gpt4 book ai didi

kubernetes - GKE : Service account for Config Connector lacks permissions

转载 作者:行者123 更新时间:2023-12-02 12:09:56 24 4
gpt4 key购买 nike

我正在尝试在我的 GKE 项目上启动并运行 Config Connector,并且正在关注 this getting started guide.
到目前为止,我已经启用了适当的 API:

> gcloud services enable cloudresourcemanager.googleapis.com
创建了我的服务帐户并添加了策略绑定(bind):
> gcloud iam service-accounts create cnrm-system
> gcloud iam service-accounts add-iam-policy-binding ncnrm-system@test-connector.iam.gserviceaccount.com --member="serviceAccount:test-connector.svc.id.goog[cnrm-system/cnrm-controller-manager]" --role="roles/iam.workloadIdentityUser"
> kubectl wait -n cnrm-system --for=condition=Ready pod --all
注释我的命名空间:
> kubectl annotate namespace default cnrm.cloud.google.com/project-id=test-connector
然后尝试在示例中应用 Spanner yaml:
~ >>> kubectl describe spannerinstance spannerinstance-sample                                                                                                                                                                                                                            
Name: spannerinstance-sample
Namespace: default
Labels: label-one=value-one
Annotations: cnrm.cloud.google.com/management-conflict-prevention-policy: resource
cnrm.cloud.google.com/project-id: test-connector
API Version: spanner.cnrm.cloud.google.com/v1beta1
Kind: SpannerInstance
Metadata:
Creation Timestamp: 2020-09-18T18:44:41Z
Generation: 2
Resource Version: 5805305
Self Link: /apis/spanner.cnrm.cloud.google.com/v1beta1/namespaces/default/spannerinstances/spannerinstance-sample
UID:
Spec:
Config: northamerica-northeast1-a
Display Name: Spanner Instance Sample
Num Nodes: 1
Status:
Conditions:
Last Transition Time: 2020-09-18T18:44:41Z
Message: Update call failed: error fetching live state: error reading underlying resource: Error when reading or editing SpannerInstance "test-connector/spannerinstance-sample": googleapi: Error 403: Request had insufficient authentication scopes.
Reason: UpdateFailed
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning UpdateFailed 6m41s spannerinstance-controller Update call failed: error fetching live state: error reading underlying resource: Error when reading or editing SpannerInstance "test-connector/spannerinstance-sample": googleapi: Error 403: Request had insufficient authentication scopes.
我不太确定这里发生了什么,因为我的 cnrm 服务帐户拥有我的集群所在项目的所有权,并且我启用了指南中列出的 API。
CC pod 本身看起来很健康:
~ >>> kubectl wait -n cnrm-system --for=condition=Ready pod --all                                                                                                                                                                                                                    
pod/cnrm-controller-manager-0 condition met
pod/cnrm-deletiondefender-0 condition met
pod/cnrm-resource-stats-recorder-58cb6c9fc-lf9nt condition met
pod/cnrm-webhook-manager-7658bbb9-kxp4g condition met
对此的任何见解将不胜感激!

最佳答案

根据您发布的错误消息,我应该认为这可能是您的 GKE scopes 中的错误。 .
要让 GKE 访问其他 GCP API,您必须在创建集群时允许此访问。您可以使用以下命令检查启用的范围:gcloud container clusters describe <cluster-name>并在结果中找到 oauthScopes .
Here您可以看到 Cloud Spanner 的范围名称,您必须启用范围 https://www.googleapis.com/auth/cloud-platform作为最低许可。
要在 GUI 中验证,您可以在以下位置查看权限:Kubernetes Engine > <Cluster-name> > 展开部分 permissions并查找 Cloud Platform

关于kubernetes - GKE : Service account for Config Connector lacks permissions,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64010131/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com