Managing GKE and its deployments with Terraform


Question

I can use terraform to deploy a Kubernetes cluster in GKE.

Then I have set up the provider for Kubernetes as follows:

provider "kubernetes" {
  host                    = "${data.google_container_cluster.primary.endpoint}"

  client_certificate      = "${base64decode(data.google_container_cluster.primary.master_auth.0.client_certificate)}"
  client_key              = "${base64decode(data.google_container_cluster.primary.master_auth.0.client_key)}"
  cluster_ca_certificate  = "${base64decode(data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate)}"
}

By default, terraform interacts with Kubernetes as the user "client", which has no permission to create (for example) deployments. So I get this error when I try to apply my changes with terraform:

Error: Error applying plan:

1 error(s) occurred:

 * kubernetes_deployment.foo: 1 error(s) occurred:

 * kubernetes_deployment.foo: Failed to create deployment: deployments.apps is forbidden: User "client" cannot create deployments.apps in the namespace "default"

I don't know how I should proceed now; how should I give these permissions to the client user?

If the following fields are added to the provider, I am able to perform deployments, although after reading the documentation it seems these credentials are used for HTTP communication with the cluster, which is insecure if it is done over the internet.

username              = "${data.google_container_cluster.primary.master_auth.0.username}"
password              = "${data.google_container_cluster.primary.master_auth.0.password}"

Is there any better way of doing so?

Answer

  • You can use the service account that is running terraform:

    data "google_client_config" "default" {}

    provider "kubernetes" {
      host     = "${google_container_cluster.default.endpoint}"

      token = "${data.google_client_config.default.access_token}"
      cluster_ca_certificate = "${base64decode(google_container_cluster.default.master_auth.0.cluster_ca_certificate)}"

      load_config_file = false
    }

  • Grant the default "client" permissions. But you would need to be validly authenticated on the GKE cluster provider to run this :/ Circular dependency here:

    resource "kubernetes_cluster_role_binding" "default" {
      metadata {
        name = "client-certificate-cluster-admin"
      }
      role_ref {
        api_group = "rbac.authorization.k8s.io"
        kind = "ClusterRole"
        name = "cluster-admin"
      }
      subject {
        kind = "User"
        name = "client"
        api_group = "rbac.authorization.k8s.io"
      }
      subject {
        kind = "ServiceAccount"
        name = "default"
        namespace = "kube-system"
      }
      subject {
        kind = "Group"
        name = "system:masters"
        api_group = "rbac.authorization.k8s.io"
      }
    }
    
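As an added example (not code from the question or the answer above), here is the cluster resource with basic auth and client-certificate issuance switched off, next to the token-based provider, so that neither the "client" certificate user nor the username/password pair from the question exists at all; the resource name `primary`, `var.project`, the region, and the provider versions (Terraform 0.12+, a google provider release that still exposes `master_auth.username`/`password`, kubernetes provider 1.x with `load_config_file`) are assumptions.

```hcl
# Added example, not from the original question or answer. Assumes Terraform 0.12+,
# google provider 2.x/3.x (master_auth.username/password still present) and kubernetes
# provider 1.x (load_config_file). "primary", var.project and the location are made up.

data "google_client_config" "default" {}

resource "google_container_cluster" "primary" {
  name     = "primary"
  location = "us-central1"
  project  = var.project

  remove_default_node_pool = true
  initial_node_count       = 1

  master_auth {
    # Empty username/password disables basic auth on the API server, so the
    # master_auth.0.username / password values the question put into the provider
    # no longer exist and cannot leak into state or logs.
    username = ""
    password = ""

    client_certificate_config {
      # No client certificate is issued, so the "client" user that RBAC rejected is
      # never created and nothing has to be bound to cluster-admin for it.
      issue_client_certificate = false
    }
  }
}

# WEAK (the form from the question): static basic-auth credentials read from master_auth.
# provider "kubernetes" {
#   username = google_container_cluster.primary.master_auth.0.username
#   password = google_container_cluster.primary.master_auth.0.password
# }

# HARDENED: the short-lived OAuth access token of whatever identity runs terraform.
# Authorization is then governed by that identity's IAM roles on the project
# (e.g. roles/container.developer), not by a long-lived secret in the cluster.
provider "kubernetes" {
  load_config_file       = false
  host                   = "https://${google_container_cluster.primary.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(google_container_cluster.primary.master_auth.0.cluster_ca_certificate)
}
```

Because the token belongs to the caller rather than to a cluster-local user, no `kubernetes_cluster_role_binding` is needed to bootstrap the first deployment, which removes the circular dependency the answer points out.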
