通过带有令牌的服务帐户登录到GKE [英] Login to GKE via service account with token

问题描述

我正在尝试使用服务帐户访问Google云上的Kubernetes集群，但是无法使它正常工作.我有一个带有某些Pod和Ingress的运行系统.我希望能够更新部署的映像.

I am trying to access my Kubernetes cluster on google cloud with the service account, but I am not able to make this works. I have a running system with some pods and ingress. I want to be able to update images of deployments.

我想(远程)使用这样的东西:

I would like to use something like this (remotely):

kubectl config set-cluster cluster --server="<IP>" --insecure-skip-tls-verify=true
kubectl config set-credentials foo --token="<TOKEN>"
kubectl config set-context my-context --cluster=cluster --user=foo --namespace=default
kubectl config use-context cluster
kubectl set image deployment/my-deployment boo=eu.gcr.io/project-123456/image:v1

因此，我创建了服务帐户，然后获取了秘密令牌:

So I created the service account and then get the secret token:

kubectl create serviceaccount foo
kubectl get secret foo-token-gqvgn -o yaml

但是，当我尝试在任何部署中更新映像时，都会收到:

But, when I try to update the image in any deployment, I receive:

错误:您必须登录到服务器(未经授权)

error: You must be logged in to the server (Unauthorized)

API的

IP地址我使用该地址，该地址在GKE管理中显示为群集端点IP. 有什么建议?谢谢.

IP address for API I use the address, which is shown in GKE administration as cluster endpoint IP. Any suggestions? Thanks.

推荐答案

我试图重新创建您的问题.

I have tried to recreate your problem.

我遵循的步骤

• kubectl create serviceaccount foo
• kubectl get secret foo-token-* -o yaml

• kubectl create serviceaccount foo
• kubectl get secret foo-token-* -o yaml

然后，我试图做你所做的事情

Then, I have tried to do what you have done

我用作令牌的是base64解码令牌.

然后我尝试了这个:

$ kubectl get pods

来自服务器的错误(禁止):禁止使用pods:用户"system:serviceaccount:default:foo"无法在名称空间默认"中列出Pod:未知用户系统:serviceaccount:默认:foo"

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:foo" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:default:foo"

这给了我预期的错误.因为，我需要授予对该ServiceAccount的权限.

This gave me error as expected. Because, I need to grant permission to this ServiceAccount.

如何授予此ServiceAccount权限?我需要创建ClusterRole&具有必要权限的ClusterRoleBinding.

How can I grant permission to this ServiceAccount? I need to create ClusterRole & ClusterRoleBinding with necessary permission.

了解更多信息以了解更多信息角色-基于访问控制

Read more to learn more role-based-access-control

$ kubectl config set-credentials foo --username="admin" --password="$PASSWORD"

这将授予您管理员权限.

This will grant you admin authorization.

您需要提供群集凭据.

Username: admin
Password: -----

您将在GKE中获得此信息-> Kubernetes引擎-> {cluster}->显示凭证

You will get this info in GKE -> Kubernetes Engine -> {cluster} -> Show credential

这篇关于通过带有令牌的服务帐户登录到GKE的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！