具有基于terraform的服务帐户的gcr.io上的GKE权限问题 [英] GKE permission issue on gcr.io with service account based on terraform

问题描述

我遇到了从gcr.io获取容器的问题

I am running into problems getting my containers from gcr.io

$ kubectl get po
NAME                              READY   STATUS             RESTARTS   AGE
api-deployment-74d8cf8768-x8bsk   0/2     ImagePullBackOff   4          2m43s

我使用以下yml文件(deployment.yml)创建这些部署

I create these deployments with the following yml file (deployment.yml)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      component: api
  template:
    metadata:
      labels:
        component: api
    spec:
      containers:
      - name: api
        image: eu.gcr.io/api:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 5060

来自 GKE-ErrImagePull从Google容器注册表中提取猜测这主要是权限问题.

from GKE - ErrImagePull pulling from Google Container Registry I am guessing this is mostly a permission issue.

如果我这样做

kubectl describe pod api-deployment-74d8cf8768-x8bsk

我知道

rpc error: code = Unknown desc = Error response from daemon: pull access denied for eu.gcr.io/<project-dev>/api, repository does not exist or may require 'docker login': denied: Permission denied for "latest" from request "/v2/<project-dev>/api/manifests/latest"

但是，目前尚不清楚如何使用terraform设置适当的服务帐户.

However, it is not clear how to set the appropriate service-account using terraform.

我的设置如下.我在GCP(terraform-admin)中使用服务帐户创建了terraform管理项目

My set-up is as follows. I created a terraform administration project in GCP (terraform-admin) with a service account

tf-admin@terraform-admin.iam.gserviceaccount.com

包含远程地形状态等.服务帐户具有许多角色，例如:

that contains the remote terraform state etc. The service-account has numerous roles such as:

Compute Network Admin
Kubernetes Engine Cluster Admin
...

然后，我创建实际的开发项目project-dev(使用该服务帐户的凭据).在project-dev中，tf-admin@terraform-admin.iam.gserviceaccount.com也是一个IAM帐户作为

Then I create my actual development project project-dev (using the credentials of that service-account). In project-dev tf-admin@terraform-admin.iam.gserviceaccount.com is also an iam account as an

Owner
Compute Network Admin
Kubernetes Engine Cluster Admin

但是，它不是服务帐户.我看到的唯一服务帐户是

However, it is not a service account. The only service account I see is

<project-dev-ID>-compute@developer.gserviceaccount.com

这是一个"Compute Engine默认服务帐户"，可能没有适当的权限.在project-dev上，我还有一个包含我的私有容器的容器注册表.

which is a "Compute Engine default service account" that probably does not have the appropriate permissions. On project-dev I also have the container registry that contains my private containers.

如上所述，我使用Terraform创建了我的GKE集群.以下是我的(缩写)yml文件.

As said, I create my GKE cluster using Terraform. Below is my (abbreviated) yml file.

resource "google_container_cluster" "primary" {
  name     = "gke-cluster"
  location = "${var.region}-b"

  node_locations = [
    "${var.region}-c",
    "${var.region}-d",
  ]

  node_version       = var.node_version
  initial_node_count = 3
  network            = var.vpc_name
  subnetwork         = var.subnet_name

  addons_config {

    horizontal_pod_autoscaling {
      disabled = false
    }

  }

  master_auth {
    username = 'user'
    password = 'password'
  }

  node_config {

    # I HAVE TRIED ADDING THIS, BUT IT RESULT IN AN ERROR
    # Error: googleapi: Error 400: The user does not have access to service account 
    # service_account = "tf-admin@terraform-admin.iam.gserviceaccount.com"

    oauth_scopes = [
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]

    labels = {
      env = var.gke_label["${terraform.workspace}"]
    }

    disk_size_gb = 10
    machine_type = var.gke_node_machine_type
    tags         = ["gke-node"]
  }
}

现在，我应该尝试(如果可以，如何)将tf-admin服务帐户添加为project-dev中的服务帐户，还是应该向project-dev中添加特定的服务帐户(同样，如何?)kubernetes吗?

Now, should I try (and if so, how) to add my tf-admin service account as a service account in project-dev or should I add a specific service account (again, how?) to the project-dev for kubernetes?

推荐答案

您可以使用具有所有必需条件的默认计算服务帐户< projectID> -compute@developer.gserviceaccount.com 访问GCR的权限.只需确保为群集使用默认范围，或确保已启用gcr范围以及存储读取权限即可.

You can use the default compute service account <projectID>-compute@developer.gserviceaccount.com which does have all the required permissions to access GCR. Just make sure you use the default scopes for the cluster or make sure the gcr scopes are enabled along with storage read permissions.

或者，您可以使用Terraform创建具有足够权限(例如存储查看器角色)的服务帐户，然后将该服务帐户分配给节点池.在这种情况下，您需要将oauth_scopes设置为cloud_platform，以确保作用域不会干扰IAM权限.

Alternatively, you can use Terraform to create a service account with sufficient permissions (such as the storage viewer role) and then assign that service account to the node pool. In this case, you'll want to set the oauth_scopes to cloud_platform to ensure the scopes don't interfere with the IAM permissions.

您可以查看默认的GKE范围

You can view the default GKE scopes here

这篇关于具有基于terraform的服务帐户的gcr.io上的GKE权限问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！