1

After following the tutorial Connecting [Postgres] from Kubernetes Engine, I was able to have my app server connect to my Postgres database thru a Cloud SQL Proxy and a service account that grants the "SQL Client", "SQL Editor" and "SQL Admin" permissions.

But, after following this tutorial a second time (to create a second database, for use from another cluster), and hence creating a second service account with the same permissions, I realised that I could only connect my second Cloud SQL database using my first service account!

Every time I tried to use the second service account (which, again, grants access to the exact same 3 permissions!), I was getting couldn't connect to "project:region:instance" errors...

Context: I know that instance-based permissions are not supported by Cloud SQL yet, but I would like to have dedicated service accounts for each of my 2 databases if possible, and do not understand why a second service account with same permissions does not work.

4

1 回答 1

4

首先,您的云 sql 代理只需要Cloud SQL 客户端角色。不需要其他角色。

其次,您是否使用来自同一个 kubernetes 集群的应用服务器。您是否尝试对两个服务帐户使用 kubernetes 相同的秘密cloudsql-instance-credentials

如果是,那就是问题所在。您需要使用第二个服务帐户的新凭证 json更新cloudsql-instance-credentials密钥。

或者,您可以将两个秘密对象保留为cloudsql-instance-credentials-service-account-1cloudsql-instance-credentials-service-account-2。并且,更新配置 yml 以安装所需的秘密,如下所示,

  - name: cloudsql-proxy
    image: gcr.io/cloudsql-docker/gce-proxy:1.09
    command: ["/cloud_sql_proxy", "--dir=/cloudsql",
              "-instances=<instance_connection_name>=tcp:5432",
              "-credential_file=/secrets/cloudsql/credentials.json"]
    volumeMounts:
      - name: cloudsql-instance-credentials
        mountPath: /secrets/cloudsql
        readOnly: true
  volumes:
    - name: cloudsql-instance-credentials
      secret:
        secretName: cloudsql-instance-credentials-service-account-2
于 2018-08-22T19:43:36.350 回答