[英]Google Cloud, Kubernetes and Cloud SQL proxy: default Compute Engine service account issue
I have Google Cloud projects A, B, C, D. They all use similar setup for Kubernetes cluster and deployment. 我有Google Cloud项目A,B,C,D。它们都为Kubernetes集群和部署使用类似的设置。 Projects A,B and C have been build months ago.
项目A,B和C已于几个月前建成。 They all use Google Cloud SQL proxy to connect to Google Cloud SQL service.
他们都使用Google Cloud SQL代理连接到Google Cloud SQL服务。 Now when recently I started setting up the Kubernetes for project D, I get following error visible in the Stackdriver logging:
现在,当我最近开始为项目D设置Kubernetes时,在Stackdriver日志中看到以下错误:
the default Compute Engine service account is not configured with sufficient permissions to access the Cloud SQL API from this VM. Please create a new VM with Cloud SQL access (scope) enabled under "Identity and API access". Alternatively, create a new "service account key" and specify it using the -credential_file parameter
I have compared the difference between the Kubernetes cluster between A,B,C and D but they appear to be same. 我比较了A,B,C和D之间的Kubernetes集群之间的差异,但它们似乎是相同的。
Here is the deployment I am using 这是我正在使用的部署
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: my-site
labels:
system: projectA
spec:
selector:
matchLabels:
system: projectA
template:
metadata:
labels:
system: projectA
spec:
containers:
- name: web
image: gcr.io/customerA/projectA:alpha1
ports:
- containerPort: 80
env:
- name: DB_HOST
value: 127.0.0.1:3306
# These secrets are required to start the pod.
# [START cloudsql_secrets]
- name: DB_USER
valueFrom:
secretKeyRef:
name: cloudsql-db-credentials
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: cloudsql-db-credentials
key: password
# [END cloudsql_secrets]
# Change <INSTANCE_CONNECTION_NAME> here to include your GCP
# project, the region of your Cloud SQL instance and the name
# of your Cloud SQL instance. The format is
# $PROJECT:$REGION:$INSTANCE
# [START proxy_container]
- name: cloudsql-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.11
command:
- sh
- -c
- /cloud_sql_proxy -instances=my-gcloud-project:europe-west1:databaseName=tcp:3306
- -credential_file=/secrets/cloudsql/credentials.json
# [START cloudsql_security_context]
securityContext:
runAsUser: 2 # non-root user
allowPrivilegeEscalation: false
# [END cloudsql_security_context]
volumeMounts:
- name: cloudsql-instance-credentials
mountPath: /secrets/cloudsql
readOnly: true
# [END proxy_container]
# [START volumes]
volumes:
- name: cloudsql-instance-credentials
secret:
secretName: cloudsql-instance-credentials
# [END volumes]
So it would appear that the default service account doesn't have enough permissions? 因此,似乎默认服务帐户没有足够的权限? Google Cloud doesn't allow enabling the Cloud SQL API when creating the cluster via Google Cloud console.
通过Google Cloud控制台创建集群时,Google Cloud不允许启用Cloud SQL API。
From what I have googled this issue some say that the problem was with the gcr.io/cloudsql-docker/gce-proxy image but I have tried newer versions but the same error still occurs. 从我用这个问题搜索过的人中,有人说问题出在gcr.io/cloudsql-docker/gce-proxy映像上,但是我尝试了较新的版本,但仍然会发生相同的错误。
I found solution to this problem and it was setting the service-account
argument when creating the cluster. 我找到了解决此问题的方法,并且在创建集群时正在设置
service-account
参数。 Note that I haven't tested what are the minimum required permissions for the new service account. 请注意,我尚未测试新服务帐户所需的最低权限。
Here are the steps: 步骤如下:
gcloud
to create the cluster like this using the new service account gcloud
通过新服务帐户创建集群 gcloud container clusters create my-cluster \
--zone=europe-west1-c \
--labels=system=projectA \
--num-nodes=3 \
--enable-master-authorized-networks \
--enable-network-policy \
--enable-ip-alias \
--service-account=super-service@project-D.iam.gserviceaccount.com \
--master-authorized-networks <list-of-my-ips>
Then the cluster and the deployment at least was deployed without errors. 然后,至少在没有错误的情况下部署了集群和部署。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.