Google Cloud,Kubernetes和Cloud SQL代理:默认的Compute Engine服务帐户问题

时间:2019-11-27 07:18:14

标签: kubernetes google-cloud-platform gcloud cloud-sql-proxy

我有Google Cloud项目A,B,C,D。它们都为Kubernetes集群和部署使用类似的设置。项目A,B和C已于几个月前建成。他们都使用Google Cloud SQL代理连接到Google Cloud SQL服务。现在,当我最近开始为项目D设置Kubernetes时,在Stackdriver日志中会看到以下错误:

the default Compute Engine service account is not configured with sufficient permissions to access the Cloud SQL API from this VM. Please create a new VM with Cloud SQL access (scope) enabled under "Identity and API access". Alternatively, create a new "service account key" and specify it using the -credential_file parameter

我比较了A,B,C和D之间的Kubernetes集群之间的差异,但它们似乎是相同的。

这是我正在使用的部署

apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: my-site
  labels:
    system: projectA
spec:
  selector:
    matchLabels:
      system: projectA
  template:
    metadata:
      labels:
        system: projectA
    spec:
      containers:
        - name: web
          image: gcr.io/customerA/projectA:alpha1
          ports:
            - containerPort: 80
          env:
            - name: DB_HOST
              value: 127.0.0.1:3306
            # These secrets are required to start the pod.
            # [START cloudsql_secrets]
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: cloudsql-db-credentials
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cloudsql-db-credentials
                  key: password
          # [END cloudsql_secrets]
        # Change <INSTANCE_CONNECTION_NAME> here to include your GCP
        # project, the region of your Cloud SQL instance and the name
        # of your Cloud SQL instance. The format is
        # $PROJECT:$REGION:$INSTANCE
        # [START proxy_container]
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          command:
            - sh
            - -c
            - /cloud_sql_proxy -instances=my-gcloud-project:europe-west1:databaseName=tcp:3306
            - -credential_file=/secrets/cloudsql/credentials.json
          # [START cloudsql_security_context]
          securityContext:
            runAsUser: 2  # non-root user
            allowPrivilegeEscalation: false
          # [END cloudsql_security_context]
          volumeMounts:
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
      # [END proxy_container]
      # [START volumes]
      volumes:
        - name: cloudsql-instance-credentials
          secret:
            secretName: cloudsql-instance-credentials
      # [END volumes]

因此,默认服务帐户似乎没有足够的权限?通过Google Cloud控制台创建集群时,Google Cloud不允许启用Cloud SQL API。

从我用这个问题搜索过的地方来看,有人说问题出在gcr.io/cloudsql-docker/gce-proxy映像上,但是我尝试了较新的版本,但仍然会出现相同的错误。

1 个答案:

答案 0 :(得分:1)

我找到了解决此问题的方法,并且在创建集群时设置了service-account参数。请注意,我尚未测试新服务帐户所需的最低权限是什么。

以下是步骤:

  • 创建新的服务帐户,不需要API密钥。我使用的名称是“超级服务”
  • 将角色Cloud SQL管理员,计算管理员,Kubernetes Engine管理员,编辑者分配给新服务帐户
  • 使用gcloud使用新的服务帐户创建这样的集群
gcloud container clusters create my-cluster \
--zone=europe-west1-c \
--labels=system=projectA \
--num-nodes=3 \
--enable-master-authorized-networks \
--enable-network-policy \
--enable-ip-alias \
--service-account=super-service@project-D.iam.gserviceaccount.com \
--master-authorized-networks <list-of-my-ips>

然后至少要正确地部署集群和部署。

相关问题
最新问题