What are the minimal permissions I need to configure for a GKE node pool to pull from a private GCR repo in the same project?


Question


I am trying to configure my GKE cluster to pull from a private GCR repo in the same project. I am not using OAuth scopes but have associated a least privilege service account with the default node pool and provided it with the roles/storage.objectViewer permission.


However, I am still receiving the following when trying to access this image: Failed to pull image "eu.gcr.io/<project>/<image>": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication


Do I also need to configure imagePullSecrets or should the roles/storage.objectViewer permission be sufficient?

Accepted answer


The root cause of this issue was not setting access (OAuth) scopes on the cluster instances preventing the service account from working as intended.


From the GCP docs about Compute service accounts :

You must set access scopes on the instance to authorize access.

You cannot set only IAM roles on the service account and omit access scopes when creating the virtual machine instance. The level of access a service account has is determined by a combination of access scopes and IAM roles so you must configure both access scopes and IAM roles for the service account to work properly.


The minimal scopes required when accessing private images in GCR can be found here with the meaning of these scopes found here. A least privilege service account for the cluster nodes can then be created following the instructions here.


As described here an alternative would be to only grant the https://www.googleapis.com/auth/cloud-platform scope to the cluster nodes which authorises access to all Cloud Platform services and then limit access through IAM roles on node service accounts.


By configuring the cluster nodes as above, imagePullSecrets are not required for pulling private images from GCR in the same project.
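The answer's point is that node access is the intersection of two things, the OAuth scopes on the node pool and the IAM roles on the node service account, and that the question's setup satisfied only the second. The script below is an added example (not code from the original post or from Google) that evaluates both halves from the JSON that `gcloud container node-pools describe --format=json` (fields `config.serviceAccount`, `config.oauthScopes`) and `gcloud projects get-iam-policy --format=json` (`bindings[].role`, `bindings[].members`) return. The sample documents, the service account name and the project name are constructed; the list of broader roles beyond `roles/storage.objectViewer` that also carry `storage.objects.get` is an assumption about common setups, not something the answer states.

```python
"""Predict whether a GKE node pool can pull from a private GCR repo in its own
project by combining the pool's OAuth scopes with the node service account's
IAM roles. Both must pass; a role without a scope reproduces the
"unauthorized" pull error from the question. Added example, not part of the
original post; sample data below is constructed."""
import json

# OAuth scopes whose access token can read GCS objects, which is what a GCR
# pull needs. cloud-platform is the broad alternative named in the answer.
SCOPES_THAT_ALLOW_GCR_PULL = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}

# Project-level roles that include storage.objects.get. roles/storage.objectViewer
# is the least-privilege choice from the answer; the rest are broader roles
# listed here as an assumption about setups commonly seen in practice.
ROLES_THAT_ALLOW_GCR_PULL = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/viewer",
    "roles/editor",
    "roles/owner",
}


def roles_for_member(iam_policy: dict, member: str) -> set:
    """Roles bound directly to `member` (e.g. 'serviceAccount:x@p.iam.gserviceaccount.com')
    in a `gcloud projects get-iam-policy --format=json` document."""
    return {
        binding["role"]
        for binding in iam_policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def can_pull_from_gcr(node_pool: dict, iam_policy: dict, default_sa_email: str = "") -> dict:
    """Evaluate the scope requirement and the IAM requirement separately.

    `config.serviceAccount` is the literal string "default" when the pool uses the
    Compute Engine default service account; pass its e-mail as `default_sa_email`
    so the IAM lookup can resolve it, otherwise the role check fails closed.
    """
    config = node_pool.get("config", {})
    scopes = set(config.get("oauthScopes", []))
    sa_email = config.get("serviceAccount", "default")
    if sa_email == "default":
        sa_email = default_sa_email
    roles = roles_for_member(iam_policy, f"serviceAccount:{sa_email}") if sa_email else set()

    scope_ok = bool(scopes & SCOPES_THAT_ALLOW_GCR_PULL)
    role_ok = bool(roles & ROLES_THAT_ALLOW_GCR_PULL)
    problems = []
    if not scope_ok:
        problems.append("node pool has no devstorage.* or cloud-platform OAuth scope")
    if not role_ok:
        problems.append(f"{sa_email or 'default SA (unresolved)'} has no role granting storage.objects.get")
    return {"service_account": sa_email, "scope_ok": scope_ok, "role_ok": role_ok,
            "can_pull": scope_ok and role_ok, "problems": problems}


# --- Constructed sample documents (not real project data) ---------------------
NODE_SA = "gke-nodes@example-project.iam.gserviceaccount.com"

IAM_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"]}
]}
""")

# The situation from the question: IAM role present, no OAuth scopes on the pool.
POOL_ROLE_ONLY = {"name": "default-pool",
                  "config": {"serviceAccount": NODE_SA, "oauthScopes": []}}

# The fix from the answer: same least-privilege SA plus the minimal storage-ro scope.
POOL_FIXED = {"name": "default-pool",
              "config": {"serviceAccount": NODE_SA,
                         "oauthScopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                         "https://www.googleapis.com/auth/logging.write"]}}

# The alternative from the answer: broad scope, access limited purely by IAM roles.
POOL_CLOUD_PLATFORM = {"name": "default-pool",
                       "config": {"serviceAccount": NODE_SA,
                                  "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"]}}

if __name__ == "__main__":
    for label, pool in [("role only", POOL_ROLE_ONLY), ("fixed", POOL_FIXED),
                        ("cloud-platform", POOL_CLOUD_PLATFORM)]:
        print(label, can_pull_from_gcr(pool, IAM_POLICY))
```

Run against real output by replacing the constructed documents with `json.load()` of the two `gcloud` commands named above; a result with `scope_ok` false and `role_ok` true is exactly the misconfiguration in the question, and the `problems` list tells you which half to fix. The check only inspects direct project-level bindings, so roles inherited from a folder or organization, or granted on the registry bucket itself, will not be seen.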

