GCP Firestore:服务器请求失败,GKE 权限缺失或权限不足
GCP Firestore: Server request fails with Missing or insufficient permissions from GKE
我正在尝试从 GKE 容器上的代码 运行 连接到 Firestore。简单的 REST GET api 工作正常,但是当我从 read/write 访问 Firestore 时,我得到权限缺失或不足。
An unhandled exception was thrown by the application.
Info
2021-06-06 21:21:20.283 EDT
Grpc.Core.RpcException: Status(StatusCode="PermissionDenied", Detail="Missing or insufficient permissions.", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1623028880.278990566","description":"Error received from peer ipv4:172.217.193.95:443","file":"/var/local/git/grpc/src/core/lib/surface/call.cc","file_line":1068,"grpc_message":"Missing or insufficient permissions.","grpc_status":7}")
at Google.Api.Gax.Grpc.ApiCallRetryExtensions.<>c__DisplayClass0_0`2.<<WithRetry>b__0>d.MoveNext()
更新 我正在尝试向带有服务帐户凭据的 pod 提供秘密。
这是 k8 文件,当没有提供任何秘密时,它可以毫无问题地将 pod 部署到集群,我可以执行不影响 Firestore 的 Get 操作,它们工作正常。
kind: Deployment
apiVersion: apps/v1
metadata:
name: foo-worldmanagement-production
spec:
replicas: 1
selector:
matchLabels:
app: foo
role: worldmanagement
env: production
template:
metadata:
name: worldmanagement
labels:
app: foo
role: worldmanagement
env: production
spec:
containers:
- name: worldmanagement
image: gcr.io/foodev/foo/master/worldmanagement.21
resources:
limits:
memory: "500Mi"
cpu: "300m"
imagePullworld: Always
readinessProbe:
httpGet:
path: /api/worldManagement/policies
port: 80
ports:
- name: worldmgmt
containerPort: 80
现在,如果我尝试挂载 secret,pod 永远不会完全创建,最终会失败
kind: Deployment
apiVersion: apps/v1
metadata:
name: foo-worldmanagement-production
spec:
replicas: 1
selector:
matchLabels:
app: foo
role: worldmanagement
env: production
template:
metadata:
name: worldmanagement
labels:
app: foo
role: worldmanagement
env: production
spec:
volumes:
- name: google-cloud-key
secret:
secretName: firestore-key
containers:
- name: worldmanagement
image: gcr.io/foodev/foo/master/worldmanagement.21
volumeMounts:
- name: google-cloud-key
mountPath: /var/
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/key.json
resources:
limits:
memory: "500Mi"
cpu: "300m"
imagePullworld: Always
readinessProbe:
httpGet:
path: /api/worldManagement/earth
port: 80
ports:
- name: worldmgmt
containerPort: 80
我尝试部署 sample application,它工作正常。
如果我只保留以下 yaml 文件,容器就会正确部署
- name: google-cloud-key
secret:
secretName: firestore-key
但是一旦我将以下内容添加到 yaml 中,它就失败了
volumeMounts:
- name: google-cloud-key
mountPath: /var/
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/key.json
而且我可以在 GCP 事件中看到容器无法找到 google-cloud-key。知道如何解决这个问题,即为什么我无法安装秘密,如果需要,我可以 bash 到 pod 中。
我正在使用由
制作的多阶段docker 文件
From mcr.microsoft.com/dotnet/sdk:5.0 AS build
FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS runtime
谢谢
看起来它们的密钥本身可能无法正确显示给 pod。我将首先使用 kubectl exec --stdin --tty <podname> -- /bin/bash
进入 pod 并确保 /var/key.json
(根据您的配置)可访问并具有正确的凭据。
以下是安装秘密的好方法:
volumeMounts:
- name: google-cloud-key
mountPath: /var/run/secret/cloud.google.com
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/run/secret/cloud.google.com/key.json
以上假定您的秘密是使用如下命令创建的:
kubectl --namespace <namespace> create secret generic firestore-key --from-file key.json
检查您的 Workload Identity 设置也很重要。 Workload Identity | Kubernetes Engine Documentation 对此有一个很好的部分。
我正在尝试从 GKE 容器上的代码 运行 连接到 Firestore。简单的 REST GET api 工作正常,但是当我从 read/write 访问 Firestore 时,我得到权限缺失或不足。
An unhandled exception was thrown by the application.
Info
2021-06-06 21:21:20.283 EDT
Grpc.Core.RpcException: Status(StatusCode="PermissionDenied", Detail="Missing or insufficient permissions.", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1623028880.278990566","description":"Error received from peer ipv4:172.217.193.95:443","file":"/var/local/git/grpc/src/core/lib/surface/call.cc","file_line":1068,"grpc_message":"Missing or insufficient permissions.","grpc_status":7}")
at Google.Api.Gax.Grpc.ApiCallRetryExtensions.<>c__DisplayClass0_0`2.<<WithRetry>b__0>d.MoveNext()
更新 我正在尝试向带有服务帐户凭据的 pod 提供秘密。 这是 k8 文件,当没有提供任何秘密时,它可以毫无问题地将 pod 部署到集群,我可以执行不影响 Firestore 的 Get 操作,它们工作正常。
kind: Deployment
apiVersion: apps/v1
metadata:
name: foo-worldmanagement-production
spec:
replicas: 1
selector:
matchLabels:
app: foo
role: worldmanagement
env: production
template:
metadata:
name: worldmanagement
labels:
app: foo
role: worldmanagement
env: production
spec:
containers:
- name: worldmanagement
image: gcr.io/foodev/foo/master/worldmanagement.21
resources:
limits:
memory: "500Mi"
cpu: "300m"
imagePullworld: Always
readinessProbe:
httpGet:
path: /api/worldManagement/policies
port: 80
ports:
- name: worldmgmt
containerPort: 80
现在,如果我尝试挂载 secret,pod 永远不会完全创建,最终会失败
kind: Deployment
apiVersion: apps/v1
metadata:
name: foo-worldmanagement-production
spec:
replicas: 1
selector:
matchLabels:
app: foo
role: worldmanagement
env: production
template:
metadata:
name: worldmanagement
labels:
app: foo
role: worldmanagement
env: production
spec:
volumes:
- name: google-cloud-key
secret:
secretName: firestore-key
containers:
- name: worldmanagement
image: gcr.io/foodev/foo/master/worldmanagement.21
volumeMounts:
- name: google-cloud-key
mountPath: /var/
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/key.json
resources:
limits:
memory: "500Mi"
cpu: "300m"
imagePullworld: Always
readinessProbe:
httpGet:
path: /api/worldManagement/earth
port: 80
ports:
- name: worldmgmt
containerPort: 80
我尝试部署 sample application,它工作正常。
如果我只保留以下 yaml 文件,容器就会正确部署
- name: google-cloud-key
secret:
secretName: firestore-key
但是一旦我将以下内容添加到 yaml 中,它就失败了
volumeMounts:
- name: google-cloud-key
mountPath: /var/
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/key.json
而且我可以在 GCP 事件中看到容器无法找到 google-cloud-key。知道如何解决这个问题,即为什么我无法安装秘密,如果需要,我可以 bash 到 pod 中。
我正在使用由
制作的多阶段docker 文件From mcr.microsoft.com/dotnet/sdk:5.0 AS build
FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS runtime
谢谢
看起来它们的密钥本身可能无法正确显示给 pod。我将首先使用 kubectl exec --stdin --tty <podname> -- /bin/bash
进入 pod 并确保 /var/key.json
(根据您的配置)可访问并具有正确的凭据。
以下是安装秘密的好方法:
volumeMounts:
- name: google-cloud-key
mountPath: /var/run/secret/cloud.google.com
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/run/secret/cloud.google.com/key.json
以上假定您的秘密是使用如下命令创建的:
kubectl --namespace <namespace> create secret generic firestore-key --from-file key.json
检查您的 Workload Identity 设置也很重要。 Workload Identity | Kubernetes Engine Documentation 对此有一个很好的部分。