通过带有令牌的服务帐户登录到GKE [英] Login to GKE via service account with token
问题描述
我正在尝试使用服务帐户访问Google云上的Kubernetes集群,但是无法使它正常工作.我有一个带有某些Pod和Ingress的运行系统.我希望能够更新部署的映像.
I am trying to access my Kubernetes cluster on google cloud with the service account, but I am not able to make this works. I have a running system with some pods and ingress. I want to be able to update images of deployments.
我想(远程)使用这样的东西:
I would like to use something like this (remotely):
kubectl config set-cluster cluster --server="<IP>" --insecure-skip-tls-verify=true
kubectl config set-credentials foo --token="<TOKEN>"
kubectl config set-context my-context --cluster=cluster --user=foo --namespace=default
kubectl config use-context cluster
kubectl set image deployment/my-deployment boo=eu.gcr.io/project-123456/image:v1
因此,我创建了服务帐户,然后获取了秘密令牌:
So I created the service account and then get the secret token:
kubectl create serviceaccount foo
kubectl get secret foo-token-gqvgn -o yaml
但是,当我尝试在任何部署中更新映像时,都会收到:
But, when I try to update the image in any deployment, I receive:
错误:您必须登录到服务器(未经授权)
error: You must be logged in to the server (Unauthorized)
API的
IP地址我使用该地址,该地址在GKE管理中显示为群集端点IP. 有什么建议?谢谢.
IP address for API I use the address, which is shown in GKE administration as cluster endpoint IP. Any suggestions? Thanks.
推荐答案
我试图重新创建您的问题.
I have tried to recreate your problem.
我遵循的步骤
-
kubectl create serviceaccount foo
-
kubectl get secret foo-token-* -o yaml
kubectl create serviceaccount foo
kubectl get secret foo-token-* -o yaml
然后,我试图做你所做的事情
Then, I have tried to do what you have done
我用作令牌的是base64
解码令牌.
然后我尝试了这个:
$ kubectl get pods
来自服务器的错误(禁止):禁止使用pods:用户"system:serviceaccount:default:foo"无法在名称空间默认"中列出Pod:未知用户系统:serviceaccount:默认:foo"
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:foo" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:default:foo"
这给了我预期的错误.因为,我需要授予对该ServiceAccount的权限.
This gave me error as expected. Because, I need to grant permission to this ServiceAccount.
如何授予此ServiceAccount权限?我需要创建ClusterRole&具有必要权限的ClusterRoleBinding.
How can I grant permission to this ServiceAccount? I need to create ClusterRole & ClusterRoleBinding with necessary permission.
了解更多信息以了解更多信息角色-基于访问控制
Read more to learn more role-based-access-control
$ kubectl config set-credentials foo --username="admin" --password="$PASSWORD"
这将授予您管理员权限.
This will grant you admin authorization.
您需要提供群集凭据.
Username: admin
Password: -----
您将在GKE中获得此信息-> Kubernetes引擎-> {cluster}->显示凭证
You will get this info in GKE -> Kubernetes Engine -> {cluster} -> Show credential
这篇关于通过带有令牌的服务帐户登录到GKE的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!