授予Kubernetes集群中的pod权限以访问Google存储(RBAC / IAM)
[英]Give pod in Kubernetes cluster rights to access Google storage (RBAC/IAM)
问题描述
I was doing some research, but could not really find an answer in the K8s documentation. 
我正在做一些研究,但是在K8s文档中找不到真正的答案。 Is it possible to orchestrate that certain pods in a Kubernetes cluster have access to other certain resources outside of the cluster without giving the permissions to the whole cluster? 是否可以安排Kubernetes集群中的某些Pod可以访问集群外的其他某些资源而无需授予整个集群的权限?
For example: A pod accesses data from Google storage. 例如:Pod从Google存储访问数据。 To not hard code some credentials I want it to be able to access it via RBAC/IAM, but on the other hand I do not want another pod in the cluster to be able to access the same storage. 为了不对某些凭据进行硬编码,我希望它能够通过RBAC / IAM访问它,但是另一方面,我不希望集群中的另一个Pod能够访问相同的存储。
This is necessary as users interact with those pods and the data in the storages have privacy restrictions. 由于用户与这些容器进行交互,并且存储中的数据具有隐私限制,因此这是必需的。
The only way I see so far is to create a service account for that resource and pass the credentials of the service account to the pod. 到目前为止,我看到的唯一方法是为该资源创建一个服务帐户,并将该服务帐户的凭据传递到Pod。 So far I am not really satisfied with this solution, as passing around credentials seems to be insecure to me. 到目前为止,我对这种解决方案并不十分满意,因为传递证书对我来说似乎是不安全的。
1 个解决方案
解决方案1
0 2019-01-15 10:41:57
Unfortunately, there is only one way to do this, and you wrote it looks insecure for you. 不幸的是,只有一种方法可以做到这一点,而您写的对您来说似乎并不安全。 I found an example in documentation and they use the way where you store credential of service account in secret and then use it in pod from secret. 我在文档中找到了一个示例,他们使用了以下方式:将服务帐户的凭据秘密存储,然后从秘密中的pod中使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.