I can deploy a GKE cluster on Kubernetes with terraform. I then set up the provider for Kubernetes as follows:
provider "kubernetes" {
  host                   = "${data.google_container_cluster.primary.endpoint}"
  client_certificate     = "${base64decode(data.google_container_cluster.primary.master_auth.0.client_certificate)}"
  client_key             = "${base64decode(data.google_container_cluster.primary.master_auth.0.client_key)}"
  cluster_ca_certificate = "${base64decode(data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate)}"
}
By default, terraform talks to Kubernetes as the user client, and that user has no permission to create (for example) deployments. So when I try to apply my changes with terraform, I get this error:

Error: Error applying plan:
1 error(s) occurred:
* kubernetes_deployment.foo: 1 error(s) occurred:
* kubernetes_deployment.foo: Failed to create deployment: deployments.apps is forbidden: User "client" cannot create deployments.apps in the namespace "default"
I don't know how to proceed from here; how should I grant this permission to the client user? If I add the following fields to the provider, I can perform the deployment, although after reading the documentation these credentials appear to be used for HTTP communication with the cluster, which is insecure if the communication goes over the internet.

username = "${data.google_container_cluster.primary.master_auth.0.username}"
password = "${data.google_container_cluster.primary.master_auth.0.password}"

Is there another, better way?
Best answer
data "google_client_config" "default" {}

provider "kubernetes" {
  host                   = "${google_container_cluster.default.endpoint}"
  token                  = "${data.google_client_config.default.access_token}"
  cluster_ca_certificate = "${base64decode(google_container_cluster.default.master_auth.0.cluster_ca_certificate)}"
  load_config_file       = false
}
or
resource "kubernetes_cluster_role_binding" "default" {
  metadata {
    name = "client-certificate-cluster-admin"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }
  subject {
    kind      = "User"
    name      = "client"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }
  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
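Added example, not code from the original question or the accepted answer: a least-privilege alternative to the cluster-admin binding above. The error in the question names exactly one missing permission (user "client" cannot create deployments.apps in namespace "default"), so the example grants a namespaced Role covering Deployments in that namespace instead of cluster-admin across the whole cluster. The RBAC objects are created through a second provider instance authenticated with the Google OAuth access token, because in Kubernetes RBAC an identity can only grant permissions it already holds, so the "client" certificate user cannot bootstrap its own access. The username and password fields from the question are GKE basic auth, a static credential sent with every request; the access token is short-lived and needs no secret stored in state. The provider alias `admin`, the resource names, and the Terraform 0.12 syntax (no `"${...}"` wrapping) are my assumptions; `google_container_cluster.default` and `data.google_client_config.default` are the names used in the accepted answer.

```hcl
# Added example (assumed names and alias); not from the original post.
data "google_client_config" "default" {}

# Privileged provider instance: Google identity running terraform, used only
# to manage RBAC. Token auth, no client certificate and no basic auth.
provider "kubernetes" {
  alias                  = "admin"
  host                   = "https://${google_container_cluster.default.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(google_container_cluster.default.master_auth[0].cluster_ca_certificate)
  load_config_file       = false # omit on provider >= 2.0, where this argument no longer exists
}

# Namespaced Role: only Deployments in "default", nothing cluster-wide.
resource "kubernetes_role" "deployer" {
  provider = kubernetes.admin

  metadata {
    name      = "deployment-manager"
    namespace = "default"
  }

  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list", "watch", "create", "update", "patch", "delete"]
  }
}

# Bind that Role to the user name the GKE client certificate presents
# ("client", as seen in the error message in the question).
resource "kubernetes_role_binding" "deployer" {
  provider = kubernetes.admin

  metadata {
    name      = "client-deployment-manager"
    namespace = "default"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.deployer.metadata[0].name
  }

  subject {
    kind      = "User"
    name      = "client"
    api_group = "rbac.authorization.k8s.io"
  }
}
```

After applying, the scope of the grant can be checked from the cluster side with `kubectl auth can-i create deployments.apps -n default --as client` (expected: yes) and `kubectl auth can-i create deployments.apps -n kube-system --as client` (expected: no). The original provider block with the client certificate can then keep creating `kubernetes_deployment` resources in "default", while any drift of the binding itself is visible in `terraform plan` rather than in a one-off cluster-admin grant.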
Regarding kubernetes - Managing GKE and its deployments with Terraform, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54364515/