[英]GCS write access from inside a GKE pod
I am not able to get write access to a GCS bucket from within a GKE pod.我无法从 GKE pod 中获得对 GCS 存储桶的写访问权限。
I have a GKE pod running.我有一个 GKE pod 正在运行。 I have not changed any k8s configuration regarding service accounts.
我没有更改任何有关服务帐户的 k8s 配置。 I have docker exec'd into the pod and installed gcloud/gsutil.
我已将 docker exec 放入 pod 并安装了 gcloud/gsutil。
gcloud auth list
shows a 1234-compute@developer.gserviceaccount.com entry. gcloud auth list
显示 1234-compute@developer.gserviceaccount.com 条目。 From within GCS I have added that same account as storage admin, storage legacy bucket owner, storage object creator (ie, I just tried a bunch of stuff).在 GCS 中,我添加了与存储管理员、存储旧存储桶所有者、存储对象创建者相同的帐户(即,我刚刚尝试了很多东西)。 I am able to run
gsutil ls gs://bucket
.我能够运行
gsutil ls gs://bucket
。 However when running gsutil cp file gs://bucket
, it prints:但是,当运行
gsutil cp file gs://bucket
,它会打印:
AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation.
Acceptable scopes: https://www.googleapis.com/auth/cloud-platform
gsutil acl get gs://bucket
prints: gsutil acl get gs://bucket
打印:
AccessDeniedException: Access denied. Please ensure you have OWNER permission on gs://bucket
Other things I have tried are adding the allUsers and allAuthenticatedUsers as creators and owners of the bucket, with no change.我尝试过的其他事情是将 allUsers 和 allAuthenticatedUsers 添加为存储桶的创建者和所有者,没有任何更改。 I am able to write to the bucket from my dev machine just fine.
我可以很好地从我的开发机器写入存储桶。
When I run gsutil acl get gs://bucket
from another machine, it prints the same address as an OWNER as the output from gcloud auth list
from within the pod.当我从另一台机器运行
gsutil acl get gs://bucket
,它会打印与 OWNER 相同的地址作为 pod 内gcloud auth list
的输出。
What is the special sauce I need to allow the pod to write to the bucket?我需要什么特殊的酱汁才能让 pod 写入存储桶?
The GKE cluster was created with default permissions, which only has read scope to GCS. GKE 集群是使用默认权限创建的,它只有 GCS 的读取范围。 Solutions:
解决方案:
GOOGLE_APPLICATION_CREDENTIALS
as described in https://developers.google.com/identity/protocols/application-default-credentialsGOOGLE_APPLICATION_CREDENTIALS
You need to set permissions for cluster (or better for particular node in case of Terraform):您需要为集群设置权限(或者在 Terraform 的情况下为特定节点设置更好):
oauth_scopes = [
"https://www.googleapis.com/auth/devstorage.read_write", // 'ere we go!
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append",
"https://www.googleapis.com/auth/compute",
]
Had the same issue, I had to recreated a node pool with custom security config in order to get that access.遇到了同样的问题,我必须重新创建一个带有自定义安全配置的节点池才能获得该访问权限。 Also, in my pod I mounted the SA provided in a secret (default-token-XXXXX) Then, once gcloud is installed in the pod (via docker file) works like a charm.
此外,在我的 pod 中,我安装了一个秘密(default-token-XXXXX)中提供的 SA 然后,一旦在 pod 中安装了 gcloud(通过 docker 文件),它就像一个魅力。 The key is the node-pool config and mounting the SA.
关键是节点池配置和安装 SA。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.