[英]GCP Kubernetes not using service account for pulling docker images
I'm using the latest version of google-kube.netes (1.22.8-gke.202) in a Kube.netes managed cluster.我在 Kube.netes 托管集群中使用最新版本的 google-kube.netes (1.22.8-gke.202)。 I also have a custom service account that has access to the "Artifact Registry Reader" scope that should grant it permission to pull private images from the repository - calling this custom-service-account .我还有一个自定义服务帐户,可以访问“Artifact Registry Reader”scope,应该授予它从存储库中提取私有图像的权限 - 调用此custom-service-account 。
I've validated that the nodes themselves have the custom-service-account service account linked to them within Compute Engine.我已验证节点本身在 Compute Engine 中具有链接到它们的custom-service-account服务帐户。 Kube.netes is setup with a service account that is linked to the IAM service account with the same name through workload identity . Kube.netes 设置了一个服务帐户,该帐户通过工作负载身份链接到具有相同名称的 IAM 服务帐户。 However, when I try to spawn a pod that pulls from my private repo it fails indefinitely.但是,当我尝试生成一个从我的私人存储库中提取的 pod 时,它会无限期地失败。
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 21m (x3 over 24m) default-scheduler 0/2 nodes are available: 2 node(s) were unschedulable.
Warning FailedScheduling 19m default-scheduler no nodes available to schedule pods
Normal NotTriggerScaleUp 18m (x25 over 24m) cluster-autoscaler pod didn't trigger scale-up: 1 node(s) had taint {reserved-pool: true}, that the pod didn't tolerate
Normal Scheduled 18m default-scheduler Successfully assigned default/test-service-a-deployment-5757fc5797-b54gx to gke-personal-XXXX--personal-XXXX--ac9a05b6-16sb
Normal Pulling 17m (x4 over 18m) kubelet Pulling image "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest"
Warning Failed 17m (x4 over 18m) kubelet Failed to pull image "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest": rpc error: code = Unknown desc = failed to pull and unpack image "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest": failed to resolve reference "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest": failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden
Warning Failed 17m (x4 over 18m) kubelet Error: ErrImagePull
Warning Failed 16m (x6 over 18m) kubelet Error: ImagePullBackOff
Normal BackOff 3m27s (x65 over 18m) kubelet Back-off pulling image "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest"
I've also ssh'ed into the nodes themselves and at least by default with a regular docker pull
or crictl pull
see this same error.我还通过 ssh 进入了节点本身,至少在默认情况下使用常规docker pull
或crictl pull
看到了同样的错误。
So, the specific questions I have:所以,我的具体问题是:
> gcloud container clusters describe personal-XXXX-gke --zone us-central1-a --format="value(workloadIdentityConfig.workloadPool)"
personal-XXXX.svc.id.goog
> gcloud container node-pools describe personal-XXXX-gke-node-pool --cluster personal-XXXX-gke --format="value(config.workloadMetadataConfig.mode)" --zone us-central1-a
GKE_METADATA
> kubectl describe serviceaccount --namespace default be-service-account
Name: be-service-account
Namespace: default
Labels: <none>
Annotations: iam.gke.io/gcp-service-account: custom-service-account@personal-XXXX.iam.gserviceaccount.com
Image pull secrets: <none>
Mountable secrets: be-service-account-token-jmss9
Tokens: be-service-account-token-jmss9
Events: <none>
> gcloud iam service-accounts get-iam-policy custom-service-account@personal-XXXX.iam.gserviceaccount.com
bindings:
- members:
- serviceAccount:personal-XXXX.svc.id.goog[default/be-service-account]
role: roles/iam.workloadIdentityUser
etag: BwXjqJ9DC6A=
version: 1
在检查对工件注册表的访问时,请按照本文档检查权限和范围。
Depending on how your cluster is created, various scopes are added.根据集群的创建方式,添加了各种范围。 https://cloud.google.com/kube.netes-engine/docs/how-to/access-scopes#create_with_sa https://cloud.google.com/kube.netes-engine/docs/how-to/access-scopes#create_with_sa
In my case, I created Autopilot cluster from the console (UI) and did everything you did w.r.t linking service accounts - turns out the default service account that gets applied does not get the scope cloud-platform.在我的例子中,我从控制台 (UI) 创建了 Autopilot 集群,并做了你所做的一切 w.r.t 链接服务帐户 - 结果应用的默认服务帐户没有获得 scope 云平台。
I ended up re-creating the cluster with the right service account (non-default) for my autopilot nodes.我最终使用正确的服务帐户(非默认)为我的自动驾驶节点重新创建了集群。 https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes . https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes 。 Most likely to use the CLI for future creations.最有可能将 CLI 用于未来的创作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.