Managing GKE and its deployments with Terraform
Problem description
I can use terraform to deploy a Kubernetes cluster in GKE.
Then I have set up the provider for Kubernetes as follows:
provider "kubernetes" {
  host                   = "${data.google_container_cluster.primary.endpoint}"
  client_certificate     = "${base64decode(data.google_container_cluster.primary.master_auth.0.client_certificate)}"
  client_key             = "${base64decode(data.google_container_cluster.primary.master_auth.0.client_key)}"
  cluster_ca_certificate = "${base64decode(data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate)}"
}
By default, terraform interacts with Kubernetes as the user client, which has no power to create (for example) deployments. So I get this error when I try to apply my changes with terraform:
Error: Error applying plan:
1 error(s) occurred:
* kubernetes_deployment.foo: 1 error(s) occurred:
* kubernetes_deployment.foo: Failed to create deployment: deployments.apps is forbidden: User "client" cannot create deployments.apps in the namespace "default"
I don't know how I should proceed now; how should I give these permissions to the client user?
If the following fields are added to the provider, I am able to perform deployments, although after reading the documentation it seems these credentials are used for HTTP communication with the cluster, which is insecure if it is done through the internet.
  username = "${data.google_container_cluster.primary.master_auth.0.username}"
  password = "${data.google_container_cluster.primary.master_auth.0.password}"
Is there any better way of doing so?
Recommended answer
- You can use the service account running terraform:
data "google_client_config" "default" {}

provider "kubernetes" {
  host                   = "${google_container_cluster.default.endpoint}"
  token                  = "${data.google_client_config.default.access_token}"
  cluster_ca_certificate = "${base64decode(google_container_cluster.default.master_auth.0.cluster_ca_certificate)}"
  load_config_file       = false
}
or
- Grant the default "client" user the permissions
- but you need to be validly authenticated against the GKE cluster provider to run this :/ circular dependency here
# Binds the cluster-admin ClusterRole to the "client" user, the kube-system
# default service account and the system:masters group.
resource "kubernetes_cluster_role_binding" "default" {
  metadata {
    name = "client-certificate-cluster-admin"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }
  subject {
    kind      = "User"
    name      = "client"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }
  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
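As an added example (not part of the question or the answer above), the two options combined: the token-authenticated provider from the first option is used to create the binding the second option needs, which breaks the circular dependency the answer mentions, and the binding grants the "client" user only the deployments.apps verbs in the default namespace that the error message names rather than cluster-admin. It is written in current Terraform syntax (no `load_config_file`, which later provider versions dropped) and assumes the cluster resource is `google_container_cluster.primary` and that the identity running terraform has enough GKE IAM rights to create RBAC objects.

```hcl
# Added example: token-authenticated provider plus a least-privilege binding.
# Assumes the cluster resource is named google_container_cluster.primary.
data "google_client_config" "default" {}

provider "kubernetes" {
  # Authenticate as the identity running terraform (its OAuth access token),
  # not with basic-auth username/password or the "client" certificate.
  host                   = "https://${google_container_cluster.primary.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(
    google_container_cluster.primary.master_auth[0].cluster_ca_certificate
  )
}

# Namespace-scoped Role: only what the failing deployment needed.
resource "kubernetes_role" "deployer" {
  metadata {
    name      = "deployer"
    namespace = "default"
  }
  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["create", "get", "list", "watch", "update", "patch", "delete"]
  }
}

# Bind the Role to the client-certificate user "client" in "default" only,
# instead of cluster-admin across the whole cluster.
resource "kubernetes_role_binding" "deployer" {
  metadata {
    name      = "deployer"
    namespace = "default"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.deployer.metadata[0].name
  }
  subject {
    kind      = "User"
    name      = "client"
    api_group = "rbac.authorization.k8s.io"
  }
}
```

Once applied, the client-certificate provider from the question can create `kubernetes_deployment.foo` in the default namespace, and nothing else.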