I am able to use Terraform with a Kubernetes GKE cluster.

Then I set up the Kubernetes provider as follows:

provider "kubernetes" {
  host                    = "${data.google_container_cluster.primary.endpoint}"

  client_certificate      = "${base64decode(data.google_container_cluster.primary.master_auth.0.client_certificate)}"
  client_key              = "${base64decode(data.google_container_cluster.primary.master_auth.0.client_key)}"
  cluster_ca_certificate  = "${base64decode(data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate)}"
}

By default, the user that Terraform uses to interact with the Kubernetes client (the user `client`) does not have permission to create (for example) deployments. So I get this error when I try to apply the changes with Terraform:

Error: Error applying plan:

1 error(s) occurred:

 * kubernetes_deployment.foo: 1 error(s) occurred:

 * kubernetes_deployment.foo: Failed to create deployment: deployments.apps is forbidden: User "client" cannot create deployments.apps in the namespace "default"

I don't know how I should proceed now; how should I grant this permission to the `client` user?

If I add the following fields to the provider, I can create the deployment, although after reading the documentation it seems these credentials are used for HTTP communication with the cluster, which is insecure if done over the internet.

username              = "${data.google_container_cluster.primary.master_auth.0.username}"
password              = "${data.google_container_cluster.primary.master_auth.0.password}"

Is there another, better way?

3 Answers

9
  • You can use the service account that runs terraform

data "google_client_config" "default" {}

provider "kubernetes" {
  host     = "${google_container_cluster.default.endpoint}"

  token = "${data.google_client_config.default.access_token}"
  cluster_ca_certificate = "${base64decode(google_container_cluster.default.master_auth.0.cluster_ca_certificate)}"

  load_config_file = false
}

or

  • grant the default "client" user the permissions
  • but you need to be validly authenticated to the GKE cluster provider to run this :/ oops, circular dependency

resource "kubernetes_cluster_role_binding" "default" {
  metadata {
    name = "client-certificate-cluster-admin"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind = "ClusterRole"
    name = "cluster-admin"
  }
  subject {
    kind = "User"
    name = "client"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind = "ServiceAccount"
    name = "default"
    namespace = "kube-system"
  }
  subject {
    kind = "Group"
    name = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
answered 2019-03-05T16:49:53.160
0

You need to provide both. Look at this example of how to integrate the Kubernetes provider with the Google provider.

Example of how to configure the Kubernetes provider:

provider "kubernetes" {
  host     = "${var.host}"
  username = "${var.username}"
  password = "${var.password}"

  client_certificate     = "${base64decode(var.client_certificate)}"
  client_key             = "${base64decode(var.client_key)}"
  cluster_ca_certificate = "${base64decode(var.cluster_ca_certificate)}"
}
answered 2019-02-12T19:54:20.737
0

It looks like the user you are using is missing the RBAC role needed to create deployments. Make sure the user has the correct verbs on the deployment resource. You can look at this role example to understand it.

answered 2019-01-26T00:06:35.723
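As an added example (not code from the question or from any of the answers above), the RBAC fix that the last answer describes, scoped more tightly than the cluster-admin ClusterRoleBinding in the first answer: a namespace-scoped Role carrying only the verbs Terraform needs on Deployments, bound to the GKE client-certificate user "client" that appears in the error message. The resource names, the `default` namespace and the verb list are assumptions; the syntax follows the Terraform 0.11 interpolation style used on this page.

```hcl
# Added example: least-privilege RBAC for the "client" certificate user.
# Resource names and the "default" namespace are assumptions.

resource "kubernetes_role" "deployer" {
  metadata {
    name      = "deployment-manager"
    namespace = "default"
  }

  # Only the Deployment resource in the "apps" API group, and only the
  # verbs needed to create, read, update and delete it. This is what the
  # "deployments.apps is forbidden" error is asking for, without granting
  # cluster-admin.
  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list", "watch", "create", "update", "patch", "delete"]
  }
}

resource "kubernetes_role_binding" "deployer" {
  metadata {
    name      = "client-deployment-manager"
    namespace = "default"
  }

  # Bind to the namespaced Role above (kind "Role"), not to a ClusterRole,
  # so the grant stays limited to this namespace.
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = "${kubernetes_role.deployer.metadata.0.name}"
  }

  # The GKE-issued client certificate identifies the caller as User "client",
  # which is the subject named in the forbidden error.
  subject {
    kind      = "User"
    name      = "client"
    api_group = "rbac.authorization.k8s.io"
  }
}
```

Because the `client` user cannot create RoleBindings for itself, this has to be applied with credentials that already hold RBAC rights, which is the circular dependency the first answer points out: apply it with the provider configured from `google_client_config` (the `token` form shown in the first answer), after which `kubernetes_deployment` resources can be managed in `default` with only this Role in place.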