the-accidental-air-gap-happens\">\u062d\u0627\u062f\u062b\u0627\u062a\u06cc \u0627\u06cc\u0626\u0631 \u06af\u06cc\u067e \u06a9\u06cc\u0633\u06d2 \u067e\u06cc\u062f\u0627 \u06c1\u0648\u062a\u0627 \u06c1\u06d2\u06d4<\/h2>\n<p>\u06a9\u0644\u06cc\u062f \u06a9\u06cc \u062a\u062e\u0644\u06cc\u0642 \u06a9\u0648 \u063a\u06cc\u0631 \u0641\u0639\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u0633\u06d2 \u0622\u067e \u06a9\u06d2 \u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u06a9\u0627 \u0645\u0633\u0626\u0644\u06c1 \u062d\u0644 \u0646\u06c1\u06cc\u06ba \u06c1\u0648\u062a\u0627 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0635\u0631\u0641 \u06a9\u0633\u06cc \u0627\u0648\u0631 \u06a9\u0627 \u0645\u0633\u0626\u0644\u06c1 \u0628\u0646 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4 \u0648\u06c1 \u06a9\u0648\u0626\u06cc \u0627\u0648\u0631 \u0639\u0627\u0645 \u0637\u0648\u0631 \u067e\u0631 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u0679\u06cc\u0645 \u06c1\u0648\u062a\u06cc \u06c1\u06d2 \u062c\u0648 Jira \u06a9\u06d2 \u0679\u06a9\u0679 \u06a9\u0648 \u06af\u06be\u0648\u0631 \u0631\u06c1\u06cc \u06c1\u06d2 \u062c\u0648 \u06a9\u06c1\u062a\u06cc \u06c1\u06d2 &quot;\u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0633\u06d2 GCP \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u060c P1\u060c \u0631\u06cc\u0644\u06cc\u0632 \u0628\u0644\u0627\u06a9 \u06c1\u06d2\u06d4&#8221;<\/p>\n<p>\u0646\u062a\u0627\u0626\u062c \u06a9\u06cc\u0627 \u06c1\u06cc\u06ba\u061f \u0622\u067e \u06a9\u0627 &quot;\u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645&#8221; \u0628\u0627\u0644\u06a9\u0644 \u0628\u06be\u06cc \u06c1\u0627\u0626\u0628\u0631\u0688 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u06cc\u06c1 \u062f\u0648 \u0645\u0646\u0642\u0637\u0639 \u0646\u0638\u0627\u0645 
\u06c1\u06cc\u06ba\u06d4<\/p>\n<p>\u0679\u06cc\u0645\u06cc\u06ba \u062b\u0627\u0644\u062b\u06cc \u062e\u062f\u0645\u0627\u062a\u060c API \u06af\u06cc\u0679 \u0648\u06cc\u0632 \u062c\u0648 \u067e\u0631\u0627\u06a9\u0633\u06cc \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u06a9\u0631\u062a\u06cc \u06c1\u06cc\u06ba\u060c \u06cc\u0627 \u067e\u06be\u0631 \u0628\u06be\u06cc \u0686\u0627\u0628\u06cc\u0627\u06ba \u062d\u0627\u0635\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u062a\u062e\u0644\u06cc\u0642\u06cc \u0637\u0631\u06cc\u0642\u06d2 \u062a\u0644\u0627\u0634 \u06a9\u0631\u0646\u06d2 \u06a9\u0627 \u0633\u06c1\u0627\u0631\u0627 \u0644\u06cc\u062a\u06cc \u06c1\u06cc\u06ba\u06d4 \u0627\u0646 \u0645\u06cc\u06ba \u0633\u06d2 \u06a9\u0648\u0626\u06cc \u0628\u06be\u06cc \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0688\u06a9\u0679 \u0679\u06cc\u067e \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-how-workload-identity-federation-bridges-the-gap\">\u0648\u0631\u06a9 \u0644\u0648\u0688 \u0622\u0626\u06cc\u0688\u06cc\u0646\u0679\u06cc \u0641\u06cc\u0688\u0631\u06cc\u0634\u0646 \u062e\u0644\u0627 \u06a9\u0648 \u06a9\u06cc\u0633\u06d2 \u067e\u064f\u0631 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u06d4<\/h2>\n<p>\u06c1\u0631 Kubernetes \u06a9\u0644\u0633\u0679\u0631 \u067e\u06c1\u0644\u06d2 \u0633\u06d2 \u06c1\u06cc \u06c1\u0631 Pod \u067e\u0631 \u062e\u0641\u06cc\u06c1 \u0637\u0648\u0631 \u067e\u0631 \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 ID \u0679\u0648\u06a9\u0646 \u062c\u0627\u0631\u06cc \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u0648\u0631 \u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u06a9\u06d2 \u067e\u0627\u0633 \u0627\u06cc\u0633\u06cc \u062e\u062f\u0645\u0627\u062a \u06c1\u06cc\u06ba \u062c\u0648 \u062e\u0627\u0635 \u0637\u0648\u0631 \u067e\u0631 \u0627\u0646 \u0679\u0648\u06a9\u0646\u0632 \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 
\u0644\u06cc\u06d2 \u0628\u0646\u0627\u0626\u06cc \u06af\u0626\u06cc \u06c1\u06cc\u06ba\u06d4<\/p>\n<p>\u06cc\u06c1 \u06c1\u06d2 <strong>\u0648\u0631\u06a9 \u0644\u0648\u0688 \u0622\u0626\u06cc\u0688\u06cc\u0646\u0679\u06cc \u0627\u0644\u0627\u0626\u0646\u0633<\/strong> \u2014 OpenID Connect (OIDC) \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0645\u0644 \u06a9\u0631\u060c \u06cc\u06c1 \u0648\u06c1 \u06af\u0645\u0634\u062f\u06c1 \u0679\u06a9\u0691\u0627 \u06c1\u06d2 \u062c\u0648 \u06c1\u0627\u0626\u0628\u0631\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u06a9\u0648 \u0648\u0627\u0642\u0639\u06cc \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u0627\u0633 \u0633\u0631\u0648\u0633 \u06a9\u0627 \u0646\u0627\u0645 \u0641\u06cc\u0688\u0631\u06cc\u0634\u0646 \u06a9\u06d2 \u0644\u0641\u0638 \u06a9\u06cc \u0648\u062c\u06c1 \u0633\u06d2 \u0631\u06a9\u06be\u0627 \u06af\u06cc\u0627 \u06c1\u06d2\u06d4 \u0627\u0633 \u06a9\u0627 \u0645\u0637\u0644\u0628 \u06c1\u06d2 \u06a9\u06c1 GCP \u0622\u067e \u06a9\u06cc \u0634\u0646\u0627\u062e\u062a \u06a9\u0648 \u0645\u062d\u0641\u0648\u0638 \u0646\u06c1\u06cc\u06ba \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u0633 \u06a9\u0627 \u0645\u0637\u0644\u0628 \u06cc\u06c1 \u06c1\u06d2 \u06a9\u06c1 \u0622\u067e \u06a9\u0633\u06cc \u062f\u0648\u0633\u0631\u06d2 \u0633\u0633\u0679\u0645 \u06a9\u06cc \u0637\u0631\u0641 \u0633\u06d2 \u062c\u0627\u0631\u06cc \u06a9\u0631\u062f\u06c1 \u0634\u0646\u0627\u062e\u062a \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u0646\u06d2 \u0633\u06d2 \u0627\u062a\u0641\u0627\u0642 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u062c\u0628 \u062a\u06a9 \u06a9\u06c1 \u0627\u0633 \u06a9\u06cc \u062e\u0641\u06cc\u06c1 \u0637\u0648\u0631 \u067e\u0631 \u062a\u0635\u062f\u06cc\u0642 \u06a9\u06cc \u062c\u0627 \u0633\u06a9\u06d2\u06d4 \u06cc\u06c1 \u0633\u0628 \u062f\u0631\u062c \u0630\u06cc\u0644 \u062a\u0631\u062a\u06cc\u0628 \u0645\u06cc\u06ba 
\u0627\u0646\u062a\u06c1\u0627\u0626\u06cc \u0645\u0631\u0628\u0648\u0637 \u0645\u0631\u0627\u062d\u0644 \u0645\u06cc\u06ba \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2:<\/p>\n<ol>\n<li>\n<p>Pods \u062c\u06cc \u0633\u06cc \u067e\u06cc \u0645\u06cc\u06ba \u0627\u06cc\u0633 \u0679\u06cc \u0627\u06cc\u0633 \u06a9\u06d2 \u0627\u062e\u062a\u062a\u0627\u0645\u06cc \u0646\u0642\u0637\u06c1 \u067e\u0631 Kubernetes \u06a9\u06cc \u0637\u0631\u0641 \u0633\u06d2 \u062c\u0627\u0631\u06cc \u06a9\u0631\u062f\u06c1 JWT \u06a9\u06cc \u062e\u062f\u0645\u062a \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>STS \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba \u0639\u0648\u0627\u0645\u06cc JWKS \u06a9\u06d2 \u062e\u0644\u0627\u0641 \u062f\u0633\u062a\u062e\u0637 \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<li>\n<p>STS \u06a9\u0627\u0645 \u0628\u0648\u062c\u06be \u0634\u0646\u0627\u062e\u062a\u06cc \u067e\u0648\u0644 (\u0679\u0627\u0631\u06af\u0679\u060c \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1\u060c CEL \u0634\u0631\u0627\u0626\u0637) \u06a9\u06d2 \u0642\u0648\u0627\u0639\u062f \u06a9\u06d2 \u062e\u0644\u0627\u0641 JWT \u06a9\u06d2 \u062f\u0639\u0648\u0648\u06ba \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<li>\n<p>STS \u0627\u06cc\u06a9 \u0642\u0644\u06cc\u0644 \u0627\u0644\u0645\u062f\u062a \u06af\u0648\u06af\u0644 \u0627\u06cc\u06a9\u0633\u06cc\u0633 \u0679\u0648\u06a9\u0646 (\u0639\u0627\u0645 \u0637\u0648\u0631 \u067e\u0631 1 \u06af\u06be\u0646\u0679\u06c1) \u0644\u0648\u0679\u0627\u062a\u0627 \u06c1\u06d2 \u062c\u0633\u06d2 \u067e\u0648\u0688 API \u06a9\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<\/ol>\n<p>\u06cc\u06c1 \u0628\u0627\u062a \u0628\u06be\u06cc \u0642\u0627\u0628\u0644 
\u0630\u06a9\u0631 \u06c1\u06d2 \u06a9\u06c1 Workload Identity Federation \u0635\u0631\u0641 Kubernetes \u062a\u06a9 \u0645\u062d\u062f\u0648\u062f \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 AWS IAM\u060c Azure AD\u060c GitHub Actions OIDC\u060c \u0627\u0648\u0631 \u06a9\u0633\u06cc \u0628\u06be\u06cc OIDC \u0633\u06d2 \u0645\u0637\u0627\u0628\u0642\u062a \u0631\u06a9\u06be\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u0634\u0646\u0627\u062e\u062a \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-how-kubernetes-identity-works\">Kubernetes ID \u06a9\u06cc\u0633\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u06d4<\/h2>\n<p>\u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u0648\u0627\u0644\u06d2 \u062a\u0645\u0627\u0645 \u067e\u0648\u0688\u0632 \u062e\u0648\u062f \u0628\u062e\u0648\u062f JSON \u0648\u06cc\u0628 \u0679\u0648\u06a9\u0646 (JWT) \u06a9\u0648 \u0645\u0627\u0624\u0646\u0679 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 <code>\/run\/secrets\/kubernetes.io\/serviceaccount\/token<\/code>. 
\u06cc\u06c1 \u0635\u0631\u0641 \u0627\u06cc\u06a9 \u0645\u0628\u06c1\u0645 \u062f\u0627\u063a \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u060c \u06cc\u06c1 \u0627\u06cc\u06a9 \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u0634\u0646\u0627\u062e\u062a \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-json\">{\n  \"iss\": \"https:\/\/kubernetes.default.svc.cluster.local\",\n  \"sub\": \"system:serviceaccount:production:backend-api\",\n  \"aud\": [\"https:\/\/iam.googleapis.com\/...\"],\n  \"kubernetes.io\": {\n    \"namespace\": \"production\",\n    \"serviceaccount\": {\n      \"name\": \"backend-api\"\n    }\n  },\n  \"exp\": 1735689600\n}\n<\/code><\/pre>\n<p>JWT \u0645\u06cc\u06ba\u060c \u062f\u0639\u0648\u06d2 \u0679\u0648\u06a9\u0646 \u067e\u06d2 \u0644\u0648\u0688 \u06a9\u06d2 \u0627\u0646\u062f\u0631 \u0635\u0631\u0641 \u06a9\u0644\u06cc\u062f\u06cc \u0642\u062f\u0631 \u06a9\u06d2 \u062c\u0648\u0691\u06d2 \u06c1\u06cc\u06ba\u06d4 \u06c1\u0631 \u062f\u0639\u0648\u06cc\u0670 \u0627\u06cc\u06a9 \u062f\u0639\u0648\u06cc\u0670 \u06c1\u06d2 \u062c\u0648 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0633\u06cc \u0645\u0648\u0636\u0648\u0639 \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u0633 \u06a9\u0648 \u0627\u06cc\u06a9 \u062d\u0642\u06cc\u0642\u062a \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0633\u0648\u0686\u06cc\u06ba \u06a9\u06c1 \u0679\u0648\u06a9\u0646 \u06a9\u0627 \u062f\u0639\u0648\u06cc\u0670 \u06c1\u06d2 \u0627\u0648\u0631 \u0627\u0633 \u067e\u0631 \u062e\u0641\u06cc\u06c1 \u0637\u0648\u0631 \u067e\u0631 \u062f\u0633\u062a\u062e\u0637 \u06a9\u06cc\u06d2 \u06af\u0626\u06d2 \u06c1\u06cc\u06ba \u062a\u0627\u06a9\u06c1 \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0646\u0646\u062f\u06c1 \u0627\u0633 \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631 \u0633\u06a9\u06d2\u06d4<\/p>\n<p>\u06a9\u0644\u06cc\u062f\u06cc \u0628\u0635\u06cc\u0631\u062a: \u06cc\u06c1 
\u0679\u0648\u06a9\u0646 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06cc \u062c\u0627\u0646\u0628 \u0633\u06d2 \u062f\u0633\u062a\u062e\u0637 \u0634\u062f\u06c1 \u06c1\u06d2\u060c \u0627\u0648\u0631 JSON Web Key Set (JWKS) \u06a9\u06d2 \u0627\u062e\u062a\u062a\u0627\u0645\u06cc \u0646\u0642\u0637\u06c1 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u0638\u0627\u06c1\u0631 \u06a9\u06cc \u06af\u0626\u06cc \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06cc \u0639\u0648\u0627\u0645\u06cc \u06a9\u0644\u06cc\u062f \u06a9\u06d2 \u0633\u0627\u062a\u06be \u06a9\u0648\u0626\u06cc \u0628\u06be\u06cc \u0627\u0633 \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl get --raw \/openid\/v1\/jwks\n<\/code><\/pre>\n<p>\u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u06a9\u06cc \u0633\u06cc\u06a9\u06cc\u0648\u0631\u0679\u06cc \u0679\u0648\u06a9\u0646 \u0633\u0631\u0648\u0633 (STS) \u0627\u0646 \u0679\u0648\u06a9\u0646\u0632 \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631 \u0633\u06a9\u062a\u06cc \u06c1\u06d2\u06d4 \u0686\u0627\u0628\u06cc\u0648\u06ba \u06a9\u0627 \u062a\u0628\u0627\u062f\u0644\u06c1 \u0646\u06c1\u06cc\u06ba \u06c1\u0648\u062a\u0627 \u06c1\u06d2\u06d4 \u06a9\u0648\u0626\u06cc \u0631\u0627\u0632 \u0630\u062e\u06cc\u0631\u06c1 \u0646\u06c1\u06cc\u06ba \u06a9\u06cc\u0627 \u062c\u0627\u062a\u0627\u06d4 \u06cc\u06c1 \u0635\u0631\u0641 \u0634\u0646\u0627\u062e\u062a \u06a9\u0627 \u0627\u06cc\u06a9 \u06a9\u0631\u067e\u0679\u0648\u06af\u0631\u0627\u0641\u06a9 \u062b\u0628\u0648\u062a \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-how-to-prepare-google-cloud-platform-resources\">\u0627\u067e\u0646\u06d2 \u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u06a9\u06d2 \u0648\u0633\u0627\u0626\u0644 \u06a9\u06cc\u0633\u06d2 \u062a\u06cc\u0627\u0631 \u06a9\u0631\u06cc\u06ba\u06d4<\/h2>\n<p>\u06a9\u0627\u0645 \u06a9\u0627 
\u0628\u0648\u062c\u06be \u0634\u0646\u0627\u062e\u062a\u06cc \u067e\u0648\u0644 \u0627\u06cc\u06a9 \u0627\u0639\u062a\u0645\u0627\u062f \u06a9\u06cc \u062d\u062f \u06c1\u06d2\u060c \u06cc\u06c1 \u0627\u06cc\u06a9 \u0627\u0639\u0644\u0627\u0646 \u06c1\u06d2 \u06a9\u06c1 &quot;\u06c1\u0645 \u0628\u06cc\u0631\u0648\u0646\u06cc \u0630\u0631\u0627\u0626\u0639 \u0633\u06d2 \u0634\u0646\u0627\u062e\u062a \u0642\u0628\u0648\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4&#8221; OIDC \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0646\u0641\u06cc\u06af\u0631 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u06a9\u06c1 \u0627\u0633 \u0634\u0646\u0627\u062e\u062a \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u06cc\u0633\u06d2 \u06a9\u06cc \u062c\u0627\u062a\u06cc \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-hcl\">resource \"google_iam_workload_identity_pool\" \"pool\" {\n  workload_identity_pool_id = \"hybrid-platform-pool\"\n  project                   = \"my-project\"\n}\n\nresource \"google_iam_workload_identity_pool_provider\" \"k8s_provider\" {\n  project                            = \"my-project\"\n  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id\n  workload_identity_pool_provider_id = \"on-prem-cluster\"\n\n  attribute_mapping = {\n    \"google.subject\"      = \"assertion.sub\"\n    \"attribute.namespace\" = \"assertion['kubernetes.io']['namespace']\"\n  }\n\n  attribute_condition = \"attribute.namespace in [\\\"production\\\", \\\"staging\\\"]\"\n\n  oidc {\n    issuer_uri = \"https:\/\/kubernetes.default.svc.cluster.local\"\n    jwks_json  = file(\"jwks.json\")  # Your cluster's public keys\n  }\n}\n<\/code><\/pre>\n<p>\u06cc\u06c1\u0627\u06ba \u062f\u0648 \u0628\u0627\u062a\u06cc\u06ba \u0642\u0627\u0628\u0644 \u063a\u0648\u0631 \u06c1\u06cc\u06ba:<\/p>\n<ol>\n<li>\n<p><code>attribute_mapping<\/code>    Kubernetes JWT \u0633\u06d2 \u062f\u0639\u0648\u06d2 
\u0646\u06a9\u0627\u0644\u062a\u0627 \u06c1\u06d2 \u0627\u0648\u0631 \u0627\u0646\u06c1\u06cc\u06ba GCP \u067e\u0631\u0627\u067e\u0631\u0679\u06cc\u0632 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u062f\u0633\u062a\u06cc\u0627\u0628 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 <code>assertion['kubernetes.io']['namespace']<\/code> \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2\u060c \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 (namespace) \u0631\u0633\u0627\u0626\u06cc \u06a9\u0646\u0679\u0631\u0648\u0644 \u0645\u06cc\u06ba \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0646\u06a9\u0627\u0644\u06cc \u062c\u0627\u062a\u06cc \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<li>\n<p><code>attribute_condition<\/code>    \u06cc\u06c1 \u0648\u06c1 \u062c\u06af\u06c1 \u06c1\u06d2 \u062c\u06c1\u0627\u06ba \u0633\u06cc\u06a9\u06cc\u0648\u0631\u0679\u06cc \u067e\u0627\u0644\u06cc\u0633\u06cc \u0632\u0646\u062f\u06af\u06cc \u0645\u06cc\u06ba \u0622\u062a\u06cc \u06c1\u06d2\u06d4 \u0627\u0633 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u0645\u0632\u06cc\u062f \u062a\u0641\u0635\u06cc\u0644\u0627\u062a \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06af\u0644\u0627 \u062d\u0635\u06c1 \u062f\u06cc\u06a9\u06be\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<\/ol>\n<h2 id=\"heading-how-to-use-cel-for-fine-grained-access-control\">\u0639\u0645\u062f\u06c1 \u0631\u0633\u0627\u0626\u06cc \u06a9\u0646\u0679\u0631\u0648\u0644 \u06a9\u06d2 \u0644\u06cc\u06d2 CEL \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u06cc\u0633\u06d2 \u06a9\u0631\u06cc\u06ba\u06d4<\/h2>\n<p><code>attribute_condition<\/code> \u0641\u06cc\u0644\u0688 \u06a9\u0627\u0645\u0646 \u0627\u06cc\u06a9\u0633\u067e\u0631\u06cc\u0634\u0646 \u0644\u06cc\u0646\u06af\u0648\u06cc\u062c (CEL) \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u06d4 \u06cc\u06c1 
\u0648\u0627\u062d\u062f \u067e\u0627\u0644\u06cc\u0633\u06cc \u0644\u0627\u0626\u0646 \u062f\u0631\u062c\u0646\u0648\u06ba \u0634\u0646\u0627\u062e\u062a \u0627\u0648\u0631 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06d2 \u0627\u0646\u062a\u0638\u0627\u0645 (IAM) \u0628\u0627\u0626\u0646\u0688\u0646\u06af \u06a9\u0648 \u0628\u062f\u0644 \u0633\u06a9\u062a\u06cc \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-plaintext\">attribute.namespace in [\"production\", \"staging\"]\n<\/code><\/pre>\n<p>\u0627\u0633 \u062d\u0627\u0644\u062a \u0645\u06cc\u06ba\u060c \u0641\u0648\u0631\u0688 <code>kube-system<\/code> \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0631 \u0628\u0627\u0644\u06a9\u0644 \u0628\u06be\u06cc \u062a\u0635\u062f\u06cc\u0642 \u0646\u06c1\u06cc\u06ba \u06a9\u0631 \u0633\u06a9\u062a\u06cc\u06d4 \u0679\u0648\u06a9\u0646 \u0627\u06cc\u06a9\u0633\u0686\u06cc\u0646\u062c \u06a9\u0648 \u0645\u0633\u062a\u0631\u062f \u06a9\u0631 \u062f\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2 \u0627\u0633 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u06a9\u06c1 \u0645\u06cc\u06ba IAM \u0633\u06d2 \u0631\u0627\u0628\u0637\u06c1 \u06a9\u0631 \u0633\u06a9\u0648\u06ba\u06d4<\/p>\n<p>\u06cc\u06c1 \u0632\u06cc\u0627\u062f\u06c1 \u0648\u0633\u06cc\u0639 \u06c1\u0648 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-plaintext\">\/\/ Only production namespace, and only specific service accounts\nattribute.namespace == \"production\" &&\n  attribute.service_account in [\"payment-processor\", \"order-service\"]\n\n\/\/ Allow staging, but only during business hours\nattribute.namespace == \"staging\" &&\n  request.time.getHours(\"America\/New_York\") >= 9 &&\n  request.time.getHours(\"America\/New_York\") < 17\n<\/code><\/pre>\n<p>\u06cc\u06c1 \u06af\u06c1\u0631\u0627\u0626\u06cc \u0645\u06cc\u06ba \u062f\u0641\u0627\u0639 \u06c1\u06d2. 
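\u0627\u06af\u0631 \u06a9\u0648\u0626\u06cc \u0628\u062f\u0645\u0639\u0627\u0634 \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u0628\u0646\u0627 \u0644\u06d2 \u06cc\u0627 <code>kubectl<\/code> \u0631\u0633\u0627\u0626\u06cc \u062d\u0627\u0635\u0644 \u06a9\u0631 \u0644\u06d2\u060c \u062a\u0628 \u0628\u06be\u06cc \u0648\u06c1 GCP \u067e\u0631 \u062a\u0648\u062b\u06cc\u0642 \u0646\u06c1\u06cc\u06ba \u06a9\u0631 \u0633\u06a9\u062a\u0627 \u062c\u0628 \u062a\u06a9 \u06a9\u06c1 \u0648\u06c1 CEL \u06a9\u06cc \u0634\u0631\u0637 \u067e\u0648\u0631\u06cc \u0646\u06c1 \u06a9\u0631\u06d2\u06d4 \u0688\u06cc\u0648\u0644\u067e\u0631\u0632 \u0633\u06d2 \u0627\u0633 \u06a9\u06cc \u067e\u0627\u0644\u06cc\u0633\u06cc\u0648\u06ba \u067e\u0631 \u0639\u0645\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u062a\u0648\u0642\u0639 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0628\u062c\u0627\u0626\u06d2\u060c Google \u06a9\u06d2 \u0628\u0646\u06cc\u0627\u062f\u06cc \u0688\u06be\u0627\u0646\u0686\u06d2 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u062d\u0641\u0627\u0638\u062a\u06cc \u062d\u062f\u0648\u062f \u06a9\u0648 \u0646\u0627\u0641\u0630 \u06a9\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4 \u0646\u0648\u0679: \u0627\u0648\u067e\u0631 \u06a9\u06cc \u0645\u062b\u0627\u0644 \u0645\u06cc\u06ba <code>attribute.service_account<\/code> \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06c1\u0648\u0627 \u06c1\u06d2\u060c \u0645\u06af\u0631 \u067e\u06c1\u0644\u06d2 \u062f\u06a9\u06be\u0627\u0626\u06cc \u06af\u0626\u06cc <code>attribute_mapping<\/code> \u0635\u0631\u0641 <code>google.subject<\/code> \u0627\u0648\u0631 <code>attribute.namespace<\/code> \u06a9\u0648 \u0645\u06cc\u067e \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u061b \u0627\u0633 \u0634\u0631\u0637 \u06a9\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u0633 attribute \u06a9\u06cc \u0645\u06cc\u067e\u0646\u06af \u0628\u06be\u06cc \u0634\u0627\u0645\u0644 \u06a9\u0631\u0646\u0627 \u06c1\u0648\u06af\u06cc\u06d4 <code>request.time<\/code> \u0648\u0627\u0644\u06cc \u0634\u0631\u0637 \u06a9\u06d2 \u0644\u06cc\u06d2 \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631 \u0644\u06cc\u06ba \u06a9\u06c1 \u06cc\u06c1 \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u06cc <code>attribute_condition<\/code> \u0645\u06cc\u06ba \u062f\u0633\u062a\u06cc\u0627\u0628 \u06c1\u06d2\u061b \u0628\u0635\u0648\u0631\u062a \u062f\u06cc\u06af\u0631 \u0627\u0633\u06d2 IAM \u0628\u0627\u0626\u0646\u0688\u0646\u06af \u06a9\u06cc \u0634\u0631\u0637 \u0645\u06cc\u06ba \u0631\u06a9\u06be\u06cc\u06ba\u06d4<\/p>\n<h2 id=\"heading-how-to-inject-credentials-automatically-with-kyverno\">Kyverno \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u0627\u0633\u0646\u0627\u062f \u06a9\u06cc\u0633\u06d2 \u0644\u06af\u0627\u0626\u06cc\u06ba\u06d4<\/h2>\n<p>\u0648\u0631\u06a9\u0646\u06af \u0634\u0646\u0627\u062e\u062a\u06cc \u0627\u062a\u062d\u0627\u062f \u06a9\u0627 \u06c1\u0648\u0646\u0627 \u0635\u0631\u0641 \u0622\u062f\u06be\u06cc \u062c\u0646\u06af \u06c1\u06d2\u06d4 \u0635\u0627\u0631\u0641\u06cc\u0646 \u0627\u0648\u0631 \u0688\u0648\u06cc\u0644\u067e\u0631\u0632 \u06a9\u0648 OIDC\u060c STS\u060c \u06cc\u0627 \u0627\u0633\u0646\u0627\u062f \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u0641\u0627\u0626\u0644\u0648\u06ba 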
\u06a9\u0648 \u0633\u0645\u062c\u06be\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u0627\u0646\u06c1\u06cc\u06ba \u0627\u06cc\u067e \u06a9\u0648 \u062a\u0639\u06cc\u0646\u0627\u062a \u06a9\u0631\u0646\u06d2 \u0627\u0648\u0631 \u0627\u0633\u06d2 \u06a9\u0627\u0645 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u06d4<\/p>\n<p>\u0627\u0633 \u0633\u06d2 \u067e\u06c1\u0644\u06d2 \u06a9\u06c1 \u06c1\u0645 \u0622\u0679\u0648\u0645\u06cc\u0634\u0646 \u067e\u0631 \u067e\u06c1\u0646\u0686\u06cc\u06ba\u060c \u06cc\u06c1 \u062a\u0648\u0642\u0641 \u06a9\u06d2 \u0642\u0627\u0628\u0644 \u06c1\u06d2\u06d4 <em>\u0627\u0633\u0646\u0627\u062f \u06a9\u06cc \u062a\u0631\u062a\u06cc\u0628 \u06a9\u06cc \u0641\u0627\u0626\u0644<\/em> \u062f\u0631\u0627\u0635\u0644 - \u06a9\u06cc\u0648\u0646\u06a9\u06c1 \u0646\u0627\u0645 \u062a\u06be\u0648\u0691\u0627 \u06af\u0645\u0631\u0627\u06c1 \u06a9\u0646 \u06c1\u06d2\u06d4<\/p>\n<p>\u06a9\u0631\u06cc\u0688\u06cc\u0646\u0634\u0644 \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u0641\u0627\u0626\u0644\u0632 (\u062c\u0633\u06d2 \"\u0628\u06cc\u0631\u0648\u0646\u06cc \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646\" \u06cc\u0627 \"ADC \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646\" \u0628\u06be\u06cc \u06a9\u06c1\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2) \u0686\u06be\u0648\u0679\u06cc JSON \u062f\u0633\u062a\u0627\u0648\u06cc\u0632\u0627\u062a \u06c1\u06cc\u06ba \u062c\u0648 \u06af\u0648\u06af\u0644 \u06a9\u06cc \u06a9\u0644\u0627\u0626\u0646\u0679 \u0644\u0627\u0626\u0628\u0631\u06cc\u0631\u06cc\u0648\u06ba \u06a9\u0648 \u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u062a\u06cc \u06c1\u06cc\u06ba\u06d4 <strong>\u062d\u0627\u0635\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u0626\u06d2 \u06a9\u0633 \u0637\u0631\u062d<\/strong> \u0631\u0646 
\u0679\u0627\u0626\u0645 \u067e\u0631 \u0627\u0633\u0646\u0627\u062f\u06d4 \u06cc\u06c1 \u0627\u067e\u0646\u06d2 \u0622\u067e \u0645\u06cc\u06ba \u0633\u0646\u062f <strong>\u0646\u06c1\u06cc\u06ba<\/strong> \u06c1\u06d2\u06d4 \u0622\u067e \u0627\u0635\u0644 \u0641\u0627\u0626\u0644 \u0627\u0633 \u0645\u0636\u0645\u0648\u0646 \u0645\u06cc\u06ba \u0628\u0639\u062f \u0645\u06cc\u06ba \u062f\u06cc\u06a9\u06be \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u0627\u0633 \u0645\u06cc\u06ba \u06a9\u0648\u0626\u06cc \u0631\u0627\u0632 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u060c \u0635\u0631\u0641 \u0645\u06cc\u0679\u0627 \u0688\u06cc\u0679\u0627 \u06c1\u06d2: \u06a9\u0627\u0645 \u06a9\u0627 \u0628\u0648\u062c\u06be \u0634\u0646\u0627\u062e\u062a\u06cc \u067e\u0648\u0644 \u06a9\u0627 \u06c1\u062f\u0641 (audience)\u060c STS \u0679\u0648\u06a9\u0646 \u0627\u06cc\u06a9\u0633\u0686\u06cc\u0646\u062c \u0627\u06cc\u0646\u0688 \u067e\u0648\u0627\u0626\u0646\u0679\u060c \u0633\u0648\u0631\u0633 \u0679\u0648\u06a9\u0646 \u06a9\u06cc \u0642\u0633\u0645\u060c \u0627\u0648\u0631 \u067e\u0648\u0688 \u06a9\u06d2 \u0641\u0627\u0626\u0644 \u0633\u0633\u0679\u0645 \u06a9\u0627 \u0648\u06c1 \u0631\u0627\u0633\u062a\u06c1 \u062c\u06c1\u0627\u06ba \u0627\u0635\u0644 (\u0642\u0644\u06cc\u0644 \u0627\u0644\u0645\u062f\u062a) Kubernetes ServiceAccount \u0679\u0648\u06a9\u0646 \u0648\u0627\u0642\u0639 \u06c1\u06d2\u06d4<\/p>\n<p>\u0627\u0633 \u06a9\u0627 \u0645\u0648\u0627\u0632\u0646\u06c1 \u0627\u067e\u0646\u06cc \u0645\u0648\u062c\u0648\u062f\u06c1 \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u0644\u06cc\u062f \u0633\u06d2 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<table>\n<thead>\n<tr>\n<th\/>\n<th>\u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc \u06a9\u0644\u06cc\u062f (<code>key.json<\/code>)<\/th>\n<th>\u0627\u0633\u0646\u0627\u062f \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u06ba 
(<code>credential-configuration.json<\/code>)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u0641\u0627\u0626\u0644 \u0645\u06cc\u06ba \u06a9\u06cc\u0627 \u06c1\u06d2\u061f<\/td>\n<td>RSA \u0646\u062c\u06cc \u06a9\u0644\u06cc\u062f \u06c1\u06d2\u06d4 <em>\u06c1\u06d2<\/em> \u0627\u0633\u0646\u0627\u062f<\/td>\n<td>\u0628\u06cc\u0631\u0648\u0646\u06cc \u0679\u0648\u06a9\u0646 \u0627\u06cc\u06a9\u0633\u0686\u06cc\u0646\u062c \u06a9\u06cc \u06c1\u062f\u0627\u06cc\u0627\u062a<\/td>\n<\/tr>\n<tr>\n<td>\u062e\u0641\u06cc\u06c1 \u0688\u06cc\u0679\u0627 \u06a9\u06cc \u0632\u0646\u062f\u06af\u06cc<\/td>\n<td>\u06c1\u0645\u06cc\u0634\u06c1 \u06a9\u06d2 \u0644\u06cc\u06d2 \u062c\u0628 \u062a\u06a9 \u062f\u0633\u062a\u06cc \u0637\u0648\u0631 \u067e\u0631 \u06af\u06be\u0645\u0627\u06cc\u0627 \u0646\u06c1 \u062c\u0627\u0626\u06d2\u06d4<\/td>\n<td>\u0645\u0627\u062e\u0630 \u0679\u0648\u06a9\u0646 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u06af\u06be\u0645\u0627\u0626\u06d2 \u062c\u0627\u062a\u06d2 \u06c1\u06cc\u06ba (~1 \u06af\u06be\u0646\u0679\u06c1 TTL)\u06d4<\/td>\n<\/tr>\n<tr>\n<td>\u0627\u06af\u0631 \u0622\u067e \u06a9\u06cc \u0641\u0627\u0626\u0644\u06cc\u06ba \u0644\u06cc\u06a9 \u06c1\u0648 \u062c\u0627\u062a\u06cc \u06c1\u06cc\u06ba\u06d4<\/td>\n<td>GCP \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679\u0633 \u062a\u06a9 \u0637\u0648\u06cc\u0644 \u0645\u062f\u062a\u06cc \u0631\u0633\u0627\u0626\u06cc<\/td>\n<td>\u0628\u0630\u0627\u062a \u062e\u0648\u062f \u0628\u06cc\u06a9\u0627\u0631 \u06c1\u06d2\u06d4 \u0627\u06cc\u06a9 \u0679\u0648\u06a9\u0646 \u06a9\u06cc \u0637\u0631\u0641 \u0627\u0634\u0627\u0631\u06c1 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u062c\u0633\u06d2 \u0635\u0631\u0641 \u067e\u0648\u0688 \u067e\u0691\u06be \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr>\n<td>\u0634\u0646\u0627\u062e\u062a \u0645\u0627\u0688\u0644<\/td>\n<td>\u0628\u0631\u0627\u06c1 \u0631\u0627\u0633\u062a GCP \u0633\u0631\u0648\u0633 
\u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc \u0646\u0642\u0627\u0644\u06cc \u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<td>\u0628\u06cc\u0631\u0648\u0646\u06cc \u0634\u0646\u0627\u062e\u062a\u0648\u06ba \u06a9\u0648 STS \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 GCP \u0645\u06cc\u06ba \u0636\u0645 \u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr>\n<td>\u0648\u06c1 \u0634\u062e\u0635 \u062c\u0648 \u06af\u0631\u062f\u0634 \u06a9\u0648 \u0633\u0646\u0628\u06be\u0627\u0644\u062a\u0627 \u06c1\u06d2\u06d4<\/td>\n<td>\u0627\u0646\u0633\u0627\u0646 (\u06cc\u0627 \u06a9\u0648\u0626\u06cc \u0646\u06c1\u06cc\u06ba)<\/td>\n<td>Kubernetes API \u0633\u0631\u0648\u0631 \u0634\u0641\u0627\u0641 \u0637\u0631\u06cc\u0642\u06d2 \u0633\u06d2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u062f\u0648\u0646\u0648\u06ba \u0641\u0627\u0626\u0644\u0648\u06ba \u0645\u06cc\u06ba \u0627\u0633 \u06a9\u0627 \u062d\u0648\u0627\u0644\u06c1 \u062f\u06cc\u0627 \u06af\u06cc\u0627 \u06c1\u06d2\u06d4 <code>GOOGLE_APPLICATION_CREDENTIALS<\/code> \u0627\u06af\u0631\u0686\u06c1 \u0648\u06c1 \u0627\u06cc\u06a9 \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u06a9\u06d2 \u0646\u0642\u0637\u06c1 \u0646\u0638\u0631 \u0633\u06d2 \u0642\u0627\u0628\u0644 \u062a\u0628\u0627\u062f\u0644\u06c1 \u0645\u0639\u0644\u0648\u0645 \u06c1\u0648\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u0644\u06cc\u06a9\u0646 \u0627\u0646 \u0645\u06cc\u06ba \u0633\u06d2 \u0635\u0631\u0641 \u0627\u06cc\u06a9 \u06a9\u0648 \u06a9\u06be\u0648\u0646\u0627 \u062e\u0637\u0631\u0646\u0627\u06a9 \u06c1\u06d2\u06d4 \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u0641\u0627\u0626\u0644\u06cc\u06ba \u06a9\u0646\u0641\u06cc\u06af \u0645\u06cc\u067e \u0645\u06cc\u06ba \u0628\u06be\u06cc\u062c\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0645\u062d\u0641\u0648\u0638 \u06c1\u06cc\u06ba \u06a9\u06cc\u0648\u0646\u06a9\u06c1 \u0686\u0648\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0686\u06be \u0646\u06c1\u06cc\u06ba 
\u06c1\u06d2\u06d4<\/p>\n<p>ConfigMap \u0645\u06cc\u06ba \u0627\u0633 \u0641\u0627\u0626\u0644 \u06a9\u0627 \u06c1\u0648\u0646\u0627 \u0622\u062f\u06be\u0627 \u062d\u0644 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u06a9\u0627\u0645 \u06a9\u06d2 \u0628\u0648\u062c\u06be \u06a9\u06d2 \u067e\u0648\u0688 \u0645\u06cc\u06ba \u062e\u062a\u0645 \u06c1\u0648\u0646\u0627 \u0686\u0627\u06c1\u0626\u06d2 \u062c\u0633\u06d2 \u0627\u0635\u0644 \u0645\u06cc\u06ba GCP \u062e\u062f\u0645\u0627\u062a \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0648\u06c1 \u062c\u06af\u06c1 \u06c1\u06d2 \u062c\u06c1\u0627\u06ba Kyverno \u06a9\u06be\u06cc\u0644 \u0645\u06cc\u06ba \u0622\u062a\u0627 \u06c1\u06d2\u06d4 \u0627\u06cc\u06a9 \u0648\u0627\u062d\u062f \u06a9\u0644\u0633\u0679\u0631 \u067e\u0627\u0644\u06cc\u0633\u06cc \u0622\u067e \u06a9\u06cc \u067e\u0648\u0688 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06a9\u06cc \u06c1\u0631 \u0686\u06cc\u0632 \u06a9\u0648 \u062e\u0648\u062f \u0628\u062e\u0648\u062f \u0627\u0646\u062c\u06cc\u06a9\u0634\u0646 \u062f\u06cc\u062a\u06cc \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-yaml\">apiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n  name: workload-identity-federation\nspec:\n  rules:\n    - name: inject-gcp-credentials\n      match:\n        any:\n          - resources:\n              kinds:\n                - Deployment\n              selector:\n                matchLabels:\n                  workload-identity-federation: \"enabled\"\n      mutate:\n        patchStrategicMerge:\n          spec:\n            template:\n              spec:\n                volumes:\n                  - name: workload-identity-credential-configuration\n                    configMap:\n                      name: workload-identity-federation-config\n                containers:\n                  - (name): \"*\"\n                    volumeMounts:\n                      - name: 
workload-identity-credential-configuration\n                        mountPath: \/etc\/workload-identity\n                        readOnly: true\n                    env:\n                      - name: GOOGLE_APPLICATION_CREDENTIALS\n                        value: \"\/etc\/workload-identity\/credential-configuration.json\"\n<\/code><\/pre>\n<p>\u0645\u0646\u062f\u0631\u062c\u06c1 \u0628\u0627\u0644\u0627 \u06a9\u0644\u0633\u0679\u0631 \u067e\u0627\u0644\u06cc\u0633\u06cc \u062a\u06cc\u0646 \u0686\u06cc\u0632\u06cc\u06ba \u06a9\u0631\u062a\u06cc \u06c1\u06d2:<\/p>\n<ol>\n<li>\n<p>\u062a\u0639\u06cc\u0646\u0627\u062a\u06cc \u06a9\u0631\u062a\u06d2 \u0648\u0642\u062a\u060c \u06a9\u0646\u0679\u06cc\u0646\u0631 \u06a9\u06d2 \u0627\u0646\u062f\u0631 \u06a9\u0646\u0641\u06cc\u06af \u0645\u06cc\u067e \u06a9\u0648 \u0645\u0627\u0624\u0646\u0679 \u06a9\u0631\u06cc\u06ba\u06d4 <code>\/etc\/workload-identity<\/code>.<\/p>\n<\/li>\n<li>\n<p>\u0646\u0627\u0645\u06cc \u0627\u06cc\u06a9 \u0645\u0627\u062d\u0648\u0644\u06cc\u0627\u062a\u06cc \u0645\u062a\u063a\u06cc\u0631 \u0627\u0646\u062c\u06cc\u06a9\u0634\u0646 <code>GOOGLE_APPLICATION_CREDENTIALS<\/code> \u06cc\u06c1 \u0627\u0633\u0646\u0627\u062f \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u0641\u0627\u0626\u0644 \u06a9\u06d2 \u0645\u0637\u0644\u0642 \u0631\u0627\u0633\u062a\u06d2 \u06a9\u06cc \u0637\u0631\u0641 \u0627\u0634\u0627\u0631\u06c1 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<\/ol>\n<p>\u0627\u06cc\u06a9 \u0688\u0648\u06cc\u0644\u067e\u0631 \u06a9\u06d2 \u0646\u0642\u0637\u06c1 \u0646\u0638\u0631 \u0633\u06d2\u060c \u06cc\u06c1 \u0645\u06a9\u0645\u0644 \u0627\u0646\u0636\u0645\u0627\u0645 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-yaml\">apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: my-app\n  labels:\n    workload-identity-federation: \"enabled\" # That's it.\nspec:\n  # ... 
normal deployment spec\n<\/code><\/pre>\n<p>\u0627\u0633\u0646\u0627\u062f \u06a9\u06cc \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u0641\u0627\u0626\u0644 (Terraform \u06a9\u06cc \u0637\u0631\u0641 \u0633\u06d2 ConfigMap \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u062a\u06cc\u0627\u0631 \u06a9\u06cc \u06af\u0626\u06cc) \u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0626\u0646\u0679 \u0644\u0627\u0626\u0628\u0631\u06cc\u0631\u06cc \u06a9\u0648 \u0628\u062a\u0627\u062a\u06cc \u06c1\u06d2 \u06a9\u06c1 \u0679\u0648\u06a9\u0646 \u06a9\u0627 \u062a\u0628\u0627\u062f\u0644\u06c1 \u06a9\u06cc\u0633\u06d2 \u06a9\u06cc\u0627 \u062c\u0627\u0626\u06d2\u06d4<\/p>\n<pre><code class=\"language-json\">{\n  \"type\": \"external_account\",\n  \"audience\": \"\/\/iam.googleapis.com\/projects\/PROJECT_NUMBER\/locations\/global\/workloadIdentityPools\/POOL_ID\/providers\/PROVIDER_ID\",\n  \"subject_token_type\": \"urn:ietf:params:oauth:token-type:jwt\",\n  \"token_url\": \"https:\/\/sts.googleapis.com\/v1\/token\",\n  \"credential_source\": {\n    \"file\": \"\/run\/secrets\/kubernetes.io\/serviceaccount\/token\"\n  }\n}\n<\/code><\/pre>\n<p>\u06cc\u06c1 JSON \u0641\u0627\u0626\u0644 \u06af\u0648\u06af\u0644 \u06a9\u06d2 \u0648\u0631\u06a9 \u0644\u0648\u0688 \u0622\u0626\u06cc\u0688\u06cc\u0646\u0679\u06cc \u0641\u06cc\u0688\u0631\u06cc\u0634\u0646 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0635\u0627\u0631\u0641 \u06a9\u06cc \u0627\u0633\u0646\u0627\u062f \u06a9\u0648 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u062a\u06cc \u06c1\u06d2\u06d4 Kubernetes ServiceAccount \u0679\u0648\u06a9\u0646 (\u0627\u0633 \u067e\u0631 \u0648\u0627\u0642\u0639 \u06c1\u06d2: <code>\/run\/secrets\/kubernetes.io\/serviceaccount\/token<\/code>) \u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06d2 \u0679\u0648\u06a9\u0646\u0632 \u06a9\u06d2 \u0644\u06cc\u06d2\u060c \u0648\u0631\u06a9 \u0644\u0648\u0688 \u0634\u0646\u0627\u062e\u062a\u06cc 
\u067e\u0648\u0644 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u06a9\u0646\u0641\u06cc\u06af\u0631 \u06a9\u0631\u062f\u06c1 \u0628\u06cc\u0631\u0648\u0646\u06cc \u0634\u0646\u0627\u062e\u062a \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u06cc\u06ba\u06d4 \u06cc\u06c1 GCP \u0633\u06d2 \u0628\u0627\u06c1\u0631 \u0686\u0644\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u06a9\u0627\u0645 \u06a9\u06d2 \u0628\u0648\u062c\u06be \u06a9\u0648 \u0627\u062c\u0627\u0632\u062a \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u060c \u062c\u06cc\u0633\u06d2 \u06a9\u06c1 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 Kubernetes \u06a9\u0644\u0633\u0679\u0631\u0632\u060c \u0637\u0648\u06cc\u0644 \u0627\u0644\u0645\u062f\u062a \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc\u0632 \u06a9\u0648 \u0645\u0646\u0638\u0645 \u06a9\u06cc\u06d2 \u0628\u063a\u06cc\u0631 GCP \u0633\u0631\u0648\u0633\u0632 \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<p>\u062a\u0645\u0627\u0645 Google Cloud SDKs \u0627\u0648\u0631 \u06a9\u0644\u0627\u0626\u0646\u0679 \u0644\u0627\u0626\u0628\u0631\u06cc\u0631\u06cc\u0627\u06ba \u0627\u0633 \u0641\u0627\u0631\u0645\u06cc\u0679 \u06a9\u0648 \u0633\u0645\u062c\u06be\u062a\u06cc \u06c1\u06cc\u06ba\u06d4 Python\u060c Go\u060c Java\u060c \u0627\u0648\u0631 Node.js \u0633\u0628\u06be\u06cc \u06a9\u0627\u0645 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<h2 id=\"heading-how-to-grant-iam-permissions-to-federated-identities\">\u0648\u0641\u0627\u0642\u06cc \u0634\u0646\u0627\u062e\u062a\u0648\u06ba \u06a9\u0648 IAM \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u06a9\u06cc\u0633\u06d2 \u062f\u06cc \u062c\u0627\u0626\u06d2\u06d4<\/h2>\n<p>\u0627\u06cc\u06a9 \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u0679\u0648\u06a9\u0646 (\u062c\u0633\u06d2 
\u0641\u06cc\u0688\u0631\u06cc\u0634\u0646 \u06a9\u06cc \u0634\u0646\u0627\u062e\u062a \u0628\u06be\u06cc \u06a9\u06c1\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2) STS \u0633\u0631\u0648\u0633 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06c1 \u0642\u0627\u0628\u0644 \u0627\u0639\u062a\u0645\u0627\u062f \u0648\u0633\u0627\u0626\u0644 \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u0631\u06a9\u0627\u0631 \u06c1\u0648\u062a\u06cc \u06c1\u06d2\u06d4 IAM \u0631\u0648\u0644 \u06a9\u0648 \u0634\u0646\u0627\u062e\u062a\u06cc \u067e\u0648\u0644 \u067e\u0631\u0627\u067e\u0631\u0679\u06cc \u0633\u06d2 \u0645\u0646\u0633\u0644\u06a9 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-hcl\">resource \"google_project_iam_member\" \"secret_access\" {\n  for_each = toset([\"production\", \"staging\"])\n  project  = \"my-project\"\n  role     = \"roles\/secretmanager.secretAccessor\"\n  member   = \"principalSet:\/\/iam.googleapis.com\/projects\/${PROJECT_NUMBER}\/locations\/global\/workloadIdentityPools\/${POOL_ID}\/attribute.namespace\/${each.value}\"\n}\n<\/code><\/pre>\n<p>\u06cc\u06c1 <code>production<\/code> \u06cc\u0627 <code>staging<\/code> \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u06a9\u06d2 \u062a\u0645\u0627\u0645 \u062a\u0635\u062f\u06cc\u0642 \u0634\u062f\u06c1 \u067e\u0648\u0688\u0632 \u06a9\u0648 \u062e\u0641\u06cc\u06c1 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 <code>principalSet<\/code> \u0646\u062d\u0648 \u0627\u0646\u062a\u0633\u0627\u0628 \u06a9\u06d2 \u0645\u0644\u0627\u067e \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc\u062a\u0627 \u06c1\u06d2\u06d4 \u0622\u067e \u0627\u0633\u06d2 \u0645\u062e\u0635\u0648\u0635 \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679\u0633 \u062a\u06a9 \u0628\u06be\u06cc \u0645\u062d\u062f\u0648\u062f \u06a9\u0631 
\u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-plaintext\">member = \"principal:\/\/iam.googleapis.com\/...\/subject\/system:serviceaccount:production:payment-processor\"\n<\/code><\/pre>\n<h2 id=\"heading-how-to-verify-the-setup\">\u0627\u067e\u0646\u06cc \u062a\u0631\u062a\u06cc\u0628\u0627\u062a \u06a9\u0648 \u06a9\u06cc\u0633\u06d2 \u0686\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba\u06d4<\/h2>\n<p>\u0622\u067e \u0627\u06cc\u06a9 \u0633\u0627\u062f\u06c1 Python \u0627\u0633\u06a9\u0631\u067e\u0679 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u067e\u0646\u06d2 \u0633\u06cc\u0679 \u0627\u067e \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba \u062c\u0633 \u0645\u06cc\u06ba \u0633\u06cc\u06a9\u0631\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631 \u06a9\u06d2 \u0631\u0627\u0632 \u062f\u0631\u062c \u06c1\u06cc\u06ba\u06d4 \u06cc\u06c1 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba \u067e\u0648\u0688 \u06a9\u06d2 \u0627\u0646\u062f\u0631 \u0686\u0644\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-python\"># list_secrets.py - running on-prem, accessing GCP Secret Manager\nfrom google.cloud import secretmanager\n\ndef list_secrets(project_id: str):\n    \"\"\"\n    List all secrets in a GCP project.\n\n    No credentials are passed explicitly. The google-cloud-secret-manager\n    library automatically:\n    1. Reads GOOGLE_APPLICATION_CREDENTIALS env var (set by Kyverno)\n    2. Loads the credential configuration JSON\n    3. Reads the K8s ServiceAccount token from \/run\/secrets\/...\n    4. Exchanges it for a GCP access token via STS\n    5. 
Uses that token to call the Secret Manager API\n    \"\"\"\n    client = secretmanager.SecretManagerServiceClient()\n    parent = f\"projects\/{project_id}\"\n\n    print(f\"Secrets in {project_id}:\")\n    print(\"-\" * 40)\n\n    for secret in client.list_secrets(request={\"parent\": parent}):\n        secret_name = secret.name.split(\"\/\")[-1]\n        print(f\"  - {secret_name}\")\n\n    print(\"-\" * 40)\n    print(\"Authentication: Workload Identity Federation\")\n    print(\"Credentials: None stored, token exchanged at runtime\")\n\nif __name__ == \"__main__\":\n    list_secrets(\"my-project-id\")\n<\/code><\/pre>\n<p>\u0627\u0633\u06d2 \u0644\u06cc\u0628\u0644 \u0648\u0627\u0644\u06d2 \u067e\u0648\u0688 \u06a9\u06d2 \u0627\u0646\u062f\u0631 \u0686\u0644\u0627\u0626\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-bash\">$ kubectl exec -it my-app-xyz -- python list_secrets.py\n\nSecrets in my-project-id:\n----------------------------------------\n  - database-password\n  - api-key-stripe\n  - oauth-client-secret\n  - ml-model-api-key\n----------------------------------------\nAuthentication: Workload Identity Federation\nCredentials: None stored, token exchanged at runtime\n<\/code><\/pre>\n<p>\u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc \u06a9\u0644\u06cc\u062f \u063a\u0627\u0626\u0628 \u06c1\u06d2\u06d4 \u06a9\u0648\u0626\u06cc \u062d\u0641\u0627\u0638\u062a\u06cc \u0631\u0627\u0632 \u0646\u0635\u0628 \u0646\u06c1\u06cc\u06ba \u06c1\u06cc\u06ba\u06d4 \u0627\u06cc\u06a9 Kubernetes ServiceAccount \u0679\u0648\u06a9\u0646 \u062c\u0648 \u0631\u0646 \u0679\u0627\u0626\u0645 \u067e\u0631 GCP \u0627\u0633\u0646\u0627\u062f \u06a9\u06d2 \u0644\u06cc\u06d2 \u062a\u0628\u062f\u06cc\u0644 \u06a9\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<p>\u06cc\u06c1\u06cc \u0637\u0631\u0632 \u062a\u0645\u0627\u0645 GCP \u0633\u0631\u0648\u0633\u0632 \u067e\u0631 \u0644\u0627\u06af\u0648 \u06c1\u0648\u062a\u0627 
\u06c1\u06d2\u060c \u0628\u0634\u0645\u0648\u0644 \u0633\u06cc\u06a9\u0631\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631\u060c \u06a9\u0644\u0627\u0624\u0688 \u0627\u0633\u0679\u0648\u0631\u06cc\u062c\u060c BigQuery\u060c Pub\/Sub\u060c \u0627\u0648\u0631 Vertex AI\u06d4<\/p>\n<h2 id=\"heading-how-to-connect-on-prem-apps-to-cloud-gpus\">\u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u06cc\u067e\u0633 \u06a9\u0648 \u06a9\u0644\u0627\u0624\u0688 GPUs \u0633\u06d2 \u06a9\u06cc\u0633\u06d2 \u062c\u0648\u0691\u06cc\u06ba\u06d4<\/h2>\n<p>\u0639\u0627\u0645 \u0628\u06c1\u0627\u0624 \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u0633\u0648\u0686\u0648\u06d4 \u0641\u0631\u0627\u0688 \u06a9\u0627 \u067e\u062a\u06c1 \u0644\u06af\u0627\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u062a\u06a9\u0645\u06cc\u0644\u06cc \u062e\u062f\u0645\u0627\u062a \u06a9\u0648 Vertex AI \u0627\u06cc\u0646\u0688 \u067e\u0648\u0627\u0626\u0646\u0679 \u06a9\u0648 \u06a9\u0627\u0644 \u06a9\u0631\u0646\u0627 \u0686\u0627\u06c1\u06cc\u06d2\u06d4 \u06cc\u06c1 \u0645\u0627\u0688\u0644 \u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u0645\u06cc\u06ba GPUs \u067e\u0631 \u0686\u0644\u062a\u0627 \u06c1\u06d2\u06d4 A100 \u0645\u06c1\u06cc\u0646\u0648\u06ba \u0645\u06cc\u06ba \u0646\u06c1\u06cc\u06ba \u0628\u0644\u06a9\u06c1 \u0645\u0646\u0679\u0648\u06ba \u0645\u06cc\u06ba \u0686\u0644 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4 \u0622\u067e \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a \u06a9\u06cc \u0645\u0646\u0637\u0642 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0631\u06c1\u062a\u06cc \u06c1\u06d2 (\u0622\u067e \u0646\u06d2 \u067e\u06c1\u0644\u06d2 \u06c1\u06cc \u0627\u0633 \u06a9\u06d2 \u06a9\u0645\u067e\u06cc\u0648\u0679 \u0627\u062e\u0631\u0627\u062c\u0627\u062a \u06a9\u06cc \u0627\u062f\u0627\u0626\u06cc\u06af\u06cc \u06a9\u0631 \u062f\u06cc 
\u06c1\u06d2)\u06d4<\/p>\n<p>\u0627\u06cc\u06a9 \u0628\u0627\u0631 \u062c\u0628 IAM \u0628\u0627\u0626\u0646\u0688\u0646\u06af \u0646\u0627\u0641\u0630 \u06c1\u0648 \u062c\u0627\u0626\u06d2 \u062a\u0648\u060c \u0627\u062c\u0627\u0632\u062a \u0634\u062f\u06c1 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u0645\u06cc\u06ba \u06a9\u0648\u0626\u06cc \u0628\u06be\u06cc \u067e\u0648\u0688 Vertex AI \u06a9\u0648 \u06a9\u0627\u0644 \u06a9\u0631 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-python\"># fraud_detector.py - running on-prem, calling cloud GPUs\nfrom google.cloud import aiplatform\n\ndef check_fraud(transaction: dict) -> float:\n    \"\"\"\n    Call a Vertex AI endpoint for fraud detection.\n\n    The model runs on A100 GPUs in Google Cloud.\n    This code runs on-prem in the datacenter.\n\n    Authentication is automatic:\n    1. Kyverno injected GOOGLE_APPLICATION_CREDENTIALS\n    2. The aiplatform SDK reads the credential config\n    3. K8s SA token is exchanged for GCP token via STS\n    4. Request is authenticated to Vertex AI\n    \"\"\"\n    endpoint = aiplatform.Endpoint(\n        endpoint_name=\"projects\/my-project\/locations\/us-central1\/endpoints\/fraud-model\"\n    )\n    prediction = endpoint.predict(instances=[transaction])\n    return prediction.predictions[0][\"fraud_score\"]\n\n\ndef generate_embeddings(texts: list[str]) -> list[list[float]]:\n    \"\"\"\n    Generate text embeddings using a cloud-hosted model.\n\n    Embedding models are GPU-intensive. Running them on-prem\n    would require dedicated hardware. 
In the cloud, you pay per request.\n    \"\"\"\n    from vertexai.language_models import TextEmbeddingModel\n\n    model = TextEmbeddingModel.from_pretrained(\"text-embedding-004\")\n    embeddings = model.get_embeddings(texts)\n    return [e.values for e in embeddings]\n<\/code><\/pre>\n<p>\u0688\u0648\u06cc\u0644\u067e\u0631\u0632 \u062a\u0648\u062b\u06cc\u0642 \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u0628\u0627\u0644\u06a9\u0644 \u0646\u06c1\u06cc\u06ba \u0633\u0648\u0686\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u0622\u067e \u06a9\u06cc \u062a\u0639\u06cc\u0646\u0627\u062a\u06cc \u0645\u06cc\u06ba \u0627\u06cc\u06a9 \u0644\u06cc\u0628\u0644 \u0634\u0627\u0645\u0644 \u06a9\u0631\u0646\u0627 \u0622\u067e \u06a9\u06d2 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u067e\u0648\u0688\u0632 \u06a9\u0648 \u06a9\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc\u062a\u0627 \u06c1\u06d2:<\/p>\n<ul>\n<li>\n<p><strong>Vertex AI \u0627\u06cc\u0646\u0688 \u067e\u0648\u0627\u0626\u0646\u0679<\/strong> \u06a9\u0644\u0627\u0624\u0688 GPUs \u067e\u0631 ML \u062a\u062e\u0645\u06cc\u0646\u06c1 \u06a9\u06d2 \u0644\u06cc\u06d2<\/p>\n<\/li>\n<li>\n<p><strong>\u06a9\u0644\u0627\u0624\u0688 \u0627\u0633\u0679\u0648\u0631\u06cc\u062c<\/strong> \u0645\u0627\u0688\u0644 \u0646\u0645\u0648\u0646\u06d2 \u0627\u0648\u0631 \u062a\u0631\u0628\u06cc\u062a\u06cc \u0688\u06cc\u0679\u0627 \u06a9\u06d2 \u0644\u06cc\u06d2<\/p>\n<\/li>\n<li>\n<p><strong>BigQuery<\/strong> \u0641\u06cc\u0686\u0631 \u0627\u0633\u0679\u0648\u0631\u06cc\u062c \u0627\u0648\u0631 \u062a\u062c\u0632\u06cc\u06c1 \u06a9\u06d2 \u0644\u06cc\u06d2<\/p>\n<\/li>\n<li>\n<p><strong>\u0634\u0627\u0626\u0639 \u06a9\u0631\u06cc\u06ba\/\u0633\u0628\u0633\u06a9\u0631\u0627\u0626\u0628 \u06a9\u0631\u06cc\u06ba\u06d4<\/strong> \u0645\u0627\u062d\u0648\u0644 \u06a9\u06d2 \u062f\u0631\u0645\u06cc\u0627\u0646 \u0648\u0627\u0642\u0639\u0627\u062a \u06a9\u06cc 
\u0633\u0644\u0633\u0644\u06c1 \u0628\u0646\u062f\u06cc \u06a9\u06d2 \u0644\u06cc\u06d2<\/p>\n<\/li>\n<li>\n<p><strong>\u062e\u0641\u06cc\u06c1 \u0645\u06cc\u0646\u06cc\u062c\u0631<\/strong> API \u06a9\u06cc\u0632 \u0627\u0648\u0631 \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u06a9\u06d2 \u0644\u06cc\u06d2<\/p>\n<\/li>\n<\/ul>\n<p>\u06cc\u06c1 \u0627\u06cc\u06a9 \u06c1\u0627\u0626\u0628\u0631\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u06c1\u06d2 \u062c\u0648 \u062d\u0633\u0628 \u0645\u0646\u0634\u0627 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-how-to-scale-gpu-access-with-cel-conditions\">CEL \u0634\u0631\u0627\u0626\u0637 \u06a9\u06d2 \u0633\u0627\u062a\u06be GPU \u0631\u0633\u0627\u0626\u06cc \u06a9\u0648 \u06a9\u06cc\u0633\u06d2 \u0628\u0691\u06be\u0627\u06cc\u0627 \u062c\u0627\u0626\u06d2\u06d4<\/h2>\n<p>CEL \u062d\u0627\u0644\u0627\u062a \u062e\u0627\u0635 \u0637\u0648\u0631 \u067e\u0631 \u0637\u0627\u0642\u062a\u0648\u0631 \u06c1\u0648 \u062c\u0627\u062a\u06d2 \u06c1\u06cc\u06ba \u062c\u0628 \u0622\u067e GPU \u06a9\u06cc \u0631\u0633\u0627\u0626\u06cc \u06a9\u0648 \u0645\u062e\u0635\u0648\u0635 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1\u0648\u06ba \u062a\u06a9 \u0645\u062d\u062f\u0648\u062f \u06a9\u0631\u0646\u0627 \u0686\u0627\u06c1\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u0645\u062b\u0627\u0644 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631\u060c \u0635\u0631\u0641 ML \u0633\u06d2 \u0645\u062a\u0639\u0644\u0642\u06c1 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1\u0648\u06ba \u06a9\u0648 Vertex AI \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc\u0646\u0627:<\/p>\n<pre><code class=\"language-plaintext\">attribute.namespace in [\"ml-inference\", \"ml-training\", \"data-science\"] &&\n  attribute.service_account.startsWith(\"ml-\")\n<\/code><\/pre>\n<p>\u0622\u067e \u06c1\u0631 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 
\u06a9\u06d2 \u0644\u06cc\u06d2 \u0645\u062e\u062a\u0644\u0641 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u0633\u0637\u062d\u06cc\u06ba \u0628\u06be\u06cc \u062f\u06d2 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-hcl\"># ML inference namespace gets prediction access\nresource \"google_project_iam_member\" \"ml_inference\" {\n  project = \"my-project\"\n  role    = \"roles\/aiplatform.user\"\n  member  = \"principalSet:\/\/iam.googleapis.com\/...\/attribute.namespace\/ml-inference\"\n}\n\n# Data science namespace gets full Vertex AI access (for experimentation)\nresource \"google_project_iam_member\" \"data_science\" {\n  project = \"my-project\"\n  role    = \"roles\/aiplatform.admin\"\n  member  = \"principalSet:\/\/iam.googleapis.com\/...\/attribute.namespace\/data-science\"\n}\n<\/code><\/pre>\n<p>\u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u06cc\u067e\u0644\u06cc\u06a9\u06cc\u0634\u0646 \u0679\u06cc\u0645\u0648\u06ba \u06a9\u0648 GCP IAM \u06a9\u06d2 \u0628\u0627\u0631\u06d2 \u0645\u06cc\u06ba \u062c\u0627\u0646\u0646\u06d2 \u06cc\u0627 \u0627\u0633 \u06a9\u06cc \u067e\u0631\u0648\u0627\u06c1 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u0628\u0633 \u0635\u062d\u06cc\u062d \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u067e\u0631 \u062a\u0639\u06cc\u0646\u0627\u062a \u06a9\u0631\u06cc\u06ba\u060c \u0627\u06cc\u06a9 \u0644\u06cc\u0628\u0644 \u0634\u0627\u0645\u0644 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0648\u0631 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u0628\u0627\u0642\u06cc \u0686\u06cc\u0632\u0648\u06ba \u06a9\u0627 \u062e\u06cc\u0627\u0644 \u0631\u06a9\u06be\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-the-security-properties-compared\">\u062d\u0641\u0627\u0638\u062a\u06cc \u062e\u0635\u0648\u0635\u06cc\u0627\u062a \u06a9\u0627 \u0645\u0648\u0627\u0632\u0646\u06c1<\/h2>\n<p>\u0630\u06cc\u0644 
\u0645\u06cc\u06ba \u062a\u0635\u062f\u06cc\u0642 \u06a9\u06d2 \u062f\u0648 \u0637\u0631\u06cc\u0642\u0648\u06ba \u06a9\u0627 \u0627\u06cc\u06a9 \u0633\u0627\u062a\u06be \u0628\u06c1 \u067e\u06c1\u0644\u0648 \u0645\u0648\u0627\u0632\u0646\u06c1 \u06c1\u06d2\u06d4<\/p>\n<table>\n<thead>\n<tr>\n<th>\u062c\u0627\u0626\u06cc\u062f\u0627\u062f<\/th>\n<th>\u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc \u06a9\u0644\u06cc\u062f<\/th>\n<th>\u0648\u0631\u06a9 \u0644\u0648\u0688 \u0622\u0626\u06cc\u0688\u06cc\u0646\u0679\u06cc \u0627\u0644\u0627\u0626\u0646\u0633<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u06a9\u0631\u06cc\u0688\u06cc\u0646\u0634\u0644 \u0644\u0627\u0626\u0641 \u0679\u0627\u0626\u0645<\/td>\n<td>\u062c\u0628 \u062a\u06a9 \u062f\u0633\u062a\u06cc \u0637\u0648\u0631 \u067e\u0631 \u062a\u0628\u062f\u06cc\u0644 \u0646\u06c1 \u06a9\u06cc\u0627 \u062c\u0627\u0626\u06d2 (\u0639\u0627\u0645 \u0637\u0648\u0631 \u067e\u0631 \u06a9\u0626\u06cc \u0633\u0627\u0644)<\/td>\n<td>\u0645\u062e\u062a\u0635\u0631 \u0645\u062f\u062a (GCP \u0679\u0648\u06a9\u0646 \u06a9\u06d2 \u0644\u06cc\u06d2 1 \u06af\u06be\u0646\u0679\u06c1)<\/td>\n<\/tr>\n<tr>\n<td>\u067e\u06be\u06cc\u0644\u0646\u06d2 \u06a9\u0627 \u062e\u0637\u0631\u06c1<\/td>\n<td>\u06c1\u0627\u0626\u06cc - \u062c\u0627\u0645\u062f \u0686\u0627\u0628\u06cc\u0627\u06ba \u06a9\u06c1\u06cc\u06ba \u0628\u06be\u06cc \u06a9\u0627\u067e\u06cc \u06a9\u06cc \u062c\u0627 \u0633\u06a9\u062a\u06cc \u06c1\u06cc\u06ba\u06d4<\/td>\n<td>\u06a9\u0645 \u2014 \u0679\u0648\u06a9\u0646 \u06a9\u06cc \u0645\u06cc\u0639\u0627\u062f \u062a\u06cc\u0632\u06cc \u0633\u06d2 \u062e\u062a\u0645 \u06c1\u0648 \u062c\u0627\u062a\u06cc \u06c1\u06d2\u06d4<\/td>\n<\/tr>\n<tr>\n<td>\u0622\u0688\u0679 \u0679\u0631\u06cc\u0644<\/td>\n<td>\u0635\u0631\u0641 \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u0627 \u0646\u0627\u0645<\/td>\n<td>\u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 + 
\u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u0627 \u0646\u0627\u0645<\/td>\n<\/tr>\n<tr>\n<td>\u06a9\u0644\u06cc\u062f\u06cc \u0627\u0646\u062a\u0638\u0627\u0645 \u0627\u0648\u0648\u0631 \u06c1\u06cc\u0688<\/td>\n<td>\u0628\u0691\u06d2 \u067e\u06cc\u0645\u0627\u0646\u06d2 \u067e\u0631 600+ \u0686\u0627\u0628\u06cc\u0627\u06ba<\/td>\n<td>\u0627\u0646\u062a\u0638\u0627\u0645 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u06a9\u0648\u0626\u06cc \u0686\u0627\u0628\u06cc\u0627\u06ba \u0646\u06c1\u06cc\u06ba \u06c1\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr>\n<td>\u0633\u06cc\u06a9\u06cc\u0648\u0631\u0679\u06cc \u067e\u0627\u0644\u06cc\u0633\u06cc \u06a9\u0627 \u0646\u0641\u0627\u0630<\/td>\n<td>\u062f\u0633\u062a\u06cc\/\u0679\u0631\u0633\u0679 \u067e\u0631 \u0645\u0628\u0646\u06cc<\/td>\n<td>CEL \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 GCP \u0627\u0646\u0641\u0631\u0627\u0633\u0679\u0631\u06a9\u0686\u0631 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u0646\u0627\u0641\u0630 \u06a9\u06cc\u0627 \u06af\u06cc\u0627\u06d4<\/td>\n<\/tr>\n<tr>\n<td>\u0688\u0648\u06cc\u0644\u067e\u0631 \u06a9\u0627 \u062a\u062c\u0631\u0628\u06c1<\/td>\n<td>\u0686\u0627\u0628\u06cc\u0627\u06ba \u06a9\u0627\u067e\u06cc \u06a9\u0631\u06cc\u06ba\u060c \u0631\u0627\u0632 \u0628\u0646\u0627\u0626\u06cc\u06ba\u060c \u062d\u062c\u0645 \u0628\u0691\u06be\u0627\u0626\u06cc\u06ba\u06d4<\/td>\n<td>\u0627\u067e\u0646\u06cc \u062a\u0639\u06cc\u0646\u0627\u062a\u06cc \u0645\u06cc\u06ba 1 \u0644\u06cc\u0628\u0644 \u0634\u0627\u0645\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u0679\u0648\u06a9\u0646 \u06a9\u06cc \u0642\u0644\u06cc\u0644 \u0645\u062f\u062a\u06cc \u0646\u0648\u0639\u06cc\u062a \u067e\u0631 \u0632\u0648\u0631 \u062f\u06cc\u0646\u06d2 \u06a9\u06d2 \u0642\u0627\u0628\u0644 \u06c1\u06d2\u06d4 \u06cc\u06c1\u0627\u06ba \u062a\u06a9 \u06a9\u06c1 \u0628\u062f\u062a\u0631\u06cc\u0646 \u0635\u0648\u0631\u062a \u062d\u0627\u0644 
\u0645\u06cc\u06ba \u062c\u06c1\u0627\u06ba \u0679\u0648\u06a9\u0646 \u0644\u06cc\u06a9 \u06c1\u0648 \u062c\u0627\u0626\u06cc\u06ba\u060c \u0679\u0648\u06a9\u0646 \u062e\u062a\u0645 \u06c1\u0648 \u062c\u0627\u0626\u06cc\u06ba \u06af\u06d2\u06d4 Kubernetes ServiceAccount \u0679\u0648\u06a9\u0646\u0632 \u06a9\u06cc \u0632\u0646\u062f\u06af\u06cc \u0628\u06be\u0631 \u06a9\u06cc \u062a\u0631\u062a\u06cc\u0628 \u06c1\u0648\u062a\u06cc \u06c1\u06d2\u060c \u0627\u0648\u0631 STS \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u062c\u0627\u0631\u06cc \u06a9\u0631\u062f\u06c1 GCP \u0631\u0633\u0627\u0626\u06cc \u0679\u0648\u06a9\u0646 \u0627\u06cc\u06a9 \u06af\u06be\u0646\u0679\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u062f\u0631\u0633\u062a \u06c1\u0648\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4 \u062f\u0648\u0633\u0631\u06cc \u0637\u0631\u0641\u060c \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc \u0686\u0627\u0628\u06cc\u0627\u06ba \u0627\u0633 \u0648\u0642\u062a \u062a\u06a9 \u062f\u0631\u0633\u062a \u0631\u06c1\u062a\u06cc \u06c1\u06cc\u06ba \u062c\u0628 \u062a\u06a9 \u06a9\u06c1 \u06a9\u0648\u0626\u06cc \u0648\u0627\u0636\u062d \u0637\u0648\u0631 \u067e\u0631 \u0627\u0646 \u06a9\u06cc \u062c\u06af\u06c1 \u0646\u06c1 \u0644\u06d2 \u0644\u06d2 (\u0639\u0627\u0645 \u0637\u0648\u0631 \u067e\u0631 \u06a9\u0626\u06cc \u0633\u0627\u0644)\u06d4<\/p>\n<h2 id=\"heading-the-complete-infrastructure-as-code-layout\">\u06a9\u0648\u0688 \u0644\u06d2 \u0622\u0624\u0679 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0628\u0646\u06cc\u0627\u062f\u06cc \u0688\u06be\u0627\u0646\u0686\u06c1 \u0645\u06a9\u0645\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/h2>\n<p>GCP \u0627\u0648\u0631 Kubernetes \u062f\u0648\u0646\u0648\u06ba \u0648\u0633\u0627\u0626\u0644 \u06a9\u0648 \u0645\u0646\u0638\u0645 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u067e\u0648\u0631\u06d2 \u062d\u0644 \u06a9\u0648 Terraform \u0645\u06cc\u06ba \u06a9\u0648\u0688 \u06a9\u06cc\u0627 
\u06af\u06cc\u0627 \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-plaintext\">workload-identity-federation\/\n\u251c\u2500\u2500 providers.tf      # Google + Kubernetes providers\n\u251c\u2500\u2500 locals.tf         # Configuration (namespaces, project ID, etc.)\n\u251c\u2500\u2500 gcp.tf            # Identity pool, provider, IAM bindings\n\u2514\u2500\u2500 kubernetes.tf     # ConfigMap with credential configuration\n<\/code><\/pre>\n<p>\u0627\u06a9\u06cc\u0644\u0627 <code>terraform apply<\/code>:<\/p>\n<ol>\n<li>\n<p>GCP \u0645\u06cc\u06ba \u06a9\u0627\u0645 \u06a9\u0627 \u0628\u0648\u062c\u06be \u0634\u0646\u0627\u062e\u062a\u06cc \u067e\u0648\u0644 \u0628\u0646\u0627\u0626\u06cc\u06ba<\/p>\n<\/li>\n<li>\n<p>\u0627\u067e\u0646\u06d2 \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba JWKS \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 OIDC \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0648 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>\u0627\u062c\u0627\u0632\u062a \u0634\u062f\u06c1 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1\u0648\u06ba \u06a9\u06d2 \u0644\u06cc\u06d2 IAM \u0628\u0627\u0626\u0646\u0688\u0646\u06af \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u0646\u0627<\/p>\n<\/li>\n<li>\n<p>\u0627\u067e\u0646\u06cc \u0627\u0633\u0646\u0627\u062f \u06a9\u06cc \u062a\u0631\u062a\u06cc\u0628 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u06c1\u0631 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0627\u06cc\u06a9 \u06a9\u0646\u0641\u06cc\u06af \u0645\u06cc\u067e \u0628\u0646\u0627\u0626\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<\/ol>\n<p>Kyverno \u06a9\u06cc \u067e\u0627\u0644\u06cc\u0633\u06cc\u0648\u06ba \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0645\u0644 \u06a9\u0631\u060c \u0622\u067e \u06a9\u0648 \u0645\u06a9\u0645\u0644 \u0637\u0648\u0631 \u067e\u0631 \u062e\u0648\u062f\u06a9\u0627\u0631 \u067e\u0627\u0626\u067e 
\u0644\u0627\u0626\u0646 \u0645\u0644\u062a\u06cc \u06c1\u06d2\u06d4<\/p>\n<pre><code class=\"language-plaintext\">New namespace added to allowed list\n        \u2502\n        \u25bc\nTerraform creates ConfigMap in that namespace\n        \u2502\n        \u25bc\nDeveloper deploys with label\n        \u2502\n        \u25bc\nKyverno injects credentials automatically\n        \u2502\n        \u25bc\nPod authenticates to GCP via OIDC\n        \u2502\n        \u25bc\nApplication accesses GCP services\n<\/code><\/pre>\n<p>\u06a9\u0648\u0626\u06cc \u0679\u06a9\u0679 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u06a9\u0648\u0626\u06cc \u0628\u0691\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a\u06cc\u06ba \u0646\u06c1\u06cc\u06ba \u06c1\u06cc\u06ba\u06d4 \u0627\u0646\u062a\u0638\u0627\u0645 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u0626\u06d2 \u06a9\u0648\u0626\u06cc \u0631\u0627\u0632 \u0646\u06c1\u06cc\u06ba \u06c1\u06cc\u06ba.<\/p>\n<h2 id=\"heading-how-to-run-a-proof-of-concept-with-vcluster\">vCluster \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u062a\u0635\u0648\u0631 \u06a9\u0627 \u062b\u0628\u0648\u062a \u06a9\u06cc\u0633\u06d2 \u0686\u0644\u0627\u0626\u06cc\u06ba\u06d4<\/h2>\n<p>\u0627\u06af\u0631 \u0622\u067e \u0627\u0633\u06d2 GKE \u06a9\u06d2 \u0628\u0627\u06c1\u0631 \u0639\u0645\u0644 \u0645\u06cc\u06ba \u062f\u06cc\u06a9\u06be\u0646\u0627 \u0686\u0627\u06c1\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u062a\u0648 \u0622\u067e vCluster \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0627\u06cc\u06a9 \u0688\u06cc\u0645\u0648 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06d2 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u060c \u0627\u06cc\u06a9 \u0648\u0631\u0686\u0648\u0626\u0644 Kubernetes \u06a9\u0644\u0633\u0679\u0631 \u062c\u0648 \u062f\u0648\u0633\u0631\u06d2 Kubernetes \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06d2 \u0627\u0646\u062f\u0631 
\u0686\u0644 \u0631\u06c1\u0627 \u06c1\u06d2\u06d4 \u0627\u0633 \u0633\u06d2 \u062b\u0627\u0628\u062a \u06c1\u0648\u062a\u0627 \u06c1\u06d2 \u06a9\u06c1 \u062d\u0644 \u062a\u0645\u0627\u0645 \u06a9\u0644\u0633\u0679\u0631\u0632 \u067e\u0631 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4 \u0622\u067e Vind \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 Docker \u0645\u06cc\u06ba vCluster \u062a\u0631\u062a\u06cc\u0628 \u062f\u06d2 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-yaml\"># vcluster.yaml\nexperimental:\n  docker:\n    nodes:\n      - name: worker-1\n      - name: worker-2\ndeploy:\n  cni:\n    flannel:\n      enabled: true\ncontrolPlane:\n  distro:\n    k8s:\n      version: \"v1.35.0\"\n<\/code><\/pre>\n<pre><code class=\"language-shell\">[root@localhost #] vcluster create hybrid --driver docker -f vcluster.yaml\n[root@localhost #] kubectl get nodes\nhybrid-control-plane   Ready    control-plane   14d   v1.34.0   192.168.107.2   <none>        Debian GNU\/Linux 12 (bookworm)   7.0.5-orbstack-00330-ge3df4e19b0a0-dirty   containerd:\/\/2.1.3\nhybrid-worker          Ready    <none>          14d   v1.34.0   192.168.107.3   <none>        Debian GNU\/Linux 12 (bookworm)   7.0.5-orbstack-00330-ge3df4e19b0a0-dirty   containerd:\/\/2.1.3\nhybrid-worker2         Ready    <none>          14d   v1.34.0   192.168.107.4   <none>        Debian GNU\/Linux 12 (bookworm)   7.0.5-orbstack-00330-ge3df4e19b0a0-dirty   containerd:\/\/2.1.3\n<\/none><\/none><\/none><\/none><\/none><\/code><\/pre>\n<p>vCluster \u06a9\u06d2 \u0627\u0646\u062f\u0631 \u0627\u06cc\u06a9 \u0633\u0627\u062f\u06c1 \u0679\u06cc\u0633\u0679 \u062a\u0639\u06cc\u0646\u0627\u062a\u06cc \u062a\u0639\u06cc\u0646\u0627\u062a \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<pre><code class=\"language-yaml\">apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: gcp-test\n  labels:\n    
workload-identity-federation: \"enabled\"\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: gcp-test\n  template:\n    metadata:\n      labels:\n        app: gcp-test\n    spec:\n      containers:\n        - name: test\n          image: google\/cloud-sdk:slim\n          command: [\"sleep\", \"infinity\"]\n<\/code><\/pre>\n<p>\u0627\u0633\u06d2 \u067e\u0648\u0688 \u0645\u06cc\u06ba \u0686\u0644\u0627\u0626\u06cc\u06ba \u0627\u0648\u0631 \u062f\u0631\u062c \u0630\u06cc\u0644 \u06a9\u0648 \u0686\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba:<\/p>\n<pre><code class=\"language-bash\">$ kubectl exec -it gcp-test-xxx -- bash\n\n# Inside the pod:\n$ gcloud auth login --cred-file=$GOOGLE_APPLICATION_CREDENTIALS\nAuthenticated with external account credentials for: [principal:\/\/iam.googleapis.com\/...]\n\n$ gcloud secrets list --project=my-project\nNAME                 CREATED\ndatabase-password    2024-01-15T10:30:00Z\napi-key              2024-01-14T09:15:00Z\n<\/code><\/pre>\n<p>\u06a9\u0648\u0626\u06cc \u0686\u0627\u0628\u06cc \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 \u06a9\u0648\u0626\u06cc \u062d\u0641\u0627\u0638\u062a\u06cc \u0631\u0627\u0632 \u0646\u0635\u0628 \u0646\u06c1\u06cc\u06ba \u06c1\u06cc\u06ba\u06d4 \u0634\u0646\u0627\u062e\u062a\u06cc \u0641\u06cc\u0688\u0631\u06cc\u0634\u0646 \u0688\u06cc\u0632\u0627\u0626\u0646 \u06a9\u06d2 \u0645\u0637\u0627\u0628\u0642 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u06d4<\/p>\n<h2 id=\"heading-common-issues-and-how-to-solve-them\">\u0639\u0627\u0645 \u0645\u0633\u0627\u0626\u0644 \u0627\u0648\u0631 \u062d\u0644<\/h2>\n<h3 id=\"heading-how-to-handle-jwks-retrieval-for-air-gapped-clusters\">\u0627\u06cc\u0626\u0631 \u06af\u06cc\u067e\u0688 \u06a9\u0644\u0633\u0679\u0631\u0632 \u06a9\u06d2 \u0644\u06cc\u06d2 JWKS \u062f\u0631\u06cc\u0627\u0641\u062a \u06a9\u0648 \u06a9\u06cc\u0633\u06d2 \u06c1\u06cc\u0646\u0688\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<p>\u0627\u06af\u0631 \u0622\u067e 
\u06a9\u06d2 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u0627 OIDC \u062f\u0631\u06cc\u0627\u0641\u062a \u0627\u062e\u062a\u062a\u0627\u0645\u06cc \u0646\u0642\u0637\u06c1 \u0639\u0648\u0627\u0645\u06cc \u0637\u0648\u0631 \u067e\u0631 \u0642\u0627\u0628\u0644 \u0631\u0633\u0627\u0626\u06cc \u0646\u06c1\u06cc\u06ba \u06c1\u06d2 (\u0632\u06cc\u0627\u062f\u06c1 \u062a\u0631 \u0622\u0646 \u067e\u0631\u06cc\u0645 \u06a9\u0644\u0633\u0679\u0631\u0632 \u0646\u06c1\u06cc\u06ba \u06c1\u06cc\u06ba)\u060c \u0622\u067e \u06a9\u0648 \u0644\u0627\u0632\u0645\u06cc \u0637\u0648\u0631 \u067e\u0631 JWKS \u06a9\u0648 \u0628\u0631\u0622\u0645\u062f \u06a9\u0631\u0646\u0627 \u0627\u0648\u0631 \u0627\u0633\u06d2 GCP \u067e\u0631 \u0627\u067e \u0644\u0648\u0688 \u06a9\u0631\u0646\u0627 \u0686\u0627\u06c1\u06cc\u06d2\u06d4<\/p>\n<pre><code class=\"language-bash\">kubectl get --raw \/openid\/v1\/jwks > jwks.json\n<\/code><\/pre>\n<p>\u0627\u06af\u0631 \u0622\u067e \u06a9\u06d2 \u06a9\u0644\u0633\u0679\u0631 \u06a9\u06cc \u0633\u0627\u0626\u0646\u0646\u06af \u06a9\u0644\u06cc\u062f \u06a9\u0648 \u06af\u06be\u0645\u0627\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u060c \u062a\u0648 \u0622\u067e \u06a9\u0648 \u0627\u0633 \u0641\u0627\u0626\u0644 \u06a9\u0648 \u0627\u067e \u0688\u06cc\u0679 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u0648\u06af\u06cc\u06d4 \u0628\u0631\u06cc\u06a9\u0646\u06af \u062a\u0628\u062f\u06cc\u0644\u06cc\u0648\u06ba \u06a9\u0648 \u0686\u06cc\u06a9 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2 \u0628\u0627\u0642\u0627\u0639\u062f\u06c1 \u06a9\u0627\u0645 \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc\u06ba \u0627\u0648\u0631 \u0627\u067e\u0646\u06cc Terraform \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u06a9\u0648 \u0627\u067e \u0688\u06cc\u0679 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<h3 id=\"heading-how-to-fix-issuer-url-mismatches\">\u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 URL \u06a9\u06cc 
\u0639\u062f\u0645 \u0645\u0645\u0627\u062b\u0644\u062a \u06a9\u0648 \u06a9\u06cc\u0633\u06d2 \u062d\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<p>Kubernetes \u0679\u0648\u06a9\u0646 \u06a9\u0627 <code>iss<\/code> \u062f\u0639\u0648\u06cc\u0670 \u0622\u067e \u06a9\u06d2 OIDC \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u0645\u06cc\u06ba \u06a9\u0646\u0641\u06cc\u06af\u0631 \u06a9\u0631\u062f\u06c1 \u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 URL \u0633\u06d2 \u0628\u0627\u0644\u06a9\u0644 \u0645\u0645\u0627\u062b\u0644 \u06c1\u0648\u0646\u0627 \u0686\u0627\u06c1\u06cc\u06d2\u06d4 \u0627\u0646\u062f\u0631\u0648\u0646\u06cc DNS \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u06a9\u0644\u0633\u0679\u0631\u0632 \u06a9\u06d2 \u0644\u06cc\u06d2:<\/p>\n<pre><code class=\"language-plaintext\">issuer_uri = \"https:\/\/kubernetes.default.svc.cluster.local\"\n<\/code><\/pre>\n<p>\u0627\u0633 URL \u062a\u06a9 GCP \u0633\u06d2 \u067e\u06c1\u0646\u0686\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 JWKS \u0641\u0627\u0626\u0644 \u062a\u0648\u062b\u06cc\u0642 \u06a9\u06cc \u06a9\u0644\u06cc\u062f \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u062a\u06cc \u06c1\u06d2\u06d4 \u062a\u0627\u06c1\u0645\u060c \u06cc\u06c1 \u0628\u0627\u0644\u06a9\u0644 \u0648\u06c1\u06cc \u06c1\u0648\u0646\u0627 \u0686\u0627\u06c1\u06cc\u06d2 \u062c\u0648 \u0679\u0648\u06a9\u0646 \u0645\u06cc\u06ba \u06c1\u06d2\u06d4<\/p>\n<h3 id=\"heading-how-to-debug-token-exchange-failures\">\u0679\u0648\u06a9\u0646 \u0627\u06cc\u06a9\u0633\u0686\u06cc\u0646\u062c \u06a9\u06cc \u0646\u0627\u06a9\u0627\u0645\u06cc\u0648\u06ba \u06a9\u0648 \u06a9\u06cc\u0633\u06d2 \u0688\u06cc\u0628\u06af \u06a9\u0631\u06cc\u06ba\u06d4<\/h3>\n<p>\u0627\u06af\u0631 \u062a\u0648\u062b\u06cc\u0642 \u0646\u0627\u06a9\u0627\u0645 \u06c1\u0648 \u062c\u0627\u062a\u06cc \u06c1\u06d2 \u062a\u0648 
\u063a\u0644\u0637\u06cc \u06a9\u0627 \u067e\u06cc\u063a\u0627\u0645 \u067e\u06cc\u0686\u06cc\u062f\u06c1 \u06c1\u0648 \u0633\u06a9\u062a\u0627 \u06c1\u06d2\u06d4 \u0639\u0627\u0645 \u0648\u062c\u0648\u06c1\u0627\u062a \u0627\u0648\u0631 \u062d\u0644:<\/p>\n<table>\n<thead>\n<tr>\n<th>\u063a\u0644\u0637\u06cc<\/th>\n<th>\u0645\u0645\u06a9\u0646\u06c1 \u0648\u062c\u06c1<\/th>\n<th>\u0679\u06be\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>invalid_grant<\/code><\/td>\n<td>\u062c\u0627\u0631\u06cc \u06a9\u0646\u0646\u062f\u06c1 \u06a9\u0627 URL \u0645\u0645\u0627\u062b\u0644 \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4<\/td>\n<td>JWT \u06a9\u06d2 <code>iss<\/code> \u062f\u0639\u0648\u06d2 \u06a9\u0648 <code>issuer_uri<\/code> \u0645\u06cc\u06ba \u062a\u0631\u062a\u06cc\u0628 \u062f\u06cc \u06af\u0626\u06cc \u0642\u062f\u0631 \u0633\u06d2 \u0645\u0644\u0627 \u06a9\u0631 \u0686\u06cc\u06a9 \u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr>\n<td><code>audience mismatch<\/code><\/td>\n<td>\u063a\u0644\u0637 <code>audience<\/code> \u0627\u0633\u0646\u0627\u062f \u06a9\u06cc \u062a\u0631\u062a\u06cc\u0628 \u0645\u06cc\u06ba<\/td>\n<td>Terraform \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u06a9\u0631\u06cc\u0688\u06cc\u0646\u0634\u0644 \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 JSON \u06a9\u0648 \u062f\u0648\u0628\u0627\u0631\u06c1 \u062a\u062e\u0644\u06cc\u0642 \u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr>\n<td><code>CEL condition failed<\/code><\/td>\n<td>\u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1\u06cc\u06ba \u0648\u0627\u0626\u0679 \u0644\u0633\u0679 \u0645\u06cc\u06ba \u0646\u06c1\u06cc\u06ba \u06c1\u06cc\u06ba\u06d4<\/td>\n<td><code>attribute_condition<\/code> \u0645\u06cc\u06ba \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u0634\u0627\u0645\u0644 \u06a9\u0631\u06cc\u06ba \u0627\u0648\u0631 \u062f\u0648\u0628\u0627\u0631\u06c1 \u0627\u067e\u0644\u0627\u0626\u06cc 
\u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<tr>\n<td><code>JWKS validation failed<\/code><\/td>\n<td>\u062f\u0633\u062a\u062e\u0637 \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u06cc \u06a9\u0644\u06cc\u062f \u06a9\u0648 \u06af\u06be\u0645\u0627\u06cc\u0627 \u06af\u06cc\u0627 \u06c1\u06d2\u06d4<\/td>\n<td>JWKS \u06a9\u0648 \u062f\u0648\u0628\u0627\u0631\u06c1 \u0628\u0631\u0622\u0645\u062f \u06a9\u0631\u06cc\u06ba \u0627\u0648\u0631 Terraform \u06a9\u0646\u0641\u06cc\u06af\u0631\u06cc\u0634\u0646 \u06a9\u0648 \u0627\u067e \u0688\u06cc\u0679 \u06a9\u0631\u06cc\u06ba\u06d4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"heading-conclusion\">\u0646\u062a\u06cc\u062c\u06c1<\/h2>\n<p>\u0627\u0633 \u062a\u0631\u062a\u06cc\u0628 \u06a9\u0648 \u0644\u0627\u06af\u0648 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0628\u0639\u062f\u060c \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0648\u0631\u06a9 \u0628\u0648\u062c\u06be GCP \u0633\u06d2 \u0628\u0627\u0644\u06a9\u0644 \u0627\u0633\u06cc \u0637\u0631\u062d \u062a\u0635\u062f\u06cc\u0642 \u06a9\u0631\u062a\u06d2 \u06c1\u06cc\u06ba \u062c\u06cc\u0633\u06d2 GKE \u0648\u0631\u06a9 \u0628\u0648\u062c\u06be\u060c \u0628\u063a\u06cc\u0631 \u06a9\u0633\u06cc \u0637\u0648\u06cc\u0644 \u0645\u062f\u062a\u06cc \u0633\u0646\u062f \u06a9\u06d2\u06d4 \u0633\u06cc\u06a9\u06cc\u0648\u0631\u0679\u06cc \u0679\u06cc\u0645 \u062e\u0648\u0634 \u06c1\u06d2 (\u0622\u0688\u0679 \u06a9\u06cc \u06a9\u0648\u0626\u06cc \u06a9\u0644\u06cc\u062f \u0646\u06c1\u06cc\u06ba \u06c1\u06d2)\u060c \u0688\u0648\u06cc\u0644\u067e\u0631 \u062e\u0648\u0634 \u06c1\u06cc\u06ba (\u0635\u0631\u0641 \u0644\u06cc\u0628\u0644 \u0634\u0627\u0645\u0644 \u06a9\u0631\u06cc\u06ba)\u060c \u0627\u0648\u0631 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u0679\u06cc\u0645 \u062e\u0648\u0634 \u06c1\u06d2 (\u0645\u0632\u06cc\u062f \u0627\u0633\u0646\u0627\u062f \u06a9\u06d2 \u0627\u0646\u062a\u0638\u0627\u0645 \u06a9\u06d2 \u0679\u06a9\u0679 
\u0646\u06c1\u06cc\u06ba)\u06d4<\/p>\n<p>\u06cc\u06c1\u0627\u06ba \u06c1\u0645 \u0646\u06d2 \u0627\u0633 \u0679\u06cc\u0648\u0679\u0648\u0631\u06cc\u0644 \u0645\u06cc\u06ba \u06a9\u06cc\u0627 \u06a9\u06cc\u0627 \u06c1\u06d2:<\/p>\n<ol>\n<li>\n<p>\u0645\u06cc\u06ba \u0633\u0645\u062c\u06be\u062a\u0627 \u06c1\u0648\u06ba \u06a9\u06c1 \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc \u06a9\u0644\u06cc\u062f\u06cc\u06ba \u067e\u06cc\u0645\u0627\u0646\u06d2 \u067e\u0631 \u06a9\u06cc\u0648\u06ba \u0646\u0627\u06a9\u0627\u0645 \u06c1\u0648\u062a\u06cc \u06c1\u06cc\u06ba \u0627\u0648\u0631 \u0627\u0633 \u0633\u06d2 \u0633\u06cc\u06a9\u06cc\u0648\u0631\u0679\u06cc \u06a9\u06d2 \u062e\u0637\u0631\u0627\u062a \u0644\u0627\u062d\u0642 \u06c1\u0648\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>\u0627\u067e\u0646\u06d2 \u06a9\u0644\u0633\u0679\u0631 \u0645\u06cc\u06ba \u0679\u0648\u06a9\u0646 \u062c\u0627\u0631\u06cc \u06a9\u0631\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u067e\u0631 \u0628\u06be\u0631\u0648\u0633\u06c1 \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u06cc\u06d2\u060c \u0622\u067e \u0646\u06d2 GCP \u0645\u06cc\u06ba \u0627\u06cc\u06a9 \u0648\u0631\u06a9 \u0628\u0648\u062c\u06be \u0634\u0646\u0627\u062e\u062a\u06cc \u067e\u0648\u0644 \u0627\u0648\u0631 OIDC \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0646\u0646\u062f\u06c1 \u0628\u0646\u0627\u06cc\u0627 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<li>\n<p>CEL \u0634\u0631\u0627\u0626\u0637 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u062f\u0627\u0646\u06d2 \u062f\u0627\u0631 \u0646\u0627\u0645 \u06a9\u06cc \u062c\u06af\u06c1 \u06a9\u06cc \u0633\u0637\u062d \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u06a9\u06cc \u067e\u0627\u0644\u06cc\u0633\u06cc\u0627\u06ba \u0646\u0627\u0641\u0630 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>Kyverno ClusterPolicy \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 
\u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u067e\u0648\u0688\u0632 \u0645\u06cc\u06ba \u062e\u0648\u062f\u06a9\u0627\u0631 \u0637\u0648\u0631 \u067e\u0631 \u0627\u0633\u0646\u0627\u062f \u062f\u0627\u062e\u0644 \u06a9\u0631\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>IAM \u06a9\u06d2 \u06a9\u0631\u062f\u0627\u0631 \u06a9\u0648 \u0627\u06cc\u06a9 \u0645\u062a\u062d\u062f \u0634\u0646\u0627\u062e\u062a\u06cc \u0648\u0635\u0641 \u0633\u06d2 \u062c\u0648\u0691\u06cc\u06ba - \u06a9\u06c1\u06cc\u06ba \u0628\u06be\u06cc \u062f\u06cc\u0631\u067e\u0627 \u06a9\u0644\u06cc\u062f \u0646\u06c1\u06cc\u06ba\u06d4<\/p>\n<\/li>\n<li>\n<p>\u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u067e\u0648\u0688 \u0633\u06d2 GCP APIs (\u0633\u06cc\u06a9\u0631\u0679 \u0645\u06cc\u0646\u06cc\u062c\u0631\u060c \u0648\u0631\u0679\u06cc\u06a9\u0633 AI) \u06a9\u0648 \u06a9\u0627\u0644 \u06a9\u0631\u06a9\u06d2 \u0633\u06cc\u0679 \u0627\u067e \u06a9\u06cc \u062a\u0635\u062f\u06cc\u0642 \u06a9\u06cc\u06d4<\/p>\n<\/li>\n<li>\n<p>vCluster \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2\u060c \u06c1\u0645 \u0646\u06d2 \u06cc\u06c1 \u0638\u0627\u06c1\u0631 \u06a9\u06cc\u0627 \u06a9\u06c1 \u06c1\u0645\u0627\u0631\u0627 \u062d\u0644 \u06a9\u0633\u06cc \u0628\u06be\u06cc Kubernetes \u06a9\u0644\u0633\u0679\u0631 \u067e\u0631 \u06a9\u0627\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2\u06d4<\/p>\n<\/li>\n<\/ol>\n<p>\u06cc\u06c1\u0627\u06ba \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06c1\u0648\u0646\u06d2 \u0648\u0627\u0644\u06cc \u0679\u06cc\u06a9\u0646\u0627\u0644\u0648\u062c\u06cc \u0646\u0626\u06cc \u0646\u06c1\u06cc\u06ba \u06c1\u06d2\u06d4 OIDC \u0648\u0631\u0698\u0646 1.20 \u0633\u06d2 Kubernetes \u0645\u06cc\u06ba \u0634\u0627\u0645\u0644 \u06c1\u06d2\u06d4 \u0648\u0631\u06a9 \u0644\u0648\u0688 \u0622\u0626\u06cc\u0688\u06cc\u0646\u0679\u06cc \u0627\u0644\u0627\u0626\u0646\u0633 GCP \u0645\u06cc\u06ba \u06a9\u0626\u06cc 
\u0633\u0627\u0644\u0648\u06ba \u0633\u06d2 \u06c1\u06cc\u06ba\u06d4 Kyverno \u0627\u0648\u0631 Terraform \u0628\u0627\u0644\u063a \u0679\u0648\u0644\u0632 \u06c1\u06cc\u06ba\u06d4 \u06cc\u06c1 \u0679\u06cc\u0648\u0679\u0648\u0631\u06cc\u0644 \u0627\u06cc\u06a9 \u0627\u062e\u062a\u062a\u0627\u0645 \u0633\u06d2 \u0622\u062e\u0631 \u062a\u06a9 \u062d\u0644 \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u062a\u0627 \u06c1\u06d2 \u062c\u0633\u06d2 \u0688\u0648\u06cc\u0644\u067e\u0631 \u06a9\u0645 \u0633\u06d2 \u06a9\u0645 \u06a9\u0648\u0634\u0634 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0627\u067e\u0646\u0627 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<p>\u0627\u06af\u0631 \u0622\u067e \u06a9\u06cc \u062a\u0646\u0638\u06cc\u0645 \u06a9\u0648 \u063a\u06cc\u0631 \u0641\u0639\u0627\u0644 \u06a9\u0631 \u062f\u06cc\u0627 \u06af\u06cc\u0627 \u06c1\u06d2 \u06cc\u0627 \u0627\u0633\u06d2 \u0633\u0631\u0648\u0633 \u0627\u06a9\u0627\u0624\u0646\u0679 \u06a9\u06cc\u0632 \u06a9\u0648 \u063a\u06cc\u0631 \u0641\u0639\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0636\u0631\u0648\u0631\u062a \u06c1\u06d2\u060c \u062a\u0648 \u06cc\u06c1 \u0622\u06af\u06d2 \u06a9\u0627 \u0631\u0627\u0633\u062a\u06c1 \u06c1\u06d2\u06d4 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u0648\u0631 \u06a9\u0644\u0627\u0624\u0688 \u06a9\u0644\u0633\u0679\u0631 \u0622\u062e\u0631 \u0645\u06cc\u06ba \u0627\u06cc\u06a9 \u062f\u0648\u0633\u0631\u06d2 \u06a9\u06d2 \u0633\u0627\u062a\u06be \u0645\u062d\u0641\u0648\u0638 \u0637\u0631\u06cc\u0642\u06d2 \u0633\u06d2 \u0627\u0633\u06a9\u06cc\u0644 \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba \u062c\u06cc\u0633\u0627 \u06a9\u06c1 \u0627\u0631\u0627\u062f\u06c1 \u06c1\u06d2\u06d4<\/p>\n<p><em>\u0645\u06a9\u0645\u0644 \u0646\u0641\u0627\u0630 \u0627\u06cc\u06a9 Terraform \u0645\u0627\u0688\u06cc\u0648\u0644 \u06a9\u06d2 \u0637\u0648\u0631 \u067e\u0631 \u0641\u0631\u0627\u06c1\u0645 \u06a9\u06cc\u0627 \u06af\u06cc\u0627 
\u06c1\u06d2 \u062c\u0633 \u0645\u06cc\u06ba Kyverno \u067e\u0627\u0644\u06cc\u0633\u06cc\u0627\u06ba \u06c1\u06cc\u06ba\u06d4<\/em> <em>github.com\/shkatara\/hybrid-platform-gcp-workload-identity-federation<\/em><\/p>\n<p>\u0627\u06af\u0631 \u0622\u067e \u06a9\u0648 \u06cc\u06c1 \u06a9\u0627\u0631\u0622\u0645\u062f \u0644\u06af\u062a\u0627 \u06c1\u06d2\u060c \u062a\u0648 \u0622\u067e https:\/\/www.linkedin.com\/in\/shubhamkatara\/\u060c https:\/\/www.youtube.com\/@kubesimplify\u060c https:\/\/www.linkedin.com\/company\/kubesimplify\/ \u067e\u0631 \u0645\u06cc\u0631\u06cc \u067e\u06cc\u0631\u0648\u06cc \u06a9\u0631 \u0633\u06a9\u062a\u06d2 \u06c1\u06cc\u06ba\u06d4<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u0627\u0633 \u0645\u0636\u0645\u0648\u0646 \u0645\u06cc\u06ba\u060c \u0622\u067e \u0633\u06cc\u06a9\u06be\u062a\u06d2 \u06c1\u06cc\u06ba \u06a9\u06c1 \u06a9\u0633 \u0637\u0631\u062d \u0627\u06cc\u06a9 \u0645\u062d\u0641\u0648\u0638\u060c \u062a\u0648\u0633\u06cc\u0639 \u067e\u0630\u06cc\u0631 \u06c1\u0627\u0626\u0628\u0631\u0688 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u06a9\u0648 \u0688\u06cc\u0632\u0627\u0626\u0646 \u0627\u0648\u0631 \u0628\u0646\u0627\u0646\u0627 \u06c1\u06d2 \u062c\u0648 \u0622\u067e \u06a9\u06d2 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 Kubernetes \u0627\u0646\u0641\u0631\u0627\u0633\u0679\u0631\u06a9\u0686\u0631 \u06a9\u0648 \u06af\u0648\u06af\u0644 \u06a9\u0644\u0627\u0624\u0688 \u067e\u0644\u06cc\u0679 \u0641\u0627\u0631\u0645 \u0633\u06d2 \u062c\u0648\u0691\u062a\u0627 \u06c1\u06d2\u06d4 \u06cc\u06c1 \u0622\u0646 \u067e\u0631\u06cc\u0645\u06cc\u0633\u0633 \u0627\u06cc\u067e\u0633 \u06a9\u0648 \u06a9\u0644\u0627\u0624\u0688 \u0633\u0631\u0648\u0633\u0632 (\u062e\u0627\u0635 \u0637\u0648\u0631 \u067e\u0631 GPUs) \u06a9\u0648 \u06a9\u0645\u0632\u0648\u0631 \u0637\u0648\u06cc\u0644 \u0645\u062f\u062a\u06cc \u06a9\u0644\u06cc\u062f\u0648\u06ba\u060c 
\u062f\u0633\u062a\u06cc \u0627\u0633\u0646\u0627\u062f [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-24611","post","type-post","status-publish","format-standard","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/posts\/24611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/comments?post=24611"}],"version-history":[{"count":0,"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/posts\/24611\/revisions"}],"wp:attachment":[{"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/media?parent=24611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/categories?post=24611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/umang.pk\/en_us\/wp-json\/wp\/v2\/tags?post=24611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}