版本“iam.cnrm.cloud.google.com/v1beta1”中的种类“IAMPolicy”没有匹配项

Question

我想使用工作负载身份访问服务帐户。

cat serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: serviceaccount_key@PROJECT_ID.iam.gserviceaccount.com
  name: rao-sa
  namespace: test

我的 yaml 文件是 policy.yaml

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-workload-identity-sample
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: serviceaccount_key@PROJECT_ID.iam.gserviceaccount.com
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:PROJECT_ID.svc.id.goog[test/rao-sa]

---

kubectl apply -f policy.yaml
error: unable to recognize "policy.yaml": no matches for kind "IAMPolicy" in version "iam.cnrm.cloud.google.com/v1beta1"

YAML 文件出现错误：版本“iam.cnrm.cloud.google.com/v1beta1”中的种类“IAMPolicy”没有匹配项

Answer 1

以下是 IAM 政策的一些资源以及如何启用 GKE 工作负载身份

https://medium.com/bluecore-engineering/the-infrastructure-triumvirate-continuous-service-and-infrastructure-delivery-with-argo-a33a3f76dc06 https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampolicy https://dzone.com/articles/enabling-gke-workload-identity

同时检查您的 policy.yaml 文件，我发现了一些放错位置的项目，请检查这是否有效。

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-workload-identity-sample
  namespace: rao-sa
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: serviceaccount_key@PROJECT_ID.iam.gserviceaccount.com
  bindings:
      members:
        - serviceAccount:PROJECT_ID.svc.id.goog[test/rao-sa]
        role: roles/iam.workloadIdentityUser

Answer 2

这是未安装config connector时的常见错误，请检查第7步。

How to enable?

gcloud container clusters update CLUSTER_NAME \
    --update-addons ConfigConnector=ENABLED