google-cloud-platform - Defining a ClusterRoleBinding for the Terraform service account
Question
So I have a GCP service account with the Kubernetes Admin and Kubernetes Cluster Admin roles in the GCP Cloud Console.
I am now trying to give this terraform service account the cluster-admin ClusterRole in GKE, so that it can manage all namespaces, via the following terraform config:
    # Look up the Terraform service account by its email
    data "google_service_account" "terraform" {
      project    = var.project_id
      account_id = var.terraform_sa_email
    }

    # Terraform needs to manage cluster
    resource "google_project_iam_member" "terraform-gke-admin" {
      project = var.project_id
      role    = "roles/container.admin"
      member  = "serviceAccount:${data.google_service_account.terraform.email}"
    }

    # Terraform needs to manage K8S RBAC
    # https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#iam-rolebinding-bootstrap
    resource "kubernetes_cluster_role_binding" "terraform_clusteradmin" {
      # The IAM grant must exist before the RBAC object can be created
      depends_on = [
        google_project_iam_member.terraform-gke-admin,
      ]

      metadata {
        name = "cluster-admin-binding-terraform"
      }

      role_ref {
        api_group = "rbac.authorization.k8s.io"
        kind      = "ClusterRole"
        name      = "cluster-admin"
      }

      # GKE identifies a service account as a User named by its email
      subject {
        api_group = "rbac.authorization.k8s.io"
        kind      = "User"
        name      = data.google_service_account.terraform.email
      }

      # must create a binding on unique ID of SA too
      subject {
        api_group = "rbac.authorization.k8s.io"
        kind      = "User"
        name      = data.google_service_account.terraform.unique_id
      }
    }
However, this always returns the following error:

    Error: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "client" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
    │
    │   with module.kubernetes[0].kubernetes_cluster_role_binding.terraform_clusteradmin,
    │   on kubernetes/terraform_role.tf line 15, in resource "kubernetes_cluster_role_binding" "terraform_clusteradmin":
    │   15: resource "kubernetes_cluster_role_binding" "terraform_clusteradmin" {
Any ideas what is going wrong here? Could this be related to the use of Google Groups for RBAC?

    authenticator_groups_config {
      security_group = "gke-security-groups@${var.acl_group_domain}"
    }
Solution

    # Exposes the OAuth2 access token of the credentials the google provider
    # is running as (i.e. the Terraform service account)
    data "google_client_config" "provider" {}

    # Authenticate to the GKE API server with that token rather than with
    # a client certificate or key
    provider "kubernetes" {
      cluster_ca_certificate = module.google.cluster_ca_certificate
      host                   = module.google.cluster_endpoint
      token                  = data.google_client_config.provider.access_token
    }
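The error names the RBAC subject as User "client", which is the common name of the GKE-issued client certificate, so the request was being authenticated with that certificate rather than as the service account; the token-based provider above fixes that. The following is an added, self-contained version of the whole bootstrap (not code from the question or the answer) that resolves the cluster endpoint and CA through a google_container_cluster data source instead of module outputs. The variable names, the default cluster name "my-gke" and location "europe-west1", and the resource labels are assumptions for the example.

```hcl
# Added example: bootstrap the Terraform service account as GKE cluster-admin.
# Assumed: variable names, cluster "my-gke" in "europe-west1", resource labels.

terraform {
  required_providers {
    google     = { source = "hashicorp/google" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

variable "project_id" {}
variable "terraform_sa_email" {}
variable "cluster_name" { default = "my-gke" }            # assumed
variable "cluster_location" { default = "europe-west1" } # assumed

provider "google" {
  project = var.project_id
}

# OAuth2 access token of the identity the google provider runs as
# (the Terraform service account when applied with its credentials).
data "google_client_config" "default" {}

data "google_service_account" "terraform" {
  account_id = var.terraform_sa_email
}

# Endpoint and CA of an existing cluster, so no module outputs are needed.
data "google_container_cluster" "gke" {
  name     = var.cluster_name
  location = var.cluster_location
}

# Authenticate as the service account via its token, not via the
# cluster client certificate (whose CN is "client" and has no RBAC bindings).
provider "kubernetes" {
  host                   = "https://${data.google_container_cluster.gke.endpoint}"
  cluster_ca_certificate = base64decode(data.google_container_cluster.gke.master_auth[0].cluster_ca_certificate)
  token                  = data.google_client_config.default.access_token
}

# IAM grant: lets the service account reach the cluster and, through GKE's
# IAM-to-RBAC mapping, create the ClusterRoleBinding below.
resource "google_project_iam_member" "terraform_gke_admin" {
  project = var.project_id
  role    = "roles/container.admin"
  member  = "serviceAccount:${data.google_service_account.terraform.email}"
}

# RBAC: bind cluster-admin to the service account. GKE identifies a
# service account as a User whose name is the account email; a separate
# subject for the numeric unique_id is not required.
resource "kubernetes_cluster_role_binding" "terraform_clusteradmin" {
  depends_on = [google_project_iam_member.terraform_gke_admin]

  metadata {
    name = "cluster-admin-binding-terraform"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "User"
    name      = data.google_service_account.terraform.email
  }
}
```

Two caveats a practitioner should expect. The access token is short-lived (roughly an hour) and appears in the plan, so treat saved plan files as sensitive and do not split plan and apply across a long gap. IAM grants are eventually consistent, so the first apply can still fail on the binding a few seconds after the roles/container.admin grant lands; a second apply succeeds. To confirm the binding from the service account's own credentials, run `gcloud auth activate-service-account` with its key or impersonation, fetch credentials with `gcloud container clusters get-credentials`, and check `kubectl auth can-i create clusterrolebindings`, which should answer yes.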