
I am developing a Kubernetes CronJob in GKE to export an SQL database from GCP Cloud SQL. I have a GCP Cloud SQL instance whose Google service account is p848827672298-eef1pd@gcp-sa-cloud-sql.iam.gserviceaccount.com. If I grant this service account permission to access and create bucket objects, running the gcloud sql export sql ... command works: the database is exported to my bucket.

However, what I want to do is use Workload Identity to bind a Kubernetes service account to the p848827... Google service account, so that the CronJob can export the Cloud SQL database to my bucket. I tried to do this by running the following command:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8_NAMESPACE/K8_SERVICE_ACCOUNT]" \
  p848827672298-eef1pd@gcp-sa-cloud-sql.iam.gserviceaccount.com

(Of course, I replaced PROJECT_ID, K8_NAMESPACE and K8_SERVICE_ACCOUNT with the values appropriate for my project.)

This results in

ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) NOT_FOUND: Service account projects/PROJECT_ID/serviceAccounts/p848827672298-eef1pd@gcp-sa-cloud-sql.iam.gserviceaccount.com does not exist.

How do I bind the Cloud SQL service account to my Kubernetes service account?

1 Answer

Hopefully your API is enabled; try disabling and enabling the API. I once ran into a similar problem and this worked: gcloud services enable compute.googleapis.com https://dzone.com/articles/enabling-gke-workload-identity

If you have a service account JSON file, you can inject it directly into the POD, or mount the secret as a volume.

kubectl create secret generic echo --from-file service-account.json

Now suppose you are deploying the application with the secret injected:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  labels:
    app: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
      name: echo
    spec:
      containers:
        - name: echo
          image: "gcr.io/hightowerlabs/echo"
          env:
            - name: "GOOGLE_APPLICATION_CREDENTIALS"
              value: "/var/run/secret/cloud.google.com/service-account.json"
            - name: "PROJECT_ID"
              valueFrom:
                configMapKeyRef:
                  name: echo
                  key: project-id
            - name: "TOPIC"
              value: "echo"
          volumeMounts:
            - name: "service-account"
              mountPath: "/var/run/secret/cloud.google.com"
            - name: "certs"
              mountPath: "/etc/ssl/certs"
      volumes:
        - name: "service-account"
          secret:
            secretName: "echo"
        - name: "certs"
          hostPath:
            path: "/etc/ssl/certs"

Example: https://github.com/kelseyhightower/gke-service-accounts-tutorial#google-cloud-service-accounts-with-google-container-engine-gke---tutorial

Answered on 2021-09-12T17:39:23.257
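Added example, not from the question or the answer above: the CronJob from the question written to use Workload Identity, so no service-account key file is stored in a Secret or mounted into the pod. It assumes a Workload Identity-enabled cluster and a user-managed GSA (placeholder name sql-exporter@PROJECT_ID.iam.gserviceaccount.com) that has been granted permission to export the instance and bound to the KSA with the add-iam-policy-binding command from the question; the image tag and the instance, database and bucket names are placeholders.

```yaml
# Added example: GKE CronJob exporting a Cloud SQL database via Workload Identity
# (no key file in a Secret). Assumes a Workload Identity-enabled cluster and a
# user-managed GSA sql-exporter@PROJECT_ID.iam.gserviceaccount.com (placeholder)
# that may export the instance and is bound to this KSA with the question's
# add-iam-policy-binding command.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sql-exporter        # K8_SERVICE_ACCOUNT in the binding command
  namespace: backups        # K8_NAMESPACE in the binding command
  annotations:
    # Pods using this KSA receive tokens for the annotated GSA.
    iam.gke.io/gcp-service-account: sql-exporter@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: cloudsql-export
  namespace: backups
spec:
  schedule: "0 3 * * *"       # daily at 03:00 UTC
  concurrencyPolicy: Forbid   # never overlap two exports
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          serviceAccountName: sql-exporter
          restartPolicy: OnFailure
          containers:
            - name: export
              image: gcr.io/google.com/cloudsdktool/cloud-sdk:slim   # assumed image tag
              # No GOOGLE_APPLICATION_CREDENTIALS and no secret volume: gcloud obtains
              # the GSA's credentials from the GKE metadata server at run time.
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -eu
                  gcloud sql export sql "$INSTANCE" \
                    "gs://$BUCKET/$(date +%F)-$DATABASE.sql.gz" \
                    --database="$DATABASE" --project="$PROJECT_ID"
              env:                              # placeholder values, as in the question
                - { name: PROJECT_ID, value: "PROJECT_ID" }
                - { name: INSTANCE, value: "CLOUD_SQL_INSTANCE" }
                - { name: DATABASE, value: "DATABASE_NAME" }
                - { name: BUCKET, value: "BUCKET_NAME" }
              securityContext:
                allowPrivilegeEscalation: false
```

The Cloud SQL service account from the question still needs write access to the bucket, because the export file is written by Cloud SQL itself rather than by the pod.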