This page explains how to set up and use Workload Identity cluster authentication with Google Distributed Cloud (software only) on bare metal. Workload Identity cluster authentication uses short-lived tokens and Workload Identity Federation, instead of service account keys, to create and secure clusters. The short-lived credentials for the service accounts are OAuth 2.0 access tokens. By default, an access token expires after 1 hour; the exception is the image pull token, which expires after 12 hours.
Workload Identity cluster authentication is available only when you create a new cluster that runs version 1.30 or later. You can't configure an existing cluster to use Workload Identity cluster authentication during an update or an upgrade.
By contrast, key mode, the standard way to create and secure clusters, uses downloaded service account keys. When you create a self-managed cluster (admin, hybrid, or standalone), you specify the paths to the downloaded keys. Those keys are then stored as Secrets in that cluster and in any user clusters it manages. Service account keys don't expire by default and become a security risk if they aren't managed properly.
Compared with service account keys, Workload Identity cluster authentication has two main advantages:
- Better security: service account keys that aren't managed carefully are a security risk. OAuth 2.0 credentials and Workload Identity Federation are the recommended alternative to service account keys. For more about service account tokens, see Short-lived service account credentials. For more about Workload Identity Federation, see Workload Identity Federation.
- Less maintenance: service account keys need more upkeep. Rotating and protecting them on a regular schedule can be a significant administrative burden.
Before you begin
In the following sections, you create service accounts and grant them the roles that Workload Identity cluster authentication requires. The setup instructions on this page don't replace those in Configure Google Cloud resources; they are additional prerequisites to the standard Google Distributed Cloud software-only installation. The service accounts that Workload Identity cluster authentication needs are similar to the ones described in Configure Google Cloud resources, but they have distinct names so that they don't interfere with clusters that use the default service account keys.
This page is for Admins, Architects, and Operators who set up, monitor, and manage the lifecycle of the underlying tech infrastructure. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
The following table describes the service accounts that Workload Identity cluster authentication requires:
| Service account | Purpose | Roles |
|---|---|---|
| ADMIN_SA | You use this service account to generate tokens. Each token carries the permissions of the roles bound to the service account. | roles/gkehub.admin, roles/logging.admin, roles/monitoring.admin, roles/monitoring.dashboardEditor, roles/iam.serviceAccountAdmin, roles/iam.serviceAccountTokenCreator |
| baremetal-controller | The Connect Agent uses this service account to maintain the connection between the cluster and Google Cloud and to register the cluster with the fleet. It also refreshes tokens for the baremetal-gcr service account. | roles/gkehub.admin, roles/monitoring.dashboardEditor, roles/serviceusage.serviceUsageViewer |
| baremetal-cloud-ops | The Stackdriver agents use this service account to export the cluster's logs and metrics to Cloud Logging and Cloud Monitoring. | roles/logging.logWriter, roles/monitoring.metricWriter, roles/stackdriver.resourceMetadata.writer, roles/opsconfigmonitoring.resourceMetadata.writer, roles/monitoring.dashboardEditor, roles/monitoring.viewer, roles/serviceusage.serviceUsageViewer, roles/kubernetesmetadata.publisher |
| baremetal-gcr | Google Distributed Cloud uses this service account to pull container images from Artifact Registry. | None |
Create and configure service accounts for Workload Identity cluster authentication
The following sections describe how to create the required service accounts and grant them the roles that Workload Identity cluster authentication needs. For the list of service accounts and their required roles, see the table in the preceding section.
Create service accounts
To create the service accounts for Workload Identity cluster authentication:
1. On your admin workstation, sign in to the Google Cloud CLI:
   ```
   gcloud auth login
   ```
2. (Optional) Create the admin service account, ADMIN_SA. The name of this service account is arbitrary. You can even use an existing service account that already has the roles listed in the preceding table, but this isn't recommended because it violates the principle of least privilege.
   ```
   gcloud iam service-accounts create ADMIN_SA \
       --project=PROJECT_ID
   ```
   Replace PROJECT_ID with the ID of your Google Cloud project.
3. Create the standard service accounts for Workload Identity cluster authentication. These service accounts have predetermined names, which you can customize if needed.
   ```
   gcloud iam service-accounts create baremetal-controller \
       --project=PROJECT_ID
   gcloud iam service-accounts create baremetal-cloud-ops \
       --project=PROJECT_ID
   gcloud iam service-accounts create baremetal-gcr \
       --project=PROJECT_ID
   ```
   Replace PROJECT_ID with the ID of your Google Cloud project.
Add Identity and Access Management policy bindings to the service accounts
1. Add IAM policy bindings for the required roles to the ADMIN_SA service account:
   ```
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/gkehub.admin
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/logging.admin
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/monitoring.admin
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/monitoring.dashboardEditor
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/iam.serviceAccountAdmin
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/iam.serviceAccountTokenCreator
   ```
2. Add IAM policy bindings for the required roles to the baremetal-controller service account:
   ```
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/gkehub.admin
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/monitoring.dashboardEditor
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/serviceusage.serviceUsageViewer
   ```
3. Add IAM policy bindings for the required roles to the baremetal-cloud-ops service account:
   ```
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/logging.logWriter
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/monitoring.dashboardEditor
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/monitoring.metricWriter
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/opsconfigmonitoring.resourceMetadata.writer
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/stackdriver.resourceMetadata.writer
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/monitoring.viewer
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/serviceusage.serviceUsageViewer
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/kubernetesmetadata.publisher
   ```
4. Grant the baremetal-controller service account permission to generate access tokens on behalf of the baremetal-gcr service account:
   ```
   gcloud iam service-accounts add-iam-policy-binding \
       baremetal-gcr@PROJECT_ID.iam.gserviceaccount.com \
       --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
       --role=roles/iam.serviceAccountTokenCreator
   ```
Configure Workload Identity Federation for the cluster
To provide access through Workload Identity Federation for GKE, you create an IAM allow policy that grants access to specific Google Cloud resources to the principal that corresponds to the application's identity. In this case, Workload Identity Federation grants access to specific operators in the cluster. For more information about Workload Identity Federation for GKE, see Workload Identity Federation in the IAM documentation.
Add IAM policy bindings for the cluster operator
The following command gives the anthos-cluster-operator Kubernetes service account the ability to impersonate the baremetal-controller service account and interact with Google Cloud resources on behalf of the cluster:
1. For each cluster that is configured (or that you plan to configure) for Workload Identity cluster authentication, including the bootstrap cluster, grant anthos-cluster-operator in that cluster permission to impersonate the baremetal-controller service account. In the following command, the principalSet identifies the workload identity pool and the anthos-cluster-operator Kubernetes service account in the kube-system namespace.
   ```
   gcloud iam service-accounts add-iam-policy-binding \
       baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
       --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/anthos-cluster-operator \
       --role=roles/iam.workloadIdentityUser \
       --project=PROJECT_ID
   ```
   Replace the following:
   - PROJECT_ID: the ID of your Google Cloud project.
   - PROJECT_NUM: the project number of your Google Cloud project.
   - REGION: the location of the cluster's fleet membership.
   - CLUSTER_NAME: the name of the cluster.
2. Verify the policy bindings on the baremetal-controller service account:
   ```
   gcloud iam service-accounts get-iam-policy \
       baremetal-controller@PROJECT_ID.iam.gserviceaccount.com
   ```
   The response should look similar to the following:
   ```
   bindings:
   - members:
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/anthos-cluster-operator
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/anthos-cluster-operator
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/anthos-cluster-operator
     role: roles/iam.workloadIdentityUser
   etag: BwYoN3QLig0=
   version: 1
   ```
Add IAM policy bindings for the Google Cloud Observability operators
The following commands give these Google Cloud Observability Kubernetes service accounts the ability to impersonate the baremetal-cloud-ops service account and interact with Google Cloud resources on behalf of the cluster:
- cloud-audit-logging
- gke-metrics-agent
- kubestore-collector
- metadata-agent
- stackdriver-log-forwarder
1. For each cluster that is configured (or that you plan to configure) for Workload Identity cluster authentication, including the bootstrap cluster, grant the Google Cloud Observability operators in that cluster the ability to impersonate the baremetal-cloud-ops service account. In each of the following commands, the principalSet identifies the workload identity pool and one Kubernetes service account, such as cloud-audit-logging in the kube-system namespace.
   ```
   gcloud iam service-accounts add-iam-policy-binding \
       baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/cloud-audit-logging \
       --role=roles/iam.workloadIdentityUser \
       --project=PROJECT_ID
   gcloud iam service-accounts add-iam-policy-binding \
       baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/gke-metrics-agent \
       --role=roles/iam.workloadIdentityUser \
       --project=PROJECT_ID
   gcloud iam service-accounts add-iam-policy-binding \
       baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/kubestore-collector \
       --role=roles/iam.workloadIdentityUser \
       --project=PROJECT_ID
   gcloud iam service-accounts add-iam-policy-binding \
       baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/metadata-agent \
       --role=roles/iam.workloadIdentityUser \
       --project=PROJECT_ID
   gcloud iam service-accounts add-iam-policy-binding \
       baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
       --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/stackdriver-log-forwarder \
       --role=roles/iam.workloadIdentityUser \
       --project=PROJECT_ID
   ```
2. Verify the policy bindings on the baremetal-cloud-ops service account:
   ```
   gcloud iam service-accounts get-iam-policy \
       baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com
   ```
   The response should look similar to the following:
   ```
   bindings:
   - members:
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/cloud-audit-logging
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/gke-metrics-agent
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/kubestore-collector
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/metadata-agent
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/stackdriver-log-forwarder
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/cloud-audit-logging
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/gke-metrics-agent
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/kubestore-collector
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/metadata-agent
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/stackdriver-log-forwarder
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/cloud-audit-logging
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/gke-metrics-agent
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/kubestore-collector
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/metadata-agent
     - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/stackdriver-log-forwarder
     role: roles/iam.workloadIdentityUser
   etag: BwYhT4gL-dY=
   version: 1
   ```
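The two binding sections above show the commands for a single cluster, ask you to repeat them for every cluster including the bootstrap cluster, and then have you read the get-iam-policy output by eye. The following shell script is an added example, not code from this page or from Google Distributed Cloud: it builds the principalSet member for each (cluster, Kubernetes service account) pair, audits a saved get-iam-policy dump for members that are absent or bound under a role other than roles/iam.workloadIdentityUser, and prints the exact add-iam-policy-binding command for each gap. The project number and project ID are taken from the sample output above; the region (us-central1), the cluster list, and the policy dump itself are constructed for the example, not captured from gcloud.

```shell
#!/bin/sh
# Added example, not code from the page or from Google Distributed Cloud.
# Generates the workloadIdentityUser bindings for every cluster in a fleet and
# audits a saved `gcloud iam service-accounts get-iam-policy` dump for gaps.
# Project number, project ID, region and cluster names are assumptions.

# principalSet member in the form the page's add-iam-policy-binding commands use.
# $1 project number, $2 project ID, $3 region, $4 cluster name, $5 KSA name.
wi_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/attribute.fleetclusteridentity/projects/%s/locations/%s/memberships/%s/ns/kube-system/sa/%s' \
    "$1" "$2" "$2" "$3" "$4" "$5"
}

# Print (not run) one binding command per (cluster, KSA) pair.
# $1 project number, $2 project ID, $3 region, $4 Google service account name,
# $5 space-separated cluster names, $6 space-separated KSA names.
emit_bindings() {
  for cluster in $5; do
    for ksa in $6; do
      printf 'gcloud iam service-accounts add-iam-policy-binding %s@%s.iam.gserviceaccount.com --member=%s --role=roles/iam.workloadIdentityUser --project=%s\n' \
        "$4" "$2" "$(wi_member "$1" "$2" "$3" "$cluster" "$ksa")" "$2"
    done
  done
}

# List the members of a saved policy ($1) that hold roles/iam.workloadIdentityUser.
# Members bound under any other role are dropped, so a binding created with the
# wrong role is reported as missing instead of being silently accepted.
wi_bound_members() {
  awk '
    /^[ \t]*-[ \t]*members:/ { buf = ""; next }
    /^[ \t]*-[ \t]/          { line = $0; sub(/^[ \t]*-[ \t]*/, "", line); buf = buf line "\n"; next }
    /^[ \t]*role:/           { if ($2 == "roles/iam.workloadIdentityUser") printf "%s", buf; buf = ""; next }
  ' "$1"
}

# Print a remediation command for every expected member that is not bound;
# return 1 if anything is missing, 0 if the policy is complete.
# $1 policy file, $2 GSA name, $3 project number, $4 project ID, $5 region,
# $6 cluster names, $7 KSA names.
missing_bindings() {
  bound=$(wi_bound_members "$1"); rc=0
  for cluster in $6; do
    for ksa in $7; do
      if ! printf '%s\n' "$bound" | grep -Fxq -- "$(wi_member "$3" "$4" "$5" "$cluster" "$ksa")"; then
        emit_bindings "$3" "$4" "$5" "$2" "$cluster" "$ksa"; rc=1
      fi
    done
  done
  return $rc
}

# Constructed sample policy (not captured from gcloud): the three clusters the
# page names, with user-cluster's anthos-cluster-operator bound under the wrong role.
PROJECT_NUM=112233445566; PROJECT_ID=my-project; REGION=us-central1
CLUSTERS="bmctl-admin-ws admin-cluster user-cluster"
POLICY_FILE=$(mktemp); trap 'rm -f "$POLICY_FILE"' EXIT
cat >"$POLICY_FILE" <<EOF
bindings:
- members:
  - $(wi_member "$PROJECT_NUM" "$PROJECT_ID" "$REGION" bmctl-admin-ws anthos-cluster-operator)
  - $(wi_member "$PROJECT_NUM" "$PROJECT_ID" "$REGION" admin-cluster anthos-cluster-operator)
  role: roles/iam.workloadIdentityUser
- members:
  - $(wi_member "$PROJECT_NUM" "$PROJECT_ID" "$REGION" user-cluster anthos-cluster-operator)
  role: roles/iam.serviceAccountUser
etag: BwYoN3QLig0=
version: 1
EOF

if missing_bindings "$POLICY_FILE" baremetal-controller "$PROJECT_NUM" "$PROJECT_ID" "$REGION" "$CLUSTERS" anthos-cluster-operator; then
  echo "baremetal-controller: every cluster is bound"
else
  echo "baremetal-controller: run the commands above, then re-check"
fi
```

To audit a real fleet, save the output of `gcloud iam service-accounts get-iam-policy baremetal-controller@PROJECT_ID.iam.gserviceaccount.com` to a file and call `missing_bindings` on it; for baremetal-cloud-ops pass the five observability service account names as the last argument. The comparison is an exact string match, so it only recognizes members in the layout the add-iam-policy-binding commands above create; if your get-iam-policy output prints the attribute.fleetclusteridentity segment in a different layout, adapt `wi_member` to that layout before trusting the result.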
Cluster configuration
The most visible difference in the configuration of a cluster that uses Workload Identity cluster authentication is that you don't specify paths to downloaded service account keys.
When you fill in the cluster configuration file, leave the service account key paths in the credentials section empty, as in the following example:
```
gcrKeyPath:
sshPrivateKeyPath: /home/USERNAME/.ssh/id_rsa
gkeConnectAgentServiceAccountKeyPath:
gkeConnectRegisterServiceAccountKeyPath:
cloudOperationsServiceAccountKeyPath:
---
apiVersion: v1
kind: Namespace
metadata:
  name: cluster-CLUSTER_NAME
---
apiVersion: baremetal.cluster.gke.io/v1
kind: Cluster
metadata:
  name: CLUSTER_NAME
  namespace: cluster-CLUSTER_NAME
spec:
  type: admin
  profile: default
  anthosBareMetalVersion: 1.30.0-gke.1930
  ...
```
(Optional) Configure custom names for the Workload Identity cluster authentication service accounts. Specifying custom names lets you use existing service accounts. Make sure that the custom service account names you specify are distinct from one another. If you use custom names, create the IAM policy bindings from the preceding sections on those service accounts instead of on baremetal-controller, baremetal-cloud-ops, and baremetal-gcr.
```
apiVersion: baremetal.cluster.gke.io/v1
kind: Cluster
metadata:
  name: CLUSTER_NAME
  namespace: cluster-CLUSTER_NAME
  annotations:
    baremetal.cluster.gke.io/controller-service-account: "CUSTOM_CONTROLLER_GSA"
    baremetal.cluster.gke.io/cloud-ops-service-account: "CUSTOM_CLOUD_OPS_GSA"
    baremetal.cluster.gke.io/gcr-service-account: "CUSTOM_AR_GSA"
spec:
  type: admin
  profile: default
  anthosBareMetalVersion: 1.30.0-gke.1930
  ...
```
Replace the following:
- CUSTOM_CONTROLLER_GSA: the email name of the service account that the Connect Agent uses to maintain the connection between the cluster and Google Cloud and to register the cluster.
- CUSTOM_CLOUD_OPS_GSA: the email name of the service account that the Stackdriver agents use to export the cluster's logs and metrics to Cloud Logging and Cloud Monitoring.
- CUSTOM_AR_GSA: the email name of the service account that Google Distributed Cloud uses to pull container images from Artifact Registry.
Cluster operations
When you're ready to create, upgrade, or delete a cluster that uses Workload Identity cluster authentication, follow these steps:
1. Sign in to the Google Cloud CLI:
   ```
   gcloud auth login
   ```
2. On your admin workstation, create and download a key for the ADMIN_SA service account:
   ```
   gcloud iam service-accounts keys create TMP_KEY_FILE_PATH \
       --iam-account=ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com
   ```
   Replace TMP_KEY_FILE_PATH with the path, including the file name, for the downloaded key file.
3. Authorize access to Google Cloud with the ADMIN_SA service account:
   ```
   gcloud auth activate-service-account ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
       --key-file=TMP_KEY_FILE_PATH
   ```
4. Delete the downloaded JSON key file:
   ```
   rm TMP_KEY_FILE_PATH
   ```
   This removes only the local copy. The key stays registered on the ADMIN_SA service account, and gcloud keeps its own copy in the credential store, so the key remains a usable long-lived credential until you remove it with `gcloud iam service-accounts keys delete` and run `gcloud auth revoke` for the account.
5. On the admin workstation, create the GCP_ACCESS_TOKEN environment variable and set it to an access token created by the ADMIN_SA service account:
   ```
   export GCP_ACCESS_TOKEN=$(gcloud auth print-access-token \
       --impersonate-service-account=ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com)
   ```
   By default, the access token is valid for 1 hour.
6. Confirm that the token was generated by the ADMIN_SA service account and has the expected expiry:
   ```
   curl "https://oauth2.googleapis.com/tokeninfo?access_token=$GCP_ACCESS_TOKEN"
   ```
   The response should include lines like the following:
   ```
   ...
   "expires_in": "3582",
   "email": "ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com",
   ...
   ```
   The expiry value is in seconds and should be less than 3600, which indicates that the token expires in under an hour.
7. Run bmctl commands to create, upgrade, or delete clusters. If bmctl detects that the GCP_ACCESS_TOKEN environment variable is set, it validates the token. If the token is valid, bmctl uses it for the cluster operation. For clusters that use Workload Identity cluster authentication, the following commands require GCP_ACCESS_TOKEN to be set to a valid access token:
   ```
   bmctl create cluster -c CLUSTER_NAME
   bmctl reset cluster -c CLUSTER_NAME
   bmctl upgrade cluster -c CLUSTER_NAME
   ```
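Steps 5 through 7 above mint a token, have you inspect the tokeninfo response by hand, and then run bmctl. The following shell script is an added example, not code from this page or from Google Distributed Cloud: it turns that manual inspection into a gate that refuses a GCP_ACCESS_TOKEN that was not issued to ADMIN_SA (for example, a token from your own user login after `gcloud auth login`), that tokeninfo reports as invalid, or that has too little lifetime left to survive a long bmctl operation. The ADMIN_SA email is an assumption, and the tokeninfo responses are constructed for the example, not captured from Google. The `bmctl_with_token` wrapper needs real gcloud, curl and bmctl and is not exercised by the constructed samples.

```shell
#!/bin/sh
# Added example, not code from the page or from Google Distributed Cloud.
# Gates bmctl on the tokeninfo response for GCP_ACCESS_TOKEN: the token must
# belong to ADMIN_SA, must still be valid, and must have some lifetime left.
# The ADMIN_SA email and all tokeninfo responses below are assumptions.

# Extract a string value from a flat tokeninfo JSON object without jq.
# $1 JSON text, $2 key. tokeninfo returns numbers as strings, e.g. "3582".
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[ ]*:[ ]*\"\([^\"]*\)\".*/\1/p"
}

# Return 0 only if the token described by tokeninfo response $1 belongs to $2
# and has at least $3 seconds left (default 300). Prints the reason on stderr.
check_access_token() {
  info=$1; expected=$2; min_left=${3:-300}
  email=$(json_field "$info" email)
  expires_in=$(json_field "$info" expires_in)
  case $expires_in in
    ''|*[!0-9]*)
      echo "token check: no numeric expires_in in response (expired or malformed token)" >&2
      return 1 ;;
  esac
  if [ "$email" != "$expected" ]; then
    echo "token check: token belongs to '$email', expected '$expected'" >&2
    return 1
  fi
  if [ "$expires_in" -lt "$min_left" ]; then
    echo "token check: only ${expires_in}s of lifetime left, need at least ${min_left}s" >&2
    return 1
  fi
  return 0
}

# Mint a fresh token, check it, then run the bmctl command given as arguments.
# Needs gcloud, curl and bmctl; not exercised by the constructed samples below.
bmctl_with_token() {
  GCP_ACCESS_TOKEN=$(gcloud auth print-access-token \
      --impersonate-service-account="$ADMIN_SA_EMAIL") || return 1
  check_access_token "$(curl -s "https://oauth2.googleapis.com/tokeninfo?access_token=$GCP_ACCESS_TOKEN")" \
      "$ADMIN_SA_EMAIL" || return 1
  GCP_ACCESS_TOKEN=$GCP_ACCESS_TOKEN bmctl "$@"
}

ADMIN_SA_EMAIL=ADMIN_SA@my-project.iam.gserviceaccount.com   # assumed name

# Constructed tokeninfo responses for the cases a practitioner runs into.
TOKEN_OK='{"azp":"1234","aud":"1234","scope":"https://www.googleapis.com/auth/cloud-platform","exp":"1700003582","expires_in":"3582","email":"ADMIN_SA@my-project.iam.gserviceaccount.com","email_verified":"true","access_type":"online"}'
TOKEN_WRONG_IDENTITY='{"expires_in":"3500","email":"alice@example.com","email_verified":"true"}'   # user login, not the SA
TOKEN_NEARLY_EXPIRED='{"expires_in":"42","email":"ADMIN_SA@my-project.iam.gserviceaccount.com"}'
TOKEN_INVALID='{"error":"invalid_token","error_description":"Invalid Value"}'          # expired or revoked

for sample in "$TOKEN_OK" "$TOKEN_WRONG_IDENTITY" "$TOKEN_NEARLY_EXPIRED" "$TOKEN_INVALID"; do
  if check_access_token "$sample" "$ADMIN_SA_EMAIL"; then echo "accepted"; else echo "rejected"; fi
done
```

bmctl validates the token itself, so the gate does not replace that check; its value is failing fast, with a readable reason, before bmctl starts a multi-minute operation with the wrong identity or with a token that will expire partway through. The remaining-lifetime margin is a parameter because a cluster upgrade and a cluster reset need different amounts of it.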
Limitations
Workload Identity cluster authentication is in Preview and doesn't support the following:
- Using a proxy server
- VPC Service Controls
- Updating an existing key-mode cluster to use Workload Identity cluster authentication