【发布时间】:2020-06-16 14:39:31
【问题描述】:
我不得不将我的 .Net Core 应用从 Google App Engine 迁移到 Google Kubernetes Engine,因为我需要静态 IP,遗憾的是 Google App Engine 没有这个选项。
我已经成功创建了一个集群和一些 pod,但在日志中我看到了:
Unhandled exception. Grpc.Core.RpcException: Status(StatusCode=PermissionDenied, Detail="Request had insufficient authentication scopes.")
at Grpc.Core.Internal.AsyncCall`2.UnaryCall(TRequest msg)
at Grpc.Core.Calls.BlockingUnaryCall[TRequest,TResponse](CallInvocationDetails`2 call, TRequest req)
at Grpc.Core.DefaultCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequest request)
at Grpc.Core.Interceptors.InterceptingCallInvoker.<BlockingUnaryCall>b__3_0[TRequest,TResponse](TRequest req, ClientInterceptorContext`2 ctx)
at Grpc.Core.ClientBase.ClientBaseConfiguration.ClientBaseConfigurationInterceptor.BlockingUnaryCall[TRequest,TResponse](TRequest request, ClientInterceptorContext`2 context, BlockingUnaryCallContinuation`2 continuation)
at Grpc.Core.Interceptors.InterceptingCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequest request)
at Google.Cloud.Kms.V1.KeyManagementService.KeyManagementServiceClient.Decrypt(DecryptRequest request, CallOptions options)
at Google.Api.Gax.Grpc.ApiCall.GrpcCallAdapter`2.CallSync(TRequest request, CallSettings callSettings)
at Google.Api.Gax.Grpc.ApiCallRetryExtensions.<>c__DisplayClass1_0`2.<WithRetry>b__0(TRequest request, CallSettings callSettings)
at Google.Api.Gax.Grpc.ApiCall`2.<>c__DisplayClass10_0.<WithCallSettingsOverlay>b__1(TRequest req, CallSettings cs)
at Google.Api.Gax.Grpc.ApiCall`2.Sync(TRequest request, CallSettings perCallCallSettings)
at Google.Cloud.Kms.V1.KeyManagementServiceClientImpl.Decrypt(DecryptRequest request, CallSettings callSettings)
at Google.Cloud.Kms.V1.KeyManagementServiceClient.Decrypt(CryptoKeyName name, ByteString ciphertext, CallSettings callSettings)
at Neo.Services.Kms.EncryptedFileInfo.CreateReadStream() in /app/Services/Kms/EncryptedFileInfo.cs:line 81
at Microsoft.Extensions.Configuration.FileConfigurationProvider.Load(Boolean reload)
at Microsoft.Extensions.Configuration.FileConfigurationProvider.Load()
at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
at Neo.Services.Config.ConfigurationProvider.get_AppConfig() in /app/Services/Config/ConfigurationProvider.cs:line 27
at Neo.Startup.LogAppChecks() in /app/Startup.cs:line 197
at Neo.Startup.Run() in /app/Startup.cs:line 24
at Neo.Program.Main() in /app/Program.cs:line 5
我已经设法发现存在这个问题,因为我无法在 Kubernetes 中解密我的 appsettings.json 文件。它在 Google App Engine 中运行。
我的猜测是因为 GAE 已经默认设置了 GOOGLE_APPLICATION_CREDENTIALS 环境变量。
我找到了 that 文章,但它看起来像是在描述不同的东西。
如何从 Kubernetes Engine 访问 Google KMS?
@更新
我的节点池描述的输出:
config:
diskSizeGb: 100
diskType: pd-standard
imageType: COS
machineType: n1-standard-1
metadata:
disable-legacy-endpoints: 'true'
oauthScopes:
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring
- https://www.googleapis.com/auth/service.management.readonly
- https://www.googleapis.com/auth/servicecontrol
- https://www.googleapis.com/auth/trace.append
serviceAccount: default
我已使用此命令将范围添加到我的新节点池
gcloud container node-pools create your-pool-name --zone europe-west1-b --cluster
your-cluster-name --num-nodes 1 --scopes default,bigquery,cloud-platform,compute-rw,datastore,storage-full,taskqueue,userinfo-email,sql-admin
现在我得到了:
Unhandled exception. Grpc.Core.RpcException: Status(StatusCode=PermissionDenied, Detail="Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/project-name/locations/global/keyRings/webapp/cryptoKeys/appsecrets' (or it may not exist).")
at Grpc.Core.Internal.AsyncCall`2.UnaryCall(TRequest msg)
at Grpc.Core.Calls.BlockingUnaryCall[TRequest,TResponse](CallInvocationDetails`2 call, TRequest req)
at Grpc.Core.DefaultCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequest request)
at Grpc.Core.Interceptors.InterceptingCallInvoker.<BlockingUnaryCall>b__3_0[TRequest,TResponse](TRequest req, ClientInterceptorContext`2 ctx)
at Grpc.Core.ClientBase.ClientBaseConfiguration.ClientBaseConfigurationInterceptor.BlockingUnaryCall[TRequest,TResponse](TRequest request, ClientInterceptorContext`2 context, BlockingUnaryCallContinuation`2 continuation)
at Grpc.Core.Interceptors.InterceptingCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequest request)
at Google.Cloud.Kms.V1.KeyManagementService.KeyManagementServiceClient.Decrypt(DecryptRequest request, CallOptions options)
at Google.Api.Gax.Grpc.ApiCall.GrpcCallAdapter`2.CallSync(TRequest request, CallSettings callSettings)
at Google.Api.Gax.Grpc.ApiCallRetryExtensions.<>c__DisplayClass1_0`2.<WithRetry>b__0(TRequest request, CallSettings callSettings)
at Google.Api.Gax.Grpc.ApiCall`2.<>c__DisplayClass10_0.<WithCallSettingsOverlay>b__1(TRequest req, CallSettings cs)
at Google.Api.Gax.Grpc.ApiCall`2.Sync(TRequest request, CallSettings perCallCallSettings)
at Google.Cloud.Kms.V1.KeyManagementServiceClientImpl.Decrypt(DecryptRequest request, CallSettings callSettings)
at Google.Cloud.Kms.V1.KeyManagementServiceClient.Decrypt(CryptoKeyName name, ByteString ciphertext, CallSettings callSettings)
at Neo.Services.Kms.EncryptedFileInfo.CreateReadStream() in /app/Services/Kms/EncryptedFileInfo.cs:line 81
at Microsoft.Extensions.Configuration.FileConfigurationProvider.Load(Boolean reload)
at Microsoft.Extensions.Configuration.FileConfigurationProvider.Load()
at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
at Neo.Services.Config.ConfigurationProvider.get_AppConfig() in /app/Services/Config/ConfigurationProvider.cs:line 27
at Neo.Startup.LogAppChecks() in /app/Startup.cs:line 197
at Neo.Startup.Run() in /app/Startup.cs:line 24
at Neo.Program.Main() in /app/Program.cs:line 5
在我将 Google KMS 解密/加密角色添加到服务帐户后,它就可以工作了!
感谢@sethvargo
现在可以使用了
【问题讨论】:
-
创建集群时,需要确保节点池具有
cloud-platformoauth 范围。更多信息:cloud.google.com/kubernetes-engine/docs/how-to/access-scopes
标签: kubernetes .net-core google-cloud-platform google-kubernetes-engine google-cloud-kms