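【Posted】: 2021-11-06 07:18:52
【Question】:
I am trying to deploy to my GKE cluster using helm from my GitHub Actions runner, but I am running into a permission error.
Authenticating with a Google Cloud service account
GitHub Actions CI steps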
- name: Install gcloud cli
  uses: google-github-actions/setup-gcloud@master
  with:
    version: latest
    project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
    service_account_email: ${{ secrets.GCLOUD_SA_EMAIL }}
    service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
    export_default_credentials: true
- name: gcloud configure
  run: |
    gcloud config set project ${{secrets.GCLOUD_PROJECT_ID}};
    gcloud config set compute/zone ${{secrets.GCLOUD_COMPUTE_ZONE}};
    gcloud container clusters get-credentials ${{secrets.GCLOUD_CLUSTER_NAME}};
- name: Deploy
  run: |
    ***
    helm upgrade *** ./helm \
      --install \
      --debug \
      --reuse-values \
      --set-string "$overrides"
Error
history.go:56: [debug] getting history for release blog
Error: query: failed to query with labels: secrets is forbidden: User "***" cannot list resource "secrets" in API group "" in the namespace "default": requires one of ["container.secrets.list"] permission(s).
helm.go:88: [debug] secrets is forbidden: User "***" cannot list resource "secrets" in API group "" in the namespace "default": requires one of ["container.secrets.list"] permission(s).
【Comments】:
- Which roles/permissions did you assign to the Google service account?
Tags: kubernetes google-kubernetes-engine kubernetes-helm service-accounts
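
An added example, not part of the original question or its comments: Helm 3 stores release history in Secrets in the release namespace by default, which is why `helm upgrade` fails on listing secrets here. The Python below parses the forbidden lines from the log above into the denied verb, resource, namespace and the IAM permission GKE names, and builds the matching `kubectl auth can-i` check to run with the same credentials; the function names are hypothetical.

```python
import re
import shlex

# Log lines copied from the error output in the question.
HELM_LOG = '''history.go:56: [debug] getting history for release blog
Error: query: failed to query with labels: secrets is forbidden: User "***" cannot list resource "secrets" in API group "" in the namespace "default": requires one of ["container.secrets.list"] permission(s).
helm.go:88: [debug] secrets is forbidden: User "***" cannot list resource "secrets" in API group "" in the namespace "default": requires one of ["container.secrets.list"] permission(s).'''

# Kubernetes authorization denial, with the optional GKE suffix naming IAM permissions.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]*)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)?'
    r'(?:: requires one of \[(?P<perms>[^\]]*)\] permission\(s\))?'
)

def parse_denials(log):
    """Return the unique denials in the log, in first-seen order."""
    seen, denials = set(), []
    for m in FORBIDDEN.finditer(log):
        perms = tuple(re.findall(r'"([^"]+)"', m.group("perms") or ""))
        key = (m.group("verb"), m.group("resource"), m.group("group"),
               m.group("namespace"), perms)
        if key in seen:  # Helm prints the same denial on several lines
            continue
        seen.add(key)
        denials.append({"verb": key[0], "resource": key[1], "group": key[2],
                        "namespace": key[3], "iam_permissions": perms})
    return denials

def can_i_command(denial):
    """Build the kubectl command that re-tests the denied action."""
    resource = denial["resource"]
    if denial["group"]:  # non-core API groups are written resource.group
        resource += "." + denial["group"]
    cmd = ["kubectl", "auth", "can-i", denial["verb"], resource]
    if denial["namespace"]:  # None for cluster-scoped denials
        cmd += ["--namespace", denial["namespace"]]
    return " ".join(shlex.quote(part) for part in cmd)

if __name__ == "__main__":
    for d in parse_denials(HELM_LOG):
        print(d["iam_permissions"], "->", can_i_command(d))
```

Running the printed command as a step after `get-credentials` shows whether the service account's role covers the listed permission before Helm is invoked.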