For a few days now I have been trying to deploy Kubeflow 1.3 on GCP without granting the Owner role to the Config Connector service account. For reference, I am following the official documentation. So far I have been able to deploy the management cluster (which runs using the Config Connector service account), but when it comes to actually deploying the Kubeflow cluster, it gets stuck at the very first step: creating a CloudSQL instance, which makes almost no sense, since the service account does in fact have permission to do that. Below is the full list of roles I granted to the service account:
roles/accessapproval.approver
roles/accessapproval.configEditor
roles/accesscontextmanager.policyAdmin
roles/aiplatform.admin
roles/aiplatform.customCodeServiceAgent
roles/aiplatform.serviceAgent
roles/anthos.serviceAgent
roles/anthosaudit.serviceAgent
roles/anthosconfigmanagement.serviceAgent
roles/anthosidentityservice.serviceAgent
roles/anthosservicemesh.serviceAgent
roles/apigateway.admin
roles/apigee.apiAdmin
roles/artifactregistry.admin
roles/artifactregistry.serviceAgent
roles/automl.admin
roles/automl.serviceAgent
roles/bigquery.admin
roles/bigqueryconnection.serviceAgent
roles/bigquerydatatransfer.serviceAgent
roles/binaryauthorization.serviceAgent
roles/cloudasset.owner
roles/cloudasset.serviceAgent
roles/cloudbuild.builds.builder
roles/cloudbuild.builds.editor
roles/cloudbuild.serviceAgent
roles/clouddeploy.serviceAgent
roles/cloudfunctions.developer
roles/cloudfunctions.serviceAgent
roles/cloudscheduler.serviceAgent
roles/cloudsql.admin
roles/cloudsql.serviceAgent
roles/cloudtasks.serviceAgent
roles/cloudtpu.serviceAgent
roles/composer.admin
roles/composer.serviceAgent
roles/compute.admin
roles/compute.serviceAgent
roles/container.admin
roles/container.serviceAgent
roles/containeranalysis.admin
roles/containerregistry.ServiceAgent
roles/dataflow.admin
roles/deploymentmanager.editor
roles/endpoints.portalAdmin
roles/endpoints.serviceAgent
roles/gkehub.admin
roles/gkehub.gatewayAdmin
roles/gkehub.serviceAgent
roles/gkemulticloud.serviceAgent
roles/iam.securityAdmin
roles/iam.serviceAccountAdmin
roles/iam.workloadIdentityPoolAdmin
roles/iap.admin
roles/managedidentities.admin
roles/managedidentities.serviceAgent
roles/meshconfig.admin
roles/meshconfig.serviceAgent
roles/meshdataplane.serviceAgent
roles/ml.admin
roles/ml.serviceAgent
roles/monitoring.admin
roles/multiclusteringress.serviceAgent
roles/networkmanagement.serviceAgent
roles/notebooks.admin
roles/notebooks.serviceAgent
roles/oauthconfig.viewer
roles/privateca.admin
roles/resourcemanager.projectIamAdmin
roles/run.admin
roles/run.serviceAgent
roles/secretmanager.admin
roles/serverless.serviceAgent
roles/servicebroker.admin
roles/serviceusage.serviceUsageAdmin
roles/sourcerepo.serviceAgent
roles/storage.admin
roles/tpu.admin
roles/tpu.serviceAgent
roles/vpcaccess.admin
roles/workflows.admin
Do you have any suggestions as to which additional roles I might need to assign to the service account for this to actually work? I don't know whether it matters, but I grant the roles through the gcloud CLI (not using iam.yaml at all at this stage).
PS: I know the idea is to have two separate projects (one for the management cluster and another for the Kubeflow cluster) and that you only need Owner permission on the Kubeflow project, but that is not really what the enterprise wants.
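An added example, not part of the original post, that reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns, collects the roles bound to one service account, and flags those that already grant control over the project's IAM policy (and therefore are equivalent to Owner); the policy document, project id and service account name below are constructed placeholders.

```python
import json

# Constructed sample policy in the shape gcloud emits; the project id,
# service account and etag are placeholders, not values from the post.
SA_MEMBER = "serviceAccount:cnrm-system@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudsql.admin", "members": [SA_MEMBER]},
        {"role": "roles/iam.securityAdmin", "members": [SA_MEMBER]},
        {"role": "roles/resourcemanager.projectIamAdmin", "members": [SA_MEMBER]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})

# Predefined roles that include resourcemanager.projects.setIamPolicy: a holder
# can rewrite the project's IAM policy, so "not Owner" is only nominal.
PROJECT_IAM_CONTROL = {
    "roles/owner",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.securityAdmin",
}
# Roles that let the holder set IAM policy on service accounts themselves
# (e.g. grant token-creator/user on any SA in the project).
SERVICE_ACCOUNT_IAM_CONTROL = {"roles/iam.serviceAccountAdmin"}


def roles_for_member(policy_json: str, member: str) -> set:
    """Return every role bound to `member` in a project IAM policy document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(policy_json: str, member: str) -> dict:
    """Summarise a member's roles and which of them confer IAM-policy control."""
    roles = roles_for_member(policy_json, member)
    return {
        "roles": sorted(roles),
        "project_iam_control": sorted(roles & PROJECT_IAM_CONTROL),
        "service_account_iam_control": sorted(roles & SERVICE_ACCOUNT_IAM_CONTROL),
        "owner_equivalent": bool(roles & PROJECT_IAM_CONTROL),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SA_MEMBER), indent=2))
```

Run against a real policy, the list in the post would trip the same check, since roles/iam.securityAdmin, roles/resourcemanager.projectIamAdmin and roles/iam.serviceAccountAdmin are all in it.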