ESP on GKE fails if the service account key JSON file is omitted

Posted 2025-01-22 11:08:29 · 2773 characters · 0 views · 0 comments · original


I'm running ESPv2 on GKE. The container starts only if the service account key JSON file is provided using the --service_account_key flag. However, this flag is documented under Non-GCP Platform Deployment. Furthermore, the proxy startup options page states

The only time you need to specify this option is when ESP is running
on platforms other than Google Cloud [...]

Therefore I don't think --service_account_key is necessary when running containers in GKE.

Because I'm using Workload Identity, the GKE workload runs using a Kubernetes service account which impersonates a Google service account. The steps to achieve this are detailed in Configure applications to use Workload Identity. However, I'm using Terraform, so I don't perform these steps myself; rather, I rely on Terraform's workload-identity submodule, which is configured to

  • Use an existing Google service account (use_existing_gcp_sa = true)
  • Create a new Kubernetes service account (use_existing_k8s_sa = false)
  • Annotate the Kubernetes service account (annotate_k8s_sa = true)

Terraform's workload-identity submodule also takes care of creating the Google service account binding to roles/iam.workloadIdentityUser. Therefore all the steps in Configure applications to use Workload Identity are implemented by Terraform.

The service account key JSON file that I'm passing to the ESP is for the Google service account (which acts on behalf of the Kubernetes service account), but it is not the default compute service account. Therefore, intuitively, it makes sense to me that ESP needs this. Yet all the documentation states it should not be needed if running on GCP.

Has anyone got ESP running on GKE using Workload Identity and not using the default compute service account?

My Kubernetes deployment config, with some ESP flags removed for clarity:

---
apiVersion: apps/v1
kind: Deployment
spec:
  # The pod spec lives under the Deployment's pod template.
  template:
    spec:
      # Kubernetes service account in default namespace.
      serviceAccountName: my-k8s-sa
      volumes:
        - name: account-key
          secret:
            secretName: account-key-secret
      containers:
        - name: esp
          image: gcr.io/endpoints-release/endpoints-runtime:2
          args: [
              # Google service account (should not be needed in GCP)
              "--service_account_key=/etc/nginx/creds/credentials.json",
            ]
          volumeMounts:
            - mountPath: /etc/nginx/creds
              name: account-key
              readOnly: true


隱形的亼 2025-01-29 11:08:29


As you mention, ESPv2 needs access tokens. When you deploy ESP or ESPv2 on Google Cloud environments, such as GKE or Compute Engine, ESP and ESPv2 obtain access tokens for you through the Google Cloud metadata service, so ESP will fetch and use credentials from the Compute Engine instance in order to work in the GCP environment.

I recommend reviewing the service account by running this command inside your pod to validate the service account:

curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/

If the service accounts are correctly configured, the IAM service account email address is listed as the active one.

Also, note that implementing Workload Identity has some limitations, and there could be some Time Out errors at Pod start-up, but you can resolve the issue by following this troubleshooting guide.
If after this troubleshooting you are still facing issues, I would suggest collecting the startup logs from ESPv2 and reaching out to GCP support to share them in this link, due to the fact that they could contain personal (sensitive) information that I think could be shared there, as it needs a better channel to keep your information confidential.
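A check that builds on the curl command above, added here as an example and not code from the answer or from Google's tooling: run from inside the pod, it queries the GKE metadata server, confirms that the expected Google service account is listed and is the active identity (not the default Compute Engine one), and confirms that no key file is mounted or pointed to by GOOGLE_APPLICATION_CREDENTIALS, which is the state in which --service_account_key should be unnecessary. The service account email, the mount path taken from the question's manifest, and the one-entry-per-line listing format are assumptions; the fetch function is injectable so the check can be exercised off-cluster.

```python
"""Verify, from inside a GKE pod, that ESPv2's identity comes from Workload Identity
(the GKE metadata server) rather than from a mounted service account key file."""
import os
import sys
import urllib.request
from typing import Callable, Mapping

METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"
# Mount path used by the question's manifest for --service_account_key.
KEY_FILE = "/etc/nginx/creds/credentials.json"
COMPUTE_DEFAULT_SUFFIX = "-compute@developer.gserviceaccount.com"


def metadata_get(path: str) -> str:
    """Fetch a path below the service-accounts listing; Metadata-Flavor is mandatory."""
    req = urllib.request.Request(METADATA_BASE + path, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.read().decode()


def check_workload_identity(expected_gsa: str,
                            fetch: Callable[[str], str] = metadata_get,
                            env: Mapping[str, str] = os.environ,
                            key_file: str = KEY_FILE) -> dict:
    """Return named findings; every value True means the key file is not needed."""
    # Assumed listing format: one entry per line, each ending in "/", e.g. "default/".
    listing = [line.strip().rstrip("/") for line in fetch("").splitlines() if line.strip()]
    active = fetch("default/email").strip()
    return {
        "gsa_listed": expected_gsa in listing,
        "gsa_is_active": active == expected_gsa,
        "not_compute_default": not active.endswith(COMPUTE_DEFAULT_SUFFIX),
        "no_key_file_env": "GOOGLE_APPLICATION_CREDENTIALS" not in env,
        "no_key_file_mounted": not os.path.exists(key_file),
    }


def all_ok(findings: dict) -> bool:
    return all(findings.values())


if __name__ == "__main__":
    # Usage inside the pod: python3 check_wi.py esp-gsa@my-project.iam.gserviceaccount.com
    findings = check_workload_identity(sys.argv[1])
    for name, ok in findings.items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
    sys.exit(0 if all_ok(findings) else 1)
```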
