[英]GCP IAM Binding for GKE Node Pool using Workload Identity
I am scheduling jobs using Cloud Composer running tasks in Kubernetes.我正在使用 Cloud Composer 在 Kubernetes 中运行任务来安排作业。 I have setup a new node pool in the same GKE as composer and using this to run the Kubernetes tasks.
我已经在与 composer 相同的 GKE 中设置了一个新节点池,并使用它来运行 Kubernetes 任务。 In that node pool I'm using the default service account but binding the account to the same service account as the Composer node pool, using an IAM policy binding, and enabling workload identity.
在该节点池中,我使用默认服务帐户,但将该帐户绑定到与 Composer 节点池相同的服务帐户,使用 IAM 策略绑定并启用工作负载身份。
However I can see from the errors that the kubernetes service account is lacking permissions for some stuff that the composer service account does have access to.但是,我可以从错误中看到 kubernetes 服务帐户对作曲家服务帐户确实有权访问的某些内容缺乏权限。 Which doesn't make sense since the kubernetes service account has an IAM Policy binding to the composer service account, so they should have exactly same permissions.
这是没有意义的,因为 kubernetes 服务帐户具有与作曲家服务帐户绑定的 IAM 策略,因此它们应该具有完全相同的权限。 But for whatever reason this is not true.
但无论出于何种原因,这都是不正确的。 Any tips on where to look are greatly appreciated...
任何关于在哪里看的提示都非常感谢......
Enabling the workload identity on the nodepool was the solution.在节点池上启用工作负载身份是解决方案。 Using terraform the solution looks like this:
使用 terraform 的解决方案如下所示:
resource "google_container_node_pool" "google_container_node_pool_name" {
workload_metadata_config {
mode = "GKE_METADATA"
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.