Cannot connect to Cloud SQL Proxy through GKE with Workload Identity

I am following the Google Cloud Platform's guide for connecting to a Cloud SQL instance through a GKE cluster using Cloud SQL Proxy and a Public IP address ( https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine ). However, after trying to deploy my application I get the following error in my container logs.

{ Error: connect ECONNREFUSED 127.0.0.1:5432
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1107:14)
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '127.0.0.1',
  port: 5432 }

Followed by the error message

2021/02/01 05:35:31 the default Compute Engine service account is not configured with sufficient permissions to access the Cloud SQL API from this VM. Please create a new VM with Cloud SQL access (scope) enabled under "Identity and API access". Alternatively, create a new "service account key" and specify it using the -credential_file parameter

In addition (and I assume related), when I check my Compute Engine node in the cluster I see that the Cloud SQL API access scope is disabled. Is there a way to enable this?

I am aware that there are multiple ways to connect to a Cloud SQL instance through a GKE cluster. However, I would like to use Workload Identity over a credentials file.

I've faced a similar exception while following the guide "Connect to Cloud SQL for MySQL from Google Kubernetes Engine".

Finally, it turned out that Workload Identity was not fully enabled on my Kubernetes cluster. So, when using the Workload Identity approach, you should ensure:

  1. Workload Identity is enabled in your cluster settings. This was turned on in my case.

  2. Your node pool is also updated to use Workload Identity. If not, execute the following:

gcloud container node-pools update NODEPOOL_NAME \
    --cluster=CLUSTER_NAME \
    --zone=YOUR_CLUSTER_ZONE or --region=YOUR_CLUSTER_REGION \
    --workload-metadata=GKE_METADATA

After these steps my gke-sql deployment became green.
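The two conditions this answer lists can be checked from the JSON that `gcloud container clusters describe` and `gcloud container node-pools describe` return with `--format=json`. The script below is an added example, not part of the original answer; the field names follow the GKE v1 API, while the sample documents and names (`demo-cluster`, `my-project`, `default-pool`) are constructed.

```python
import json

# Constructed stand-ins for the JSON printed by
#   gcloud container clusters describe CLUSTER --format=json
#   gcloud container node-pools describe POOL --cluster=CLUSTER --format=json
# Field names follow the GKE v1 API; values are made up for the example.
CLUSTER_OK = json.dumps({
    "name": "demo-cluster",
    "workloadIdentityConfig": {"workloadPool": "my-project.svc.id.goog"},
})
CLUSTER_NO_WI = json.dumps({"name": "demo-cluster"})
POOL_GKE_METADATA = json.dumps({
    "name": "default-pool",
    "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA"}},
})
# A pool created before Workload Identity was enabled keeps exposing the
# node's Compute Engine service account through the metadata server.
POOL_LEGACY = json.dumps({
    "name": "default-pool",
    "config": {"serviceAccount": "default"},
})


def audit_workload_identity(cluster_json: str, pool_json: str) -> list:
    """Return findings for the two checks in the answer; empty means both pass."""
    cluster = json.loads(cluster_json)
    pool = json.loads(pool_json)
    findings = []

    # Check 1: Workload Identity enabled at the cluster level.
    workload_pool = cluster.get("workloadIdentityConfig", {}).get("workloadPool")
    if not workload_pool:
        findings.append(f"cluster {cluster['name']}: workloadIdentityConfig.workloadPool "
                        "is unset; enable Workload Identity on the cluster")

    # Check 2: the node pool serves GKE metadata, so pods get the Kubernetes
    # service account identity instead of the node's Compute Engine account.
    mode = pool.get("config", {}).get("workloadMetadataConfig", {}).get("mode")
    if mode != "GKE_METADATA":
        findings.append(f"node pool {pool['name']}: workloadMetadataConfig.mode is "
                        f"{mode!r}, not GKE_METADATA; run "
                        "'gcloud container node-pools update ... --workload-metadata=GKE_METADATA'")
    return findings


if __name__ == "__main__":
    for finding in audit_workload_identity(CLUSTER_OK, POOL_LEGACY):
        print("FINDING:", finding)
```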

If you don't use the default service account on your Compute Engine VM, you don't need to play with the scope of the VM. Scopes are enforced only with the Compute Engine default service account; with a custom service account, they aren't.

If you use Workload Identity on your cluster, it's the same thing (because it's not the Compute Engine default service account that is used but a custom one). And yes, prefer this to a service account key file.
