Override default service account used by Spring Boot app deployed in Kubernetes
Problem statement:
I have deployed a Spring Boot app which, on starting, always uses the default Compute Engine service account credentials to authenticate the app. I have created a separate service account and key, but I am not able to replace the default one. I tried specifying the new service account in deployment.yaml by using the "serviceAccountName" field, but still got an error saying the service account (e.g. "xyz") was not found.
    serviceAccountName: {{ .Values.serviceAccountName }}
So how can I override the default Compute Engine service account with a specific service account and define it in deployment.yaml?
If I add the credentials of the new service account to the app code base it will work, but that is not a best practice, so could someone please help me resolve this issue?
Snippet of my deployment.yaml file:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: helloworld
    appVersion: {{ .Values.appVersion }}
  name: helloworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
        environment: {{ .Values.environment }}
    spec:
      containers:
      - name: helloworld
        image: {{ .Values.imageSha }}
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        ports:
        - containerPort: 8080
        env:
        - name: SPRING_CONFIG_LOCATION
          value: "/app/deployments/config/"
        volumeMounts:
        - name: application-config
          mountPath: "/app/deployments/config"
          readOnly: true
      volumes:
      - name: application-config
        configMap:
          name: {{ .Values.configMapName }}
          items:
          - key: application.properties
            path: application.properties
I think you should use Workload Identity, which allows access to Google Cloud from outside.
Workload Identity is the recommended way to access Google Cloud services from applications running within GKE due to its improved security properties and manageability. For information about alternative ways to access Google Cloud APIs from GKE, refer to the alternatives section below.
The above guide is well described and I think it should resolve your issue.
For an additional example, you can check one of the Community Tutorials - Using Kubernetes Workload Identity for client-server authorization.
In GKE, the Workload Identity feature allows these identities to also be associated with IAM service accounts. This allows a pod running as a Kubernetes service account to act as the associated service account for authorized access to Google APIs and to services that verify identity based on Google Cloud-specific OIDC.
Both docs have examples which should help you adjust Workload Identity to your needs.
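As an added illustration (not from the answer above or the linked docs) of what the Workload Identity setup looks like in manifests: a Kubernetes ServiceAccount created in the pod's namespace and annotated with the IAM service account it should act as, and the Deployment referencing it by `serviceAccountName`. The project, namespace, image and account names are placeholders.

```yaml
# Added example, not the original poster's manifest. The Kubernetes
# ServiceAccount (KSA) must exist in the same namespace as the pod;
# "serviceAccountName" refers to a KSA, never to a Google IAM account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helloworld-ksa          # placeholder KSA name
  namespace: default            # placeholder namespace
  annotations:
    # Maps this KSA to the IAM service account (GSA) the app should act as.
    # Placeholder GSA and project id.
    iam.gke.io/gcp-service-account: helloworld-gsa@my-project.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      # Must match the KSA above. Without this the pod runs as the
      # namespace's "default" KSA and, without Workload Identity, picks up
      # the node's Compute Engine service account from the metadata server.
      serviceAccountName: helloworld-ksa
      nodeSelector:
        # Only schedule onto node pools with the GKE metadata server enabled,
        # which is what serves Workload Identity credentials to the pod.
        iam.gke.io/gke-metadata-server-enabled: "true"
      containers:
      - name: helloworld
        image: IMAGE_PLACEHOLDER     # placeholder image reference
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
        ports:
        - containerPort: 8080
```

The "service account not found" error means no Kubernetes ServiceAccount of that name exists in the namespace; `kubectl get serviceaccount -n <namespace>` shows what is there. On the IAM side, the GSA also needs a `roles/iam.workloadIdentityUser` binding for the member `serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]`, which limits impersonation to that one namespace and KSA.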