跨 GCP 项目在 GKE 集群中将 Google 服务帐户与 Kubernetes 集群服务帐户绑定
[英]Binding Google Service Account with Kubernetes Cluster Service Account in GKE cluster across GCP projects
问题描述
I've built a Google Kubernetes Engine (GKE) cluster in a GCP project.
我在 GCP 项目中构建了一个 Google Kubernetes Engine (GKE) 集群。
According to the different use cases of applications running on the cluster, I associated the applications with the different service accounts and the different granted permissions.根据集群上运行的应用程序的不同用例,我将应用程序与不同的服务帐户和不同的授予权限相关联。 To do so, I bound Google Service Account (GSA) with the Kubernetes Cluster Service Account (KSA) as follows:为此,我将 Google 服务帐户 (GSA) 与 Kubernetes 集群服务帐户 (KSA) 绑定如下:
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
kubectl annotate serviceaccount \
--namespace K8S_NAMESPACE \
KSA_NAME \
iam.gke.io/gcp-service-account=GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#option_2_node_pool_modification参考: https : //cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#option_2_node_pool_modification
Everything I have explained works normally.我解释的一切正常。
Currently, there are many GKE clusters in different projects.目前,在不同的项目中有很多 GKE 集群。 Furthermore, the service accounts assigned with the applications are supposed to be created in the same project that hosts the GKE clusters.此外,分配给应用程序的服务帐户应该在托管 GKE 集群的同一项目中创建。 I am planning to do the GSA centralisation for KSA into one GCP project.我计划将 KSA 的 GSA 集中到一个 GCP 项目中。
Questions问题
Would it be possible to build a GKE cluster in a project and create a GSA for an application running on the GKE cluster in another project?
是否可以在一个项目中构建 GKE 集群并为另一个项目中在 GKE 集群上运行的应用程序创建 GSA?If so, what roles do I have to grant the GSA associated with the GKE cluster?
如果是,我必须授予与 GKE 集群关联的 GSA 什么角色? in order to access the GSAs in the other project and bind them with KSA.以便访问其他项目中的 GSA 并将它们与 KSA 绑定。
Note : This thread is only about the Google Service Account (GSA) associated with the application running on a GKE cluster , not about the Google Service Account (GSA) associated with the GKE cluster.注意:此线程仅涉及与 GKE 集群上运行的应用程序关联的Google 服务帐户 (GSA) ,而不涉及与 GKE 集群关联的 Google 服务帐户 (GSA)。
And about how to bind Google Service Account (GSA) in a GCP project with Kubernetes Cluster Service Account (KSA) in the GKE cluster in another GCP project .以及如何将一个 GCP 项目中的 Google Service Account (GSA) 与另一个 GCP 项目中 GKE 集群中的 Kubernetes Cluster Service Account (KSA) 绑定。
1 个解决方案
解决方案1
0 2021-07-21 10:32:15
This should be possible.这应该是可能的。 You can definitely create service accounts in one project and attach them to resources in another project.您绝对可以在一个项目中创建服务帐户并将它们附加到另一个项目中的资源。
In the project which "hosts" your service account(s):在“托管”您的服务帐户的项目中:
- ensure that the
iam.disableCrossProjectServiceAccountUsageconstraint is NOT enforced for the project (this is done by updating the organization policy for the project)确保iam.disableCrossProjectServiceAccountUsage项目实施iam.disableCrossProjectServiceAccountUsage约束(这是通过更新项目的组织政策来完成的) - I believe you will also need to grant
roles/iam.serviceAccountTokenCreatorto the GSA associated with each cluster as well.我相信您还需要将roles/iam.serviceAccountTokenCreator授予与每个集群关联的 GSA。
See https://cloud.google.com/iam/docs/impersonating-service-accounts#attaching-different-project请参阅https://cloud.google.com/iam/docs/impersonating-service-accounts#attaching-different-project
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.