我正在尝试添加一个GCP服务帐户Y,该帐户可以访问名为“security-keychain”的特定存储桶。我正在试图弄清楚需要哪些配置或更改才能使我当前的项目能够访问所述服务帐户然后访问存储桶。
我确实查看了https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/,但并不觉得它提供了很多见解。
以下是此项目的当前GCP Kubernetes配置。我的项目将是一个nginx反向代理,如果您想知道,并且存储桶可以访问我需要的所有SSL证书和密钥。
deployment.yml
apiVersion: extensions/v1
kind: Deployment
metadata:
labels:
run: my-project
name: my-project
spec:
replicas: 4
selector:
matchLabels:
run: my-project
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
run: my-project
spec:
containers:
- image: gcr.io/my-company/my-project
imagePullPolicy: Always
name: my-project
resources:
limits:
cpu: "800m"
memory: 4Gi
requests:
cpu: "500m"
memory: 2Gi
ports:
- containerPort: 80
protocol: TCP
- containerPort: 443
protocol: TCP
securityContext:
capabilities: {}
privileged: true
capabilities:
add:
- SYS_ADMIN
lifecycle:
postStart:
exec:
command: ["gcsfuse", "-o", "nonempty", "security-keychain", "/mnt/security-keychain"]
preStop:
exec:
command: ["fusermount", "-u", "/mnt/security-keychain"]
service.yml
apiVersion: v1
kind: Service
metadata:
name: my-project-service # service name
spec:
type: LoadBalancer # gives your app a public IP so the outside world can get to it
loadBalancerIP: 99.99.99.99 # declared in VPC Networks > External IP Addresses in GCP Console
ports:
- port: 80 # port the service listens on
targetPort: 80 # port the app listens on
protocol: TCP
name: http
- port: 443 # port the service listens on
targetPort: 443 # port the app listens on
protocol: TCP
name: https
selector:
run: my-project