我有:
我似乎无法授予对该实例的只读GCR访问权限。所有资源都在同一个项目中。我尝试将storage.admin和storage.objectViewer角色授予服务帐户,并且在每种情况下访问容器注册表都会导致https://eu.gcr.io/v2/<project>/<image>/manifests/latest: 401 Unauthorized。
我阅读过的所有文档都说,我需要storage-rw范围和在该区域中的GCR的存储桶上授予的storage.objectViewer,我已经拥有了全部。
我正在使用Terraform配置所有这些功能。您如何使用Terraform配置GCR对服务帐户的访问权限?
这是我的代码:
locals {
gcr-region = "eu"
}
resource "google_service_account" "service_account" {
account_id = "k3s-master"
display_name = "k3s-master"
}
resource "google_project_iam_member" "project" {
role = "roles/logging.logWriter"
member = "serviceAccount:${google_service_account.service_account.email}"
}
resource "google_compute_instance" "instance" {
name = "${var.service_name}"
machine_type = "f1-micro"
allow_stopping_for_update = true
service_account {
email = "${google_service_account.service_account.email}"
scopes = [
"storage-rw",
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/compute",
]
}
boot_disk {
initialize_params {
image = "debian-9"
}
}
network_interface {
network = "${google_compute_network.k3s-network.self_link}"
access_config { }
}
}
resource "google_storage_bucket_iam_binding" "eu-binding" {
bucket = "eu.artifacts.${var.project}.appspot.com"
role = "roles/storage.objectViewer"
members = [
"serviceAccount:${google_service_account.service_account.email}",
]
}
resource "google_storage_bucket_iam_binding" "binding" {
bucket = "${var.project}.appspot.com"
role = "roles/storage.objectViewer"
members = [
"serviceAccount:${google_service_account.service_account.email}",
]
}
答案 0 :(得分:2)
对,这完全是另外一回事。
为了进一步调试,我使用了计算实例中的curl和gsutil,发现我可以访问底层存储桶。
我正在所涉及的实例上运行k3s,并且这需要明确配置为使用服务帐户向GCR进行身份验证(即使计算实例在同一服务下运行)帐户,仍然需要)。
因此,一个kubectl create secret docker-registry ...,然后为我正在使用的(kubernetes)服务帐户设置imagePullSecrets,将其修复。 More details about that here。