工作负载标识
我试图在Composer 2环境中运行GKEStartPodOperator/KubernetesPodOperator任务,该环境在自动驾驶模式下使用GKE集群。我们有一个现有的Composer 1环境,GKE集群不处于自动驾驶模式。我们使用谷歌云平台服务(BigQuery、GCS等)进行身份验证的任务在Composer 2环境中失败,但在Composer 1环境中成功。
在日志文件中,我可以看出两种环境中的任务都是通过向元数据服务器发出请求来获取凭据的。关键区别在于Composer 1中的任务请求分配给任务运行所在节点的服务帐户,而Composer 2中的任务请求的似乎是工作负载标识池,如[project name]。svc。id.goog。
Composer 1的日志包括:
[2021-10-22 12:38:01,349] {pod_launcher.py:148} INFO - DEBUG:google.auth._default:Checking None for explicit credentials as part of auth process...
[2021-10-22 12:38:01,351] {pod_launcher.py:148} INFO - DEBUG:google.auth._default:Checking Cloud SDK credentials as part of auth process...
[2021-10-22 12:38:01,352] {pod_launcher.py:148} INFO - DEBUG:google.auth._default:Cloud SDK credentials not found on disk; not using them
[2021-10-22 12:38:01,359] {pod_launcher.py:148} INFO - DEBUG:google.auth.transport._http_client:Making request: GET http://[cluster-ip]
[2021-10-22 12:38:01,374] {pod_launcher.py:148} INFO - DEBUG:google.auth.transport._http_client:Making request: GET http://metadata.google.internal/computeMetadata/v1/project/project-id
[2021-10-22 12:38:01,392] {pod_launcher.py:148} INFO - DEBUG:google.auth._default:Checking None for explicit credentials as part of auth process...
[2021-10-22 12:38:01,393] {pod_launcher.py:148} INFO - DEBUG:google.auth._default:Checking Cloud SDK credentials as part of auth process...
[2021-10-22 12:38:01,393] {pod_launcher.py:148} INFO - DEBUG:google.auth._default:Cloud SDK credentials not found on disk; not using them
[2021-10-22 12:38:01,395] {pod_launcher.py:148} INFO - DEBUG:google.auth.transport._http_client:Making request: GET http://[cluster-ip]
[2021-10-22 12:38:01,398] {pod_launcher.py:148} INFO - DEBUG:google.auth.transport._http_client:Making request: GET http://metadata.google.internal/computeMetadata/v1/project/project-id
[2021-10-22 12:38:01,412] {pod_launcher.py:148} INFO - DEBUG:google.cloud.bigquery.opentelemetry_tracing:This service is instrumented using OpenTelemetry. OpenTelemetry could not be imported; please add opentelemetry-api and opentelemetry-instrumentation packages in order to get BigQuery Tracing data.
[2021-10-22 12:38:01,414] {pod_launcher.py:148} INFO - DEBUG:urllib3.util.retry:Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
[2021-10-22 12:38:01,415] {pod_launcher.py:148} INFO - DEBUG:google.auth.transport.requests:Making request: GET http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
[2021-10-22 12:38:01,437] {pod_launcher.py:148} INFO - DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): metadata.google.internal:80
[2021-10-22 12:38:01,452] {pod_launcher.py:148} INFO - DEBUG:urllib3.connectionpool:http://metadata.google.internal:80 "GET /computeMetadata/v1/instance/service-accounts/default/?recursive=true HTTP/1.1" 200 226
[2021-10-22 12:38:01,454] {pod_launcher.py:148} INFO - DEBUG:google.auth.transport.requests:Making request: GET http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/[project-id]-compute@developer.gserviceaccount.com/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbigquery%2Chttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform
[2021-10-22 12:38:01,463] {pod_launcher.py:148} INFO - DEBUG:urllib3.connectionpool:http://metadata.google.internal:80 "GET /computeMetadata/v1/instance/service-accounts/[project-id]-compute@developer.gserviceaccount.com/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbigquery%2Chttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform HTTP/1.1" 200 1049
[2021-10-22 12:38:01,468] {pod_launcher.py:148} INFO - DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): bigquery.googleapis.com:443
[2021-10-22 12:38:02,028] {pod_launcher.py:148} INFO - DEBUG:urllib3.connectionpool:https://bigquery.googleapis.com:443 "POST /bigquery/v2/projects/[project-nam]/jobs?prettyPrint=false HTTP/1.1" 200 None
Composer 2的日志包括:
[2021-10-21 13:56:06,619] {pod_launcher.py:149} INFO - DEBUG:google.auth._default:Checking None for explicit credentials as part of auth process...
[2021-10-21 13:56:06,620] {pod_launcher.py:149} INFO - DEBUG:google.auth._default:Checking Cloud SDK credentials as part of auth process...
[2021-10-21 13:56:06,620] {pod_launcher.py:149} INFO - DEBUG:google.auth._default:Cloud SDK credentials not found on disk; not using them
[2021-10-21 13:56:06,621] {pod_launcher.py:149} INFO - DEBUG:google.auth.transport._http_client:Making request: GET http://[cluster-ip]
[2021-10-21 13:56:06,624] {pod_launcher.py:149} INFO - DEBUG:google.auth.transport._http_client:Making request: GET http://metadata.google.internal/computeMetadata/v1/project/project-id
[2021-10-21 13:56:06,634] {pod_launcher.py:149} INFO - DEBUG:google.auth._default:Checking None for explicit credentials as part of auth process...
[2021-10-21 13:56:06,635] {pod_launcher.py:149} INFO - DEBUG:google.auth._default:Checking Cloud SDK credentials as part of auth process...
[2021-10-21 13:56:06,635] {pod_launcher.py:149} INFO - DEBUG:google.auth._default:Cloud SDK credentials not found on disk; not using them
[2021-10-21 13:56:06,635] {pod_launcher.py:149} INFO - DEBUG:google.auth.transport._http_client:Making request: GET http://[cluster-ip]
[2021-10-21 13:56:06,635] {pod_launcher.py:149} INFO - DEBUG:google.auth.transport._http_client:Making request: GET http://metadata.google.internal/computeMetadata/v1/project/project-id
[2021-10-21 13:56:06,641] {pod_launcher.py:149} INFO - DEBUG:google.cloud.bigquery.opentelemetry_tracing:This service is instrumented using OpenTelemetry. OpenTelemetry could not be imported; please add opentelemetry-api and opentelemetry-instrumentation packages in order to get BigQuery Tracing data.
[2021-10-21 13:56:06,642] {pod_launcher.py:149} INFO - DEBUG:urllib3.util.retry:Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
[2021-10-21 13:56:06,642] {pod_launcher.py:149} INFO - DEBUG:google.auth.transport.requests:Making request: GET http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
[2021-10-21 13:56:06,714] {pod_launcher.py:149} INFO - DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): metadata.google.internal:80
[2021-10-21 13:56:06,720] {pod_launcher.py:149} INFO - DEBUG:urllib3.connectionpool:http://metadata.google.internal:80 "GET /computeMetadata/v1/instance/service-accounts/default/?recursive=true HTTP/1.1" 200 121
[2021-10-21 13:56:06,721] {pod_launcher.py:149} INFO - DEBUG:google.auth.transport.requests:Making request: GET http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/[project-name].svc.id.goog/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbigquery%2Chttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform
[2021-10-21 13:56:06,831] {pod_launcher.py:149} INFO - DEBUG:urllib3.connectionpool:http://metadata.google.internal:80 "GET /computeMetadata/v1/instance/service-accounts/[project-name].svc.id.goog/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbigquery%2Chttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform HTTP/1.1" 200 765
[2021-10-21 13:56:06,833] {pod_launcher.py:149} INFO - DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): bigquery.googleapis.com:443
[2021-10-21 13:56:06,866] {pod_launcher.py:149} INFO - DEBUG:urllib3.connectionpool:https://bigquery.googleapis.com:443 "POST /bigquery/v2/projects/[project-name]/jobs?prettyPrint=false HTTP/1.1" 401 None
根据工作负载标识文档,我想我需要将特定的服务帐户绑定到运行pod的节点/节点池,但我不确定如何使用Composer 2 GKE Autopilot实现这一点,因为节点是为我管理的。Composer 2目前没有关于使用KubernetesPodOperator或GKEStartPodOperator的文档。
总之,我的问题是:我应该如何配置我的作曲家2环境Podoperator任务,以利用特定的服务号与GCP服务进行身份验证?
共有1个答案
我从操作工程师那里得到了一些指导,现在有一个KubernetesPodoperator任务通过一个服务号成功地与GCP服务进行了身份验证。我将在下面分享步骤和有用的信息。
首先,遵循使用工作负载身份向谷歌云进行身份验证的步骤。我以为作曲家2配置了库伯内特
其次,我必须使用参数namespace和service_account_name更新我的KubernetesPodOperator实例,这些参数设置为我在第一步中创建的名称空间和kubernetes服务帐户。
我可以确认这两个步骤使我的任务能够请求绑定的Google服务帐户,并且从那里Google客户端库验证在我对BigQuery的测试中成功。
-
Google docu表示,工作负载标识可以用来授权GKE POD使用Google API提供的服务(而且效果很好)。它还表示,将有一个自动创建的标识池,名为PROJECT\u ID.svc。id.goog。 关于工作负载标识联合的Docu说:“您可以使用工作负载标识池来组织和管理外部标识。” 在我按照这里所述配置了工作负载标识(并且工作正常)之后,我正在尝试检索项目中现有的工作负载标识池,我希望
-
有人知道如果有任何其他方式的认证/授权访问谷歌云存储除了服务帐户密钥,当我使用@谷歌云/存储Node.js模块从这里?我读过关于“工作负载标识联合”的文章,但是在我看来,当我使用@google-Cloud/存储库时,我不能使用这种方法。我找不到任何合适的构造函数,只有这两个: 有什么建议吗?谢谢你们
-
我目前正在使用GKE Workload Identity从GKE内部访问谷歌云平台资源。这对谷歌云存储和其他平台资源非常有效。 然而,当我试图使用GKE Workload Identity访问Google工作表时,我遇到了一个“身份验证范围不足”的问题。 当我为服务帐户生成密钥文件并在代码中使用它时,我可以手动将作用域设置为。它的工作原理与预期一样,我可以访问该表。如果我将范围更改为,我得到了与G
-
试图找出如何从GKE集群中使用存储API进行身份验证。 代码: 被记录为使用以下方法通过API进行身份验证: {@code GOOGLE_APPLICATION_Credentials}环境变量指向的凭据文件 应用程序正在使用GCP工作负载标识功能,因此应用程序(群集内)服务号注释为: 现在,调用存储帐户失败,出现以下错误: 这让我觉得工作负载标识工作不正常。我希望收到带注释的服务帐户的错误消息,
-
我最近一直在使用GKE工作负载标识特性。我想更详细地了解组件的工作原理。 GCP客户端代码(或其他语言SDK)适用于GCE元数据方法 我想现在对我来说主要的难题是验证呼叫舱的身份。最初我认为这将使用令牌评论API,但现在我不确定谷歌客户端工具如何知道使用安装到pod中的服务号令牌... 编辑后续问题: 问题1:在第2步和第3步之间,是对通过节点池上的设置GKE_metadata_服务器路由到GKE
-
我们已经为一个基于Java/Tomcat的应用程序设置了一个CloudSQL代理作为侧车容器。 下面是我们如何设置工作负载标识,以使我们的应用程序能够通过CloudSQL代理连接到CloudSQL: > 创建了云IAM服务帐户并授予其SQL客户端权限: 设置策略绑定如下: 向GKE服务帐户添加注释: 但当我们使用以下方法进行测试时: 尽管按照本页所述正确执行了所有操作,但仍然会导致: