Cloud Build having an issue when running the kubelet cloudbuilder

I am trying to deploy new changes to a Kubernetes cluster using the Google Cloud provider's Cloud Build. Whenever I make some changes, the trigger works fine and starts a new build, but this is the problem I am running into with my cloudbuild.yaml.

cloudbuild.yaml

steps:
  # step 1: build the image
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/$PROJECT_ID/cloudbuildtest-image', '.']
  # step 2: push it to the registry
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/$PROJECT_ID/cloudbuildtest-image']
  # step 3, for testing: each step is its own list item, so this needs the
  # leading '-'; the kubectl builder first runs `gcloud container clusters
  # get-credentials` for the cluster named by these env vars, then kubectl
- name: 'gcr.io/cloud-builders/kubectl'
  args: ['get', 'pods']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=us-central1-a'
  - 'CLOUDSDK_CONTAINER_CLUSTER=cloudbuild-test'
# images to push once all steps succeed (this is not a build step)
images:
- 'gcr.io/$PROJECT_ID/cloudbuildtest-image'

Steps 1 and 2 work fine, but the problem is with step 3; for testing purposes I am just running the get pods command to check whether it works. This is the issue I am getting in the logs.

Running: gcloud container clusters get-credentials --project="journeyfoods-io" --zone="us-central1-a" "cloudbuild-test"
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/XXXX/zones/us-central1-a/clusters/cloudbuild-test".

What permissions is it looking for? Do I need to do some authentication before running the steps, or what exactly am I missing?

The steps of a Cloud Build build are executed using the [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com service account. From the Cloud Build documentation page on this topic:

When you enable the Cloud Build API, the service account is automatically created and granted the Cloud Build Service Account role for your project. This role is sufficient for several tasks, including:

  • Fetching code from your project's Cloud Source Repository
  • Downloading files from any Cloud Storage bucket owned by your project
  • Saving build logs in Cloud Logging
  • Pushing Docker images to Container Registry
  • Pulling base images from Container Registry

But by default this service account does not have permission for certain operations (in particular, the container.clusters.get permission is not granted by default), which is exactly what the get-credentials call in your step 3 is being denied. So you need to grant it a proper IAM role. In your case the Kubernetes Engine Developer role contains the container.clusters.get permission, as you can see on this page.
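An added example (not code from the answer above or from Google) that turns the answer into a repeatable check: it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, reports whether the Cloud Build service account holds any role that includes container.clusters.get, and emits the `gcloud projects add-iam-policy-binding` command to fix it. The project id, project number and SAMPLE_POLICY are constructed, nothing is sent to GCP, and the list of roles that carry container.clusters.get is an assumption taken from the GKE IAM role reference that should be re-verified with `gcloud iam roles describe`.

```python
"""Audit a project's IAM policy for the Cloud Build service account.

Added example, not code from the original answer. Feed it the output of
`gcloud projects get-iam-policy PROJECT_ID --format=json`; it tells you
whether [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com can call
container.clusters.get (what `gcloud container clusters get-credentials`
needs) and prints the gcloud command that grants a suitable role.
SAMPLE_POLICY below is constructed; no real project is contacted.
"""
import copy
import json

# Predefined roles that include container.clusters.get, narrowest first.
# Assumption: from the GKE IAM role reference at time of writing; confirm
# with `gcloud iam roles describe roles/container.clusterViewer` etc.
CLUSTERS_GET_ROLES = (
    "roles/container.clusterViewer",  # cluster metadata only; enough for get-credentials
    "roles/container.viewer",
    "roles/container.developer",      # the answer's suggestion; also grants Kubernetes API object access
    "roles/container.admin",
    "roles/editor",
    "roles/owner",
)


def cloudbuild_sa(project_number: str) -> str:
    """IAM member string for the Cloud Build service account of a project."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def roles_for_member(policy: dict, member: str) -> list:
    """All roles bound to `member` in a get-iam-policy document."""
    return sorted(
        b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])
    )


def clusters_get_roles(policy: dict, member: str) -> list:
    """Subset of the member's roles that include container.clusters.get."""
    return [r for r in roles_for_member(policy, member) if r in CLUSTERS_GET_ROLES]


def grant_command(project_id: str, project_number: str,
                  role: str = "roles/container.developer") -> str:
    """The gcloud invocation that adds the binding (returned as text, not run)."""
    return (
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member={cloudbuild_sa(project_number)} --role={role}"
    )


def with_binding(policy: dict, member: str, role: str) -> dict:
    """Copy of `policy` with `member` added to `role`, mirroring what
    add-iam-policy-binding does; idempotent and leaves the input untouched."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


# Constructed sample: the policy right after enabling the Cloud Build API,
# when the service account only has the Cloud Build Service Account role.
SAMPLE_PROJECT_ID = "example-project"
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXYZexample=",
  "version": 1
}
""")


def diagnose(policy: dict, project_id: str, project_number: str) -> str:
    """Explain the 403 from the question, or confirm a sufficient binding exists."""
    member = cloudbuild_sa(project_number)
    held = clusters_get_roles(policy, member)
    if held:
        return f"{member} can call container.clusters.get via {', '.join(held)}"
    return (
        f"{member} holds {roles_for_member(policy, member) or ['no roles']}; "
        f"none grants container.clusters.get. Fix: {grant_command(project_id, project_number)}"
    )


if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY, SAMPLE_PROJECT_ID, SAMPLE_PROJECT_NUMBER))
    fixed = with_binding(SAMPLE_POLICY, cloudbuild_sa(SAMPLE_PROJECT_NUMBER),
                         "roles/container.clusterViewer")
    print(diagnose(fixed, SAMPLE_PROJECT_ID, SAMPLE_PROJECT_NUMBER))
```

The role to grant depends on what the build step does next. The get-credentials call in the log needs only container.clusters.get, which the narrower Kubernetes Engine Cluster Viewer role already carries; the `kubectl get pods` that follows, and any later `kubectl apply`, additionally need access to Kubernetes API objects, which is why the answer points at Kubernetes Engine Developer. Prefer the narrowest role that lets the step finish, since the Cloud Build service account runs every step of every build in the project.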