0

我想使用工作负载身份访问服务帐户。

猫服务帐户.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: serviceaccount_key@PROJECT_ID.iam.gserviceaccount.com
  name: rao-sa
  namespace: test

我的 yaml 文件是 policy.yaml

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-workload-identity-sample
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: serviceaccount_key@PROJECT_ID.iam.gserviceaccount.com
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:PROJECT_ID.svc.id.goog[test/rao-sa]

kubectl apply -f policy.yaml
error: unable to recognize "policy.yaml": no matches for kind "IAMPolicy" in version "iam.cnrm.cloud.google.com/v1beta1"

在 YAML 文件上出现错误:版本“iam.cnrm.cloud.google.com/v1beta1”中的种类“IAMPolicy”没有匹配项

4

2 回答 2

1

这是未安装配置连接器时的常见错误,请检查步骤 7。

如何启用?

gcloud container clusters update CLUSTER_NAME \
    --update-addons ConfigConnector=ENABLED
于 2021-09-20T14:36:43.337 回答
0

以下是 IAM 政策的一些资源以及如何启用 GKE 工作负载身份

https://medium.com/bluecore-engineering/the-infrastructure-triumvirate-continuous-service-and-infrastructure-delivery-with-argo-a33a3f76dc06 https://cloud.google.com/config-connector/docs/reference /resource-docs/iam/iampolicy https://dzone.com/articles/enabling-gke-workload-identity

同时检查您的 policy.yaml 文件,我发现了一些放错位置的项目,请检查这是否有效。

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-workload-identity-sample
  namespace: rao-sa
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: serviceaccount_key@PROJECT_ID.iam.gserviceaccount.com
  bindings:
      members:
        - serviceAccount:PROJECT_ID.svc.id.goog[test/rao-sa]
        role: roles/iam.workloadIdentityUser
于 2021-09-20T21:19:05.143 回答