I have problems pulling a container from gcr.io
$ kubectl get po
NAME READY STATUS RESTARTS AGE
api-deployment-74d8cf8768-x8bsk 0/2 ImagePullBackOff 4 2m43s
I create these deployments with the following yml file (deployment.yml)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      component: api
  template:
    metadata:
      labels:
        component: api
    spec:
      containers:
        - name: api
          image: eu.gcr.io/api:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 5060
From GKE - ErrImagePull pulling from Google Container Registry (https://stackoverflow.com/questions/52570027/gke-errimagepull-pulling-from-google-container-registry) I guess this is mainly a permission issue.
If I do
kubectl describe pod api-deployment-74d8cf8768-x8bsk
I get
rpc error: code = Unknown desc = Error response from daemon: pull access denied for eu.gcr.io/<project-dev>/api, repository does not exist or may require 'docker login': denied: Permission denied for "latest" from request "/v2/<project-dev>/api/manifests/latest"
However, it is not clear how to set up an appropriate service account with terraform.
My setup is as follows. I created a terraform admin project in GCP (terraform-admin) with a service account
[email protected]
which holds the remote terraform state etc. The service account has a number of roles, such as:
Compute Network Admin
Kubernetes Engine Cluster Admin
...
Then I create the actual dev project project-dev (using the credentials of that service account). In project-dev, [email protected] is also an IAM account
as
Owner
Compute Network Admin
Kubernetes Engine Cluster Admin
However, it is not a service account. The only service account I see is
<project-dev-ID>[email protected]
which is a "Compute Engine default service account" and probably does not have the appropriate permissions. On project-dev I also have the container registry holding my private containers.
As mentioned, I create the GKE cluster with Terraform. Below is my (abbreviated) yml file.
resource "google_container_cluster" "primary" {
  name     = "gke-cluster"
  location = "${var.region}-b"
  node_locations = [
    "${var.region}-c",
    "${var.region}-d",
  ]
  node_version       = var.node_version
  initial_node_count = 3
  network            = var.vpc_name
  subnetwork         = var.subnet_name
  addons_config {
    horizontal_pod_autoscaling {
      disabled = false
    }
  }
  master_auth {
    username = "user"
    password = "password"
  }
  node_config {
    # I HAVE TRIED ADDING THIS, BUT IT RESULTS IN AN ERROR
    # Error: googleapi: Error 400: The user does not have access to service account
    # service_account = "[email protected]"
    oauth_scopes = [
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
    labels = {
      env = var.gke_label["${terraform.workspace}"]
    }
    disk_size_gb = 10
    machine_type = var.gke_node_machine_type
    tags         = ["gke-node"]
  }
}
Now, should I try (and if so, how) to add my tf-admin service account as a service account in project-dev, or should I add a specific service account (again, how?) to project-dev for kubernetes?
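The following Terraform fragment is an added example, not code from the question above; it shows one way to give the GKE nodes a dedicated, least-privilege service account that can pull from the project's Container Registry, and to grant the Terraform admin identity the right it needs to attach that account to nodes (the "does not have access to service account" 400 in the question is what the API returns when that grant is missing). The resource names, `var.project_id` and `var.admin_sa_email` are assumptions, not values from the question; `var.region`, `var.vpc_name`, `var.subnet_name` and `var.gke_node_machine_type` are the question's own variables.

```hcl
# Added example, not from the original question. Assumed inputs:
#   var.project_id     - the project-dev project id
#   var.admin_sa_email - the terraform-admin service account that runs "terraform apply"

# 1. A service account the GKE nodes will run as, instead of the
#    Compute Engine default service account.
resource "google_service_account" "gke_node" {
  project      = var.project_id
  account_id   = "gke-node-sa"
  display_name = "GKE node service account"
}

# 2. Read-only pull access. Container Registry keeps image layers in a
#    Cloud Storage bucket, so objectViewer is enough to pull and grants no
#    push rights. (For Artifact Registry the equivalent is roles/artifactregistry.reader.)
resource "google_project_iam_member" "gke_node_gcr_pull" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.gke_node.email}"
}

# Writer roles so the logging/monitoring scopes below are actually usable.
resource "google_project_iam_member" "gke_node_logging" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.gke_node.email}"
}

resource "google_project_iam_member" "gke_node_monitoring" {
  project = var.project_id
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.gke_node.email}"
}

# 3. The identity running Terraform must hold iam.serviceAccountUser on the
#    node service account before it may set node_config.service_account.
resource "google_service_account_iam_member" "admin_can_use_node_sa" {
  service_account_id = google_service_account.gke_node.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${var.admin_sa_email}"
}

# 4. Attach the account to the nodes. oauth_scopes only cap what the node's
#    token may do; the IAM roles above decide what is actually allowed.
#    The broad "compute" scope from the question is dropped on purpose.
resource "google_container_cluster" "primary" {
  name               = "gke-cluster"
  location           = "${var.region}-b"
  network            = var.vpc_name
  subnetwork         = var.subnet_name
  initial_node_count = 3

  node_config {
    service_account = google_service_account.gke_node.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
    machine_type = var.gke_node_machine_type
    tags         = ["gke-node"]
  }

  # Make sure the serviceAccountUser grant exists before the cluster is created.
  depends_on = [google_service_account_iam_member.admin_can_use_node_sa]
}
```

After `terraform apply`, `kubectl describe pod` on a recreated pod should no longer report "pull access denied"; the binding itself can be checked with `gcloud projects get-iam-policy PROJECT_ID --format=json` and looking for the node account under `roles/storage.objectViewer`. The example leaves out the question's `master_auth` block: newer GKE versions no longer accept basic username/password authentication, and the node pull problem does not depend on it. Changing `node_config` on an existing cluster recreates the default node pool, so plan for that on a live cluster.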