I am trying to get Config Connector up and running on my GKE project and am following this getting started guide.
So far I have enabled the appropriate APIs:

> gcloud services enable cloudresourcemanager.googleapis.com
Created my service account and added the policy binding:
> gcloud iam service-accounts create cnrm-system
> gcloud iam service-accounts add-iam-policy-binding [email protected] --member="serviceAccount:test-connector.svc.id.goog[cnrm-system/cnrm-controller-manager]" --role="roles/iam.workloadIdentityUser"
> kubectl wait -n cnrm-system --for=condition=Ready pod --all
Annotated my namespace:
> kubectl annotate namespace default cnrm.cloud.google.com/project-id=test-connector
Then tried to apply the Spanner YAML from the samples:
~ >>> kubectl describe spannerinstance spannerinstance-sample
Name:         spannerinstance-sample
Namespace:    default
Labels:       label-one=value-one
Annotations:  cnrm.cloud.google.com/management-conflict-prevention-policy: resource
              cnrm.cloud.google.com/project-id: test-connector
API Version:  spanner.cnrm.cloud.google.com/v1beta1
Kind:         SpannerInstance
Metadata:
  Creation Timestamp:  2020-09-18T18:44:41Z
  Generation:          2
  Resource Version:    5805305
  Self Link:           /apis/spanner.cnrm.cloud.google.com/v1beta1/namespaces/default/spannerinstances/spannerinstance-sample
  UID:
Spec:
  Config:        northamerica-northeast1-a
  Display Name:  Spanner Instance Sample
  Num Nodes:     1
Status:
  Conditions:
    Last Transition Time:  2020-09-18T18:44:41Z
    Message:               Update call failed: error fetching live state: error reading underlying resource: Error when reading or editing SpannerInstance "test-connector/spannerinstance-sample": googleapi: Error 403: Request had insufficient authentication scopes.
    Reason:                UpdateFailed
    Status:                False
    Type:                  Ready
Events:
  Type     Reason        Age    From                        Message
  ----     ------        ----   ----                        -------
  Warning  UpdateFailed  6m41s  spannerinstance-controller  Update call failed: error fetching live state: error reading underlying resource: Error when reading or editing SpannerInstance "test-connector/spannerinstance-sample": googleapi: Error 403: Request had insufficient authentication scopes.
I'm not quite sure what is going on here, since my cnrm service account has ownership of the project the cluster is in, and the APIs listed in the guide are enabled.
The CC pods themselves look healthy:
~ >>> kubectl wait -n cnrm-system --for=condition=Ready pod --all
pod/cnrm-controller-manager-0 condition met
pod/cnrm-deletiondefender-0 condition met
pod/cnrm-resource-stats-recorder-58cb6c9fc-lf9nt condition met
pod/cnrm-webhook-manager-7658bbb9-kxp4g condition met
Any insight on this would be greatly appreciated!

Best answer

Based on the error message you posted, I should think this may be a problem with the GKE scopes.
For GKE to access other GCP APIs, this access must be allowed when the cluster is created. You can check the enabled scopes with the following command: gcloud container clusters describe <cluster-name> and look for oauthScopes in the result.
Here, you can see the scope name for Cloud Spanner; the scope https://www.googleapis.com/auth/cloud-platform must be enabled as the minimum permission.
To verify in the GUI, you can view the permissions at: Kubernetes Engine > <Cluster-name> > expand the permissions section and look for Cloud Platform.
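The scope check the answer describes, automated as a small POSIX shell script. This is an added example, not code from the question, the answer or Config Connector; the gcloud flags in the commented invocation are an assumption, and the scope lists at the bottom are constructed samples so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every node pool of a
# GKE cluster carries the OAuth scope the answer names. A pool created with the
# default scopes lacks it, which is the condition behind the 403 above.

REQUIRED_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# scopes_have_required: read one ';'-separated scope list per line on stdin
# (the shape `gcloud ... --format='value(...)'` emits for a list field) and
# return 0 only if every line, i.e. every node pool, contains the scope.
# An empty line (a pool with no scopes at all) counts as missing.
scopes_have_required() {
  rc=0
  while IFS= read -r line; do
    case ";$line;" in
      *";$REQUIRED_SCOPE;"*) ;;
      *) rc=1 ;;
    esac
  done
  return $rc
}

# Real usage (assumed gcloud flags; needs gcloud and access to the cluster):
#   gcloud container clusters describe "$CLUSTER" --zone "$ZONE" \
#     --flatten='nodePools[]' --format='value(nodePools.config.oauthScopes)' \
#     | scopes_have_required && echo "all node pools carry $REQUIRED_SCOPE"

# Constructed samples: one pool with the broad scope, one with the defaults.
SAMPLE_OK="https://www.googleapis.com/auth/cloud-platform"
SAMPLE_BAD="https://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write"

# demo: returns 0 when the constructed pool list passes, 1 otherwise.
demo() {
  printf '%s\n' "$SAMPLE_OK" "$SAMPLE_BAD" | scopes_have_required
}

if demo; then
  echo "sample: every node pool carries $REQUIRED_SCOPE"
else
  echo "sample: at least one node pool lacks $REQUIRED_SCOPE"
fi
```

Run it against a real cluster by replacing the sample input with the commented gcloud pipeline; a non-zero exit means at least one node pool was created without the scope.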

Regarding kubernetes - GKE: Config Connector's service account lacks permissions, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/64010131/

10-11 06:44