Defining a ClusterRoleBinding for Terraform service account

Posted: 2021-11-20 08:03:45

Question:

So I have a GCP service account in the GCP Cloud Console, i.e. Kubernetes Admin, Kubernetes Cluster Admin.

I am now trying to give this terraform service account a ClusterRole in GKE so it can manage all namespaces, via the following terraform configuration:

data "google_service_account" "terraform" {
  project    = var.project_id
  account_id = var.terraform_sa_email
}

# Terraform needs to manage cluster
resource "google_project_iam_member" "terraform-gke-admin" {
  project = var.project_id
  role    = "roles/container.admin"
  member  = "serviceAccount:${data.google_service_account.terraform.email}"
}

# Terraform needs to manage K8S RBAC
# https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#iam-rolebinding-bootstrap
resource "kubernetes_cluster_role_binding" "terraform_clusteradmin" {
  depends_on = [
    google_project_iam_member.terraform-gke-admin,
  ]

  metadata {
    name = "cluster-admin-binding-terraform"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "User"
    name      = data.google_service_account.terraform.email
  }

  # must create a binding on unique ID of SA too
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "User"
    name      = data.google_service_account.terraform.unique_id
  }
}

However, this always returns the following error:

Error: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "client" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
│ 
│   with module.kubernetes[0].kubernetes_cluster_role_binding.terraform_clusteradmin,
│   on kubernetes/terraform_role.tf line 15, in resource "kubernetes_cluster_role_binding" "terraform_clusteradmin":
│   15: resource "kubernetes_cluster_role_binding" "terraform_clusteradmin" {

Any idea what is going wrong here? Could this be related to using Google Groups RBAC?

  authenticator_groups_config {
    security_group = "gke-security-groups@${var.acl_group_domain}"
  }

Comments:

Answer 1:
data "google_client_config" "provider" {}

provider "kubernetes" {
  cluster_ca_certificate = module.google.cluster_ca_certificate
  host                   = module.google.cluster_endpoint
  token                  = data.google_client_config.provider.access_token
}
Discussion:
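The error names the user as "client", which is the identity of the cluster's legacy client certificate from master_auth, not the IAM service account. IAM knows nothing about that certificate user, so roles/container.admin never comes into play and the RBAC check fails. The answer's fix is to let the kubernetes provider authenticate with the short-lived OAuth2 access token of the identity the google provider runs as; GKE then maps that token to the service account's email, and the IAM role alone is enough to create the first ClusterRoleBinding. The following is an added, complete version of that configuration; it is not code from the question or the answer. It assumes the cluster already exists, that Terraform itself runs with the service account's credentials (for example via GOOGLE_APPLICATION_CREDENTIALS or the google provider's impersonate_service_account setting), and that var.project_id, var.region, var.cluster_name and var.terraform_sa_email are defined. It reads the endpoint and CA from a google_container_cluster data source instead of the module outputs used in the answer.

```hcl
# Added example, not code from the original question or answer.
# Assumed variables: var.project_id, var.region, var.cluster_name,
# var.terraform_sa_email (the SA's email address).

data "google_container_cluster" "gke" {
  name     = var.cluster_name
  location = var.region
  project  = var.project_id
}

# Short-lived OAuth2 access token of whatever identity the google provider
# is using. The API server maps this token to an IAM principal; the cluster's
# client certificate would instead show up as the unprivileged user "client".
data "google_client_config" "provider" {}

data "google_service_account" "terraform" {
  project    = var.project_id
  account_id = var.terraform_sa_email
}

provider "kubernetes" {
  host  = "https://${data.google_container_cluster.gke.endpoint}"
  token = data.google_client_config.provider.access_token
  # master_auth exposes the CA base64-encoded; the provider expects PEM.
  cluster_ca_certificate = base64decode(
    data.google_container_cluster.gke.master_auth[0].cluster_ca_certificate
  )
}

# IAM side: Kubernetes Engine Admin on the project. With token auth this is
# already sufficient for the SA to create the binding below.
resource "google_project_iam_member" "terraform_gke_admin" {
  project = var.project_id
  role    = "roles/container.admin"
  member  = "serviceAccount:${data.google_service_account.terraform.email}"
}

# RBAC side: bind the SA to cluster-admin by email, which is the user name
# GKE presents for a service account authenticated with an OAuth token.
# The extra unique_id subject from the question is not needed for this path.
resource "kubernetes_cluster_role_binding" "terraform_clusteradmin" {
  depends_on = [google_project_iam_member.terraform_gke_admin]

  metadata {
    name = "cluster-admin-binding-terraform"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "User"
    name      = data.google_service_account.terraform.email
  }
}
```

After terraform apply, the binding should list the service account's email as its only subject, and the Terraform run itself no longer depends on the client certificate, so the cluster can be created with client_certificate_config disabled. If Terraform is run by a human rather than the SA, the token belongs to that human's account; that account then needs roles/container.admin (or an equivalent RBAC binding) to create ClusterRoleBindings, and the binding above still grants the SA its access for later runs.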
