所有命名空间的 GKE Workload Identity 服务帐号
[英]GKE Workload Identity service account for all namespaces
问题描述
I'm following the guide to setup GCP's Workload Identity and have it working for a service account configured against the default Kubernetes namespace as below:
我正在按照指南设置 GCP 的工作负载标识,并使其适用于针对默认 Kubernetes 命名空间配置的服务帐户,如下所示:
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:[PROJECT_ID].svc.id.goog[default/[KSA_NAME]]" \
[GSA_NAME]@[PROJECT_ID].iam.gserviceaccount.com
I'm wondering if there is a way to create the binding for all k8s namespaces;我想知道是否有办法为所有 k8s 命名空间创建绑定; something like below, where I've replaced the default namespace with * :像下面这样,我用*替换了默认命名空间:
--member "serviceAccount:[PROJECT_ID].svc.id.goog[*/[KSA_NAME]]"
Is there any way to do this?有没有办法做到这一点?
1 个解决方案
解决方案1
0 2020-01-15 01:13:46
There is no way to set all namespaces to a Kubernetes Service Account(KSA).无法将所有命名空间设置为 Kubernetes 服务帐户 (KSA)。 Maybe you would have to get each namespace and doing the binding for each namespace, an automation script could help in the process to do it n times (1 time for each namespace).也许您必须获取每个命名空间并为每个命名空间进行绑定,自动化脚本可以帮助在此过程中执行 n 次(每个命名空间 1 次)。
You can get only namespaces column name using the following kubectl command:您只能使用以下 kubectl 命令获取命名空间列名:
kubectl get ns --all-namespaces --no-headers -o custom-columns=":metadata.name"
Getting something like this:得到这样的东西:
default
kube-public
kube-system
Which can be used to iterate them using a binding automation script.可用于使用绑定自动化脚本迭代它们。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.