如何在 GKE Deployment.YAML 中为 Pod 指定 ServiceAccountName
[英]How to Specify ServiceAccountName for Pods in GKE Deployment.YAML
问题描述
I've configured my cluster and node pools for Workload Identity ( https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity ) but in order to get it to work, I need to also make my pods use the kubernetes service account I created for the Workload Identity.
我已经为 Workload Identity ( https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity ) 配置了我的集群和节点池,但为了让它工作,我还需要让我的 pod 使用我为 Workload Identity 创建的 kubernetes 服务帐户。
I see I can specify the serviceAccountName in a pod's YAML, but how can I do this using Google CI/CD which uses deployment.yaml?我看到我可以在 pod 的 YAML 中指定serviceAccountName ,但是如何使用使用 deployment.yaml 的 Google CI/CD 来做到这一点? Or can I somehow reference a pod's YAML for use as a spec template within my deployment.yaml?或者我可以以某种方式引用 pod 的 YAML 以用作我的 deployment.yaml 中的规范模板吗? Sorry, I am new to k8s!抱歉,我是 k8s 新手!
Ref.参考https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
Essentially, I am just trying to get Workload Identity to work with my application so the GOOGLE_APPLICATION_CREDENTIALS is set by Google for use within my app!本质上,我只是想让 Workload Identity 与我的应用程序一起使用,因此 Google 设置了GOOGLE_APPLICATION_CREDENTIALS以在我的应用程序中使用!
I've tried the following in my deployment.yaml but I get the error unknown field "serviceAccountName" in io.k8s.api.core.v1.Container;我在我的 deployment.yaml 中尝试了以下操作,但unknown field "serviceAccountName" in io.k8s.api.core.v1.Container;出现了错误unknown field "serviceAccountName" in io.k8s.api.core.v1.Container; : :
spec:
replicas: 3
selector:
matchLabels:
app: my-application
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: my-application
spec:
containers:
- image: >-
gcr.io/my-project/github.com/my-org/my-repo
imagePullPolicy: IfNotPresent
name: my-application
serviceAccountName: my-k8s-svc-acct
2 个解决方案
解决方案1
3 已采纳 2021-06-17 15:09:50
serviceAccountName is a property of the pod spec object, not the container. serviceAccountName是 pod 规范对象的属性,而不是容器。 So, it should be:所以,应该是:
spec:
replicas: 3
selector:
matchLabels:
app: my-application
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: my-application
spec:
serviceAccountName: my-k8s-svc-acct
containers:
- image: >-
gcr.io/my-project/github.com/my-org/my-repo
imagePullPolicy: IfNotPresent
name: my-application
解决方案2
1 2021-06-17 15:08:28
The indentation is wrong缩进不对
it should be like this应该是这样的
spec:
containers:
- image: nginx
name: nginx
serviceAccount:
serviceAccountName:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.