google-cloud-platform - 如何使用 ConfigConnector 将 K8s ServiceAccount 绑定到 Google 服务帐户

问题描述

作为第一步，我想在 Helm 图表中定义一个绑定到 Google ServiceAccount 的 Kubernetes ServiceAccount，然后在 Kubernetes pod 的规范中使用该服务帐户。

这是我尝试过的，我定义了 Kubernetes 服务帐户，然后是 Google 服务帐户，最后尝试绑定两者：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    iam.gke.io/gcp-service-account: {{ printf "%s@%s.iam.gserviceaccount.com" .Release.Name .Values.gcp.project }}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
---
# https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampolicymember
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
spec:
  member: {{ printf "serviceAccount:%s@%s.iam.gserviceaccount.com" .Release.Name .Values.gcp.project }}
  role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: v1
    kind: ServiceAccount
    name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}

部署到启用了 WorkloadIdentity 的 GKE 集群的 helm chart 返回以下错误

Error: UPGRADE FAILED: failed to create resource: admission webhook "iam-validation.cnrm.cloud.google.com" denied the request: resource reference for kind 'ServiceAccount' must include API group

基本上我想做的是 ConfigConnector 相当于

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR-GCP-PROJECT>.svc.id.goog[<YOUR-K8S-NAMESPACE>/<YOUR-KSA-NAME>]" \
  <YOUR-GSA-NAME>@<YOUR-GCP-PROJECT>.iam.gserviceaccount.com

我从https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#gsa得到的

标签： google-cloud-platformkubernetes-helmgcp-config-connector