GKE: Service account for Config Connector lacks permissions
I'm trying to get Config Connector up and running on my GKE project, following this getting started guide.
So far, I have enabled the appropriate APIs:
> gcloud services enable cloudresourcemanager.googleapis.com
Created my service account and added the policy binding:
> gcloud iam service-accounts create cnrm-system
> gcloud iam service-accounts add-iam-policy-binding ncnrm-system@test-connector.iam.gserviceaccount.com --member="serviceAccount:test-connector.svc.id.goog[cnrm-system/cnrm-controller-manager]" --role="roles/iam.workloadIdentityUser"
> kubectl wait -n cnrm-system --for=condition=Ready pod --all
Annotated my namespace:
> kubectl annotate namespace default cnrm.cloud.google.com/project-id=test-connector
Then I ran into trouble when trying to apply the Spanner yaml from the samples:
~ >>> kubectl describe spannerinstance spannerinstance-sample
Name:         spannerinstance-sample
Namespace:    default
Labels:       label-one=value-one
Annotations:  cnrm.cloud.google.com/management-conflict-prevention-policy: resource
              cnrm.cloud.google.com/project-id: test-connector
API Version:  spanner.cnrm.cloud.google.com/v1beta1
Kind:         SpannerInstance
Metadata:
  Creation Timestamp:  2020-09-18T18:44:41Z
  Generation:          2
  Resource Version:    5805305
  Self Link:           /apis/spanner.cnrm.cloud.google.com/v1beta1/namespaces/default/spannerinstances/spannerinstance-sample
  UID:
Spec:
  Config:        northamerica-northeast1-a
  Display Name:  Spanner Instance Sample
  Num Nodes:     1
Status:
  Conditions:
    Last Transition Time:  2020-09-18T18:44:41Z
    Message:               Update call failed: error fetching live state: error reading underlying resource: Error when reading or editing SpannerInstance "test-connector/spannerinstance-sample": googleapi: Error 403: Request had insufficient authentication scopes.
    Reason:                UpdateFailed
    Status:                False
    Type:                  Ready
Events:
  Type     Reason        Age    From                        Message
  ----     ------        ----   ----                        -------
  Warning  UpdateFailed  6m41s  spannerinstance-controller  Update call failed: error fetching live state: error reading underlying resource: Error when reading or editing SpannerInstance "test-connector/spannerinstance-sample": googleapi: Error 403: Request had insufficient authentication scopes.
I'm not really sure what's going on here, since my cnrm service account has ownership of the project my cluster is in, and I enabled the APIs listed in the guide.
The CC pods themselves look healthy:
~ >>> kubectl wait -n cnrm-system --for=condition=Ready pod --all
pod/cnrm-controller-manager-0 condition met
pod/cnrm-deletiondefender-0 condition met
pod/cnrm-resource-stats-recorder-58cb6c9fc-lf9nt condition met
pod/cnrm-webhook-manager-7658bbb9-kxp4g condition met
Any insight on this would be greatly appreciated!
Based on the error message you posted, I think this may be a mistake in your GKE scopes.
For GKE to access other GCP APIs, you must allow this access when creating the cluster. You can check the enabled scopes with the following command:
gcloud container clusters describe <cluster-name>
and look for oauthScopes in the result.
Here you can see the scope names for Cloud Spanner; you must enable the scope https://www.googleapis.com/auth/cloud-platform as the minimum permission.
To verify in the GUI, you can view the permissions at: Kubernetes Engine > <Cluster-name> > expand the permissions section and find Cloud Platform.
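The scope check the answer describes, done programmatically, as an added example that is not part of the original question or answer. It parses the JSON that `gcloud container clusters describe <cluster-name> --format=json` prints (the `nodePools[].config.oauthScopes` field layout follows the GKE API) and lists every node pool that lacks the cloud-platform scope named above. The embedded sample document is constructed for the example, not captured from a real cluster; the `required_scope` parameter and the function names are this example's own.

```python
"""Triage helper for "Error 403: Request had insufficient authentication scopes".

Added example, not code from the original post. Node OAuth scopes are fixed
when a node pool is created, so the useful question is *which* pools lack
the scope, not just whether the cluster has it somewhere.
"""
import json
import subprocess
import sys

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample resembling `gcloud container clusters describe --format=json`:
# two node pools, only one created with the broad cloud-platform scope.
SAMPLE_DESCRIBE_JSON = json.dumps({
    "name": "test-connector-cluster",
    "nodePools": [
        {
            "name": "default-pool",
            "config": {
                "oauthScopes": [
                    "https://www.googleapis.com/auth/devstorage.read_only",
                    "https://www.googleapis.com/auth/logging.write",
                    "https://www.googleapis.com/auth/monitoring",
                ]
            },
        },
        {
            "name": "wide-scope-pool",
            "config": {"oauthScopes": [CLOUD_PLATFORM_SCOPE]},
        },
    ],
})


def pools_missing_scope(describe_json, required_scope=CLOUD_PLATFORM_SCOPE):
    """Return the names of node pools whose oauthScopes lack required_scope.

    cloud-platform grants access to every Google API, so a pool that carries it
    is treated as satisfying any narrower scope as well.
    """
    cluster = json.loads(describe_json)
    missing = []
    for pool in cluster.get("nodePools", []):
        scopes = set(pool.get("config", {}).get("oauthScopes", []))
        if required_scope in scopes or CLOUD_PLATFORM_SCOPE in scopes:
            continue
        missing.append(pool.get("name", "<unnamed>"))
    return missing


def report(describe_json, required_scope=CLOUD_PLATFORM_SCOPE):
    """One-line verdict suitable for a runbook or a CI pre-flight step."""
    missing = pools_missing_scope(describe_json, required_scope)
    if not missing:
        return "OK: every node pool carries " + required_scope
    return "MISSING " + required_scope + " on node pool(s): " + ", ".join(missing)


def describe_cluster(cluster_name):
    """Fetch the live description; only called when a cluster name is given."""
    return subprocess.run(
        ["gcloud", "container", "clusters", "describe", cluster_name, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # With no argument the constructed sample is checked, so this runs offline;
    # pass a cluster name to check a real cluster via gcloud.
    doc = describe_cluster(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_JSON
    print(report(doc))
```

On the constructed sample the verdict names `default-pool` as the pool without the scope; Config Connector's controller pods can land on any node pool unless they are pinned, so every pool that may host them needs the scope, not just one.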