Create cluster with Shared Network in GKE
I am trying to create a cluster in GKE project-1 using the shared network of project-2.
Roles given to the service account:
project-1: Kubernetes Engine Cluster Admin, Compute Network Admin, Kubernetes Engine Host Service Agent User
project-2: Kubernetes Engine Service Agent, Compute Network User, Kubernetes Engine Host Service Agent User
The service account was created under project-1.
API services are enabled in both projects.
But I keep getting this error.
Error: googleapi: Error 403: Kubernetes Engine Service Agent is missing required permissions on this project. See Troubleshooting | Kubernetes Engine Documentation | Google Cloud for more info: required "container.hostServiceAgent.use" permission(s) for "projects/project-2"., forbidden
data "google_compute_network" "shared_vpc" {
  name    = "network-name-in-project-2"
  project = "project-2"
}

data "google_compute_subnetwork" "shared_subnet" {
  name    = "subnet-name-in-project-2"
  project = "project-2"
  region  = "us-east1"
}

# cluster creation under project 1
# project 1 specified in Provider
resource "google_container_cluster" "mowx_cluster" {
  name               = var.cluster_name
  location           = "us-east1"
  initial_node_count = 1

  master_auth {
    username = ""
    password = ""
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  remove_default_node_pool = true

  cluster_autoscaling {
    enabled = false
  }

  # cluster_ipv4_cidr = var.cluster_pod_cidr
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "svc"
  }

  network    = data.google_compute_network.shared_vpc.id
  subnetwork = data.google_compute_subnetwork.shared_subnet.id
}
This is a Community Wiki answer based on the discussion in the comments, posted for better visibility. Feel free to expand it.
The error you are getting:
Error: googleapi: Error 403: Kubernetes Engine Service Agent is missing required permissions on this project. See Troubleshooting | Kubernetes Engine Documentation | Google Cloud for more info: required "container.hostServiceAgent.use" permission(s) for "projects/project-2"., forbidden
indicates that the required service agent was not created:
roles/container.serviceAgent
- Kubernetes Engine Service Agent:
Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.
The official troubleshooting docs describe the solution for this kind of issue:
To resolve the issue, if you have removed the Kubernetes Engine Service Agent role from your Google Kubernetes Engine service account, add it back. Otherwise, you must re-enable the Kubernetes Engine API, which will correctly restore your service accounts and permissions. You can do this in the gcloud tool or the Cloud Console.
The solution above worked in your use case: the account was missing, so it had to be (re)created.
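As an added example (not code from the question or the answer), here is the Terraform that covers what the error message is really about: it makes sure the service project's GKE service agent exists and grants that agent, rather than the user's own service account, the host-project roles a Shared VPC cluster needs. It assumes var.service_project_id ("project-1"), var.host_project_id ("project-2"), a configured google-beta provider, and the subnet name and region from the question; the agent e-mail patterns are Google's documented ones.

```hcl
# Assumed variables: var.service_project_id = "project-1" (where the cluster lives),
# var.host_project_id = "project-2" (which owns the shared VPC).
data "google_project" "service" {
  project_id = var.service_project_id
}

# Forces creation of the GKE service agent in the service project. This is the
# same agent that (re-)enabling container.googleapis.com restores, so a missing
# or deleted agent is repaired here instead of by toggling the API by hand.
resource "google_project_service_identity" "gke_agent" {
  provider = google-beta
  project  = var.service_project_id
  service  = "container.googleapis.com"
}

locals {
  # Google's documented agent identities are keyed by the SERVICE project number,
  # not the host project: the cluster project is the one doing the calling.
  gke_agent = "serviceAccount:service-${data.google_project.service.number}@container-engine-robot.iam.gserviceaccount.com"
  api_agent = "serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"
}

# Host project: grants container.hostServiceAgent.use (the exact permission the
# 403 complains about) to the service project's GKE agent.
resource "google_project_iam_member" "host_service_agent_user" {
  project    = var.host_project_id
  role       = "roles/container.hostServiceAgentUser"
  member     = local.gke_agent
  depends_on = [google_project_service_identity.gke_agent]
}

# Least privilege: networkUser is bound on the one shared subnet rather than on
# the whole host project. Both the GKE agent and the Google APIs agent need it.
resource "google_compute_subnetwork_iam_member" "shared_subnet_user" {
  for_each   = toset([local.gke_agent, local.api_agent])
  project    = var.host_project_id
  region     = "us-east1"
  subnetwork = "subnet-name-in-project-2"
  role       = "roles/compute.networkUser"
  member     = each.value
  depends_on = [google_project_service_identity.gke_agent]
}
```

Apply this before the google_container_cluster resource (for example with a depends_on on the bindings); granting "Kubernetes Engine Service Agent" to your own deployer service account, as in the question, does not give the GKE agent itself any access to project-2.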