[英]GCS read write access from the GKE Pod without credentials/auth
We created the GKE cluster with the public endpoint.我们使用公共端点创建了 GKE 集群。 The service account of the GKE cluster and Node pool has the following roles.
GKE集群和节点池的服务帐号具有以下角色。
"roles/compute.admin",
"roles/compute.viewer",
"roles/compute.securityAdmin",
"roles/iam.serviceAccountUser",
"roles/iam.serviceAccountAdmin",
"roles/resourcemanager.projectIamAdmin",
"roles/container.admin",
"roles/artifactregistry.admin",
"roles/storage.admin"
The node pool of the GKE cluster has the following OAuth scopes GKE集群的节点池有以下OAuth范围
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/devstorage.read_write",
The private GCS bucket has the same service account as the principal, with the storage admin role.私有GCS 存储桶与主体具有相同的服务帐户,具有存储管理员角色。
When we try to read/write in this bucket from a GKE POD, we get the below error.当我们尝试从 GKE POD 读取/写入此存储桶时,我们收到以下错误。
# Read
AccessDeniedException: 403 Caller does not have storage.objects.list access to the Google Cloud Storage bucket
# Write
AccessDeniedException: 403 Caller does not have storage.objects.create access to the Google Cloud Storage object
We also checked this thread but the solution was credential oriented and couldn't help us.我们还检查了这个线程,但该解决方案是面向凭证的,无法帮助我们。 We would like to read/write without maintaining the SA auth key or any sort of credentials .
我们希望在不维护 SA 身份验证密钥或任何类型的凭据的情况下进行读/写。
Please guide what is missing here.请指导这里缺少的内容。
UPDATE : as per the suggestion by @boredabdel we checked and found that workload identity
was already enabled on the GKE cluster as well as NodePool.更新:根据@boredabdel 的建议,我们检查并发现 GKE 集群和 NodePool 上已经启用了
workload identity
。 We are using this module to create our cluster where it is already enabled by default.我们正在使用这个模块来创建我们的集群,默认情况下它已经启用。 Still, we are facing connectivity issues.
尽管如此,我们仍面临着连接问题。
Cluster Security:集群安全:
NodePool Security:节点池安全性:
This is for all who are looking for an answer to implement this solution via terraform.这适用于所有正在寻找通过 terraform 实施此解决方案的答案的人。 Please refer below:
请参考以下:
resource "kubernetes_manifest" "service_account" {
manifest = {
"apiVersion" = "v1"
"kind" = "ServiceAccount"
"metadata" = {
"name" = "KSA_NAME"
"namespace" = "NAME"
"annotations" = {
"iam.gke.io/gcp-service-account" = "GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com"
}
}
"automountServiceAccountToken" = true
}
}
resource "google_service_account_iam_binding" "service-account-iam" {
service_account_id = "projects/PROJECT_ID/serviceAccounts/GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com"
role = "roles/iam.workloadIdentityUser"
members = [
"serviceAccount:${var.project_id}.svc.id.goog[NAMESPACE/KSA-NAME]",
]
}
spec:
serviceAccount: KSA-NAME
containers:
NOTE :注意:
resource "kubernetes_manifest"
method because there is an open issue for it to create via resource "kubernetes_service_account"
method where it is throwing an error stating. resource "kubernetes_manifest"
方法创建的,因为它通过resource "kubernetes_service_account"
方法创建存在一个未解决的问题,它会抛出错误声明。 Waiting for default secret of "NAMESPACE/KSA_NAME" to appear
Seems like you are trying to use the Node Service Account to authenticate to GCS.似乎您正在尝试使用节点服务帐户向 GCS 进行身份验证。 You need to passe the Service Account Key to the app you are calling the API from as described in this doc
您需要将服务帐户密钥传递给您正在调用 API 的应用程序,如本文档中所述
If you want Keyless authentication, my advice is to use Workload identity如果您想要无密钥身份验证,我的建议是使用工作负载身份
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.