Override Default Service account used by spring boot app deployed in Kubernetes

Problem statement:

I have deployed a Spring Boot application which, on startup, always authenticates with the default Compute Engine service account credentials. I created a separate service account and key but cannot replace the default one. I tried specifying the new service account in deployment.yaml with the "serviceAccountName" field, but I still get an error saying that the service account, e.g. "xyz", was not found.

serviceAccountName: {{ .Values.serviceAccountName }}

So how can I override the Compute Engine default service account with a specific service account and define it in deployment.yaml?

It works if I add the credentials of the new service account to the application code base, but that is not a best practice. Could someone please help me with this?

A snippet of my deployment.yaml file:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: helloworld
    appVersion: {{ .Values.appVersion }}
  name: helloworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
        environment: {{ .Values.environment }}
    spec:
      containers:
        - name: helloworld
          image: {{ .Values.imageSha }}
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
          ports:
            - containerPort: 8080
          env:
          - name: SPRING_CONFIG_LOCATION
            value: "/app/deployments/config/"
          volumeMounts:
            - name: application-config
              mountPath: "/app/deployments/config"
              readOnly: true
      volumes:
      - name: application-config
        configMap:
          name: {{ .Values.configMapName }}
          items:
          - key: application.properties
            path: application.properties

I think you should use Workload Identity, which allows access to Google Cloud from outside the application:

Workload Identity is the recommended way to access Google Cloud services from applications running within GKE due to its improved security properties and manageability. For information about alternative ways to access Google Cloud APIs from GKE, refer to the alternatives section below.

The guide above describes it well, and I think it should solve your problem.

For additional examples you can look at one of the community tutorials - Using Kubernetes Workload Identity for client-server authorization

In GKE, the Workload Identity feature allows these identities to also be associated with IAM service accounts. This allows a pod running as a Kubernetes service account to act as the associated service account for authorized access to Google APIs and to services that verify identity based on Google Cloud-specific OIDC.

Both documents have examples that will help you adapt Workload Identity to your needs.
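Worked example of the Workload Identity setup the answer points to, added here and not taken from the question, the answer or the linked guides. The key point it illustrates: `serviceAccountName` in a pod spec names a Kubernetes ServiceAccount object in the pod's namespace, not a Google IAM service account, so the Kubernetes object has to exist first and is then mapped to the IAM account through the `iam.gke.io/gcp-service-account` annotation plus a `roles/iam.workloadIdentityUser` binding. All names (project `my-project`, cluster `CLUSTER`, node pool `POOL`, Kubernetes ServiceAccount `helloworld-ksa`, IAM service account `helloworld-gsa`) are hypothetical placeholders. The Helm values from the original snippet are kept where they appeared.

```yaml
# Added example (not from the original question or answer). Hypothetical names:
# project my-project, namespace default, Kubernetes ServiceAccount helloworld-ksa,
# IAM service account helloworld-gsa@my-project.iam.gserviceaccount.com.
#
# One-time setup on the cluster and IAM side (run once, outside the manifest):
#   gcloud container clusters update CLUSTER --workload-pool=my-project.svc.id.goog
#   gcloud container node-pools update POOL --cluster=CLUSTER --workload-metadata=GKE_METADATA
#   gcloud iam service-accounts create helloworld-gsa
#   gcloud iam service-accounts add-iam-policy-binding \
#       helloworld-gsa@my-project.iam.gserviceaccount.com \
#       --role roles/iam.workloadIdentityUser \
#       --member "serviceAccount:my-project.svc.id.goog[default/helloworld-ksa]"
# Grant helloworld-gsa only the roles the app actually needs (least privilege);
# no key file is created or downloaded at any point.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helloworld-ksa
  namespace: default
  annotations:
    # Maps this Kubernetes ServiceAccount to the IAM service account.
    iam.gke.io/gcp-service-account: helloworld-gsa@my-project.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: helloworld
    appVersion: {{ .Values.appVersion }}
  name: helloworld
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
        environment: {{ .Values.environment }}
    spec:
      # Must match the ServiceAccount above, in the same namespace; otherwise the
      # pod fails with a "serviceaccount ... not found" error.
      serviceAccountName: helloworld-ksa
      # Optional: pin to nodes that run the GKE metadata server, useful on clusters
      # where only some node pools were updated with --workload-metadata=GKE_METADATA.
      nodeSelector:
        iam.gke.io/gke-metadata-server-enabled: "true"
      containers:
        - name: helloworld
          image: {{ .Values.imageSha }}
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
          ports:
            - containerPort: 8080
          env:
          - name: SPRING_CONFIG_LOCATION
            value: "/app/deployments/config/"
          # Do NOT set GOOGLE_APPLICATION_CREDENTIALS: with Workload Identity the
          # Google client libraries used by Spring Boot obtain Application Default
          # Credentials from the in-cluster metadata server as helloworld-gsa.
          volumeMounts:
            - name: application-config
              mountPath: "/app/deployments/config"
              readOnly: true
      volumes:
      - name: application-config
        configMap:
          name: {{ .Values.configMapName }}
          items:
          - key: application.properties
            path: application.properties
```

To check the mapping before trusting it, exec into the running pod and query the metadata server: `curl -s -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email` should print `helloworld-gsa@my-project.iam.gserviceaccount.com`; if it still prints the Compute Engine default account, the node pool is not running the GKE metadata server or the annotation/binding do not match. Because no JSON key exists, there is nothing to leak from the image or the repository, which addresses the concern raised in the question.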