堆栈内存溢出
  简体   繁体   English

在 Kubernetes 服务帐户中使用 Google 服务帐户密钥文件作为 GKE 工作负载身份的测试环境替代品

[英]Using a Google service account keyfile in a Kubernetes serviceaccount as a testing environment replacement for GKE workload identity

 原文  2021-04-29 01:54:15       kubernetes/ google-kubernetes-engine

问题描述

I have a GKE app that uses kubernetes serviceaccounts linked to google service accounts for api authorizations in-app.我有一个 GKE 应用程序,它使用 kubernetes 服务帐户链接到 Google 服务帐户,以在应用程序内进行 api 授权。

Up until now, to test these locally, I had two versions of my images- one with and one without a test-keyfile.json copied into them for authorization.到目前为止,为了在本地测试这些,我有两个版本的图像 - 一个有一个没有 test-keyfile.json 复制到其中进行授权。 (The production images used the serviceaccount for authorization, the test environment would ignore the serviceaccounts and instead look for a keyfile which gets copied in during the image build.) (生产镜像使用 serviceaccount 进行授权,测试环境将忽略 serviceaccounts,而是寻找在镜像构建期间复制的密钥文件。)

I was wondering if there was a way to merge the images into one, and have both prod/test use the Kubernetes serviceaccount for authorization.我想知道是否有办法将图像合并为一个,并让产品/测试都使用 Kubernetes 服务帐户进行授权。 On production, use GKE's workload identity, and in testing, use a keyfile(s) linked with or injected into a Kubernetes serviceaccount.在生产中,使用 GKE 的工作负载身份,在测试中,使用与 Kubernetes 服务帐户链接或注入的密钥文件。

Is such a thing possible?这样的事情可能吗? Is there a better method for emulating GKE workload identity on a local test environment?有没有更好的方法在本地测试环境中模拟 GKE 工作负载身份?

1 个解决方案

解决方案1
 1 已采纳  2021-05-27 10:41:03

I do not know a way of emulating workload identity on a non-Google Kubernetes cluster, but you could change your app to read the auth credentials from a volume/file or the metadata server, depending on the environment setting.我不知道在非 Google Kubernetes 集群上模拟工作负载身份的方法,但您可以更改您的应用程序以从卷/文件或元数据服务器读取身份验证凭据,具体取决于环境设置。 See this article (and particularly the code linked there ) for an example of how to authenticate using local credentials or Google SA depending on environmental variables.The article also shows how to use Pod overlays to keep the prod vs dev changes separate from the bulk of the configuration.有关如何根据环境变量使用本地凭据或 Google SA 进行身份验证的示例,请参阅这篇文章(尤其是那里链接的代码)。文章还展示了如何使用 Pod 覆盖将 prod vs dev 更改与大部分配置。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 所有命名空间的 GKE Workload Identity 服务帐号 - GKE Workload Identity service account for all namespaces 在 Kube.netes 服务上使用应用程序的工作负载身份:kube.netes - Workload identity with application on Kubernetes service:kubernetes 使用 Workload Identity 从 GKE 向 Google Cloud Firestore 进行身份验证 - Authenticating to Google Cloud Firestore from GKE with Workload Identity 跨 GCP 项目在 GKE 集群中将 Google 服务帐户与 Kubernetes 集群服务帐户绑定 - Binding Google Service Account with Kubernetes Cluster Service Account in GKE cluster across GCP projects 使用工作负载身份为 GKE 节点池绑定 GCP IAM - GCP IAM Binding for GKE Node Pool using Workload Identity 如何将GCP服务帐户添加到Kubernetes工作负载/项目 - How To Add GCP Service Account To Kubernetes Workload/Project 使用服务帐户访问GKE中的Kubernetes API - Accessing Kubernetes API in GKE using service accounts 从以下位置读取服务帐户令牌时出错:[/var/run/secrets/kubernetes.io/serviceaccount/token]。 无视 - Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring 在Kubectl中使用GKE服务帐户凭据 - Using GKE service account credentials with kubectl Openshift / kubernetes:将serviceaccount机密映射到环境变量 - Openshift/kubernetes: map serviceaccount secret to an environment variable
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM