我正在使用一个Kubernetes托管集群中的最新版本的Google Kubernetes(1.22.8-gke.202)。我还有一个自定义的服务帐户,它可以访问“Artifact Registry Reader”范围,应该授予它从存储库中拉取私有映像的权限 - 我称之为custom-service-account。
我已验证节点本身在Compute Engine中链接到custom-service-account服务帐户。Kubernetes设置了一个服务帐户,通过工作负载标识与同名的IAM服务帐户相链接。然而,当我尝试启动从我的私有仓库中拉取的Pod时,它一直失败。
我已验证节点本身在Compute Engine中链接到custom-service-account服务帐户。Kubernetes设置了一个服务帐户,通过工作负载标识与同名的IAM服务帐户相链接。然而,当我尝试启动从我的私有仓库中拉取的Pod时,它一直失败。
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 21m (x3 over 24m) default-scheduler 0/2 nodes are available: 2 node(s) were unschedulable.
Warning FailedScheduling 19m default-scheduler no nodes available to schedule pods
Normal NotTriggerScaleUp 18m (x25 over 24m) cluster-autoscaler pod didn't trigger scale-up: 1 node(s) had taint {reserved-pool: true}, that the pod didn't tolerate
Normal Scheduled 18m default-scheduler Successfully assigned default/test-service-a-deployment-5757fc5797-b54gx to gke-personal-XXXX--personal-XXXX--ac9a05b6-16sb
Normal Pulling 17m (x4 over 18m) kubelet Pulling image "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest"
Warning Failed 17m (x4 over 18m) kubelet Failed to pull image "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest": rpc error: code = Unknown desc = failed to pull and unpack image "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest": failed to resolve reference "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest": failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden
Warning Failed 17m (x4 over 18m) kubelet Error: ErrImagePull
Warning Failed 16m (x6 over 18m) kubelet Error: ImagePullBackOff
Normal BackOff 3m27s (x65 over 18m) kubelet Back-off pulling image "us-central1-docker.pkg.dev/personal-XXXX/my-test-repo/my-test-repo-business-logic:latest"
我也已经通过ssh登录到节点本身,至少默认情况下使用常规的docker pull
或crictl pull
命令时会看到相同的错误。
因此,我有以下具体问题:
- GCP是如何将服务帐户凭据注入尝试启动镜像的Kubernetes/Docker工作程序中的?正常的docker命令似乎没有这些凭据,这是否是预期的?
- 除了在pod上继承服务帐户之外,我是否需要手动引导一些额外的Kubernetes身份验证?
编辑:此处的结果。
> gcloud container clusters describe personal-XXXX-gke --zone us-central1-a --format="value(workloadIdentityConfig.workloadPool)"
personal-XXXX.svc.id.goog
> gcloud container node-pools describe personal-XXXX-gke-node-pool --cluster personal-XXXX-gke --format="value(config.workloadMetadataConfig.mode)" --zone us-central1-a
GKE_METADATA
> kubectl describe serviceaccount --namespace default be-service-account
Name: be-service-account
Namespace: default
Labels: <none>
Annotations: iam.gke.io/gcp-service-account: custom-service-account@personal-XXXX.iam.gserviceaccount.com
Image pull secrets: <none>
Mountable secrets: be-service-account-token-jmss9
Tokens: be-service-account-token-jmss9
Events: <none>
> gcloud iam service-accounts get-iam-policy custom-service-account@personal-XXXX.iam.gserviceaccount.com
bindings:
- members:
- serviceAccount:personal-XXXX.svc.id.goog[default/be-service-account]
role: roles/iam.workloadIdentityUser
etag: BwXjqJ9DC6A=
version: 1