Workload Identity cluster authentication

This document describes how to set up and use Workload Identity cluster authentication with Google Distributed Cloud (software only) for bare metal. Workload Identity cluster authentication uses short-lived tokens and Workload Identity Federation, rather than service account keys, to create and secure clusters. The short-lived credentials for the service accounts take the form of OAuth 2.0 access tokens. By default, an access token expires after 1 hour; the exception is image pull tokens, which expire after 12 hours.

Workload Identity cluster authentication is available only when you create new clusters running version 1.30 or later. You can't configure an existing cluster to use Workload Identity cluster authentication during an update or an upgrade.

By contrast, key mode is the standard method for creating and securing clusters and relies on downloaded service account keys. When you create a self-managed cluster (admin, hybrid, or standalone), you specify the paths to the downloaded keys. Those keys are then stored as Secrets in the cluster and in any user clusters it manages. Service account keys don't expire by default, so they are a security risk if they aren't managed properly.

Compared with using service account keys, Workload Identity cluster authentication has two main advantages:

  • Improved security: service account keys are a security risk if they aren't managed properly. OAuth 2.0 credentials and Workload Identity Federation are the preferred replacement for service account keys. For more information about service account tokens, see "Short-lived service account credentials". For more information about Workload Identity Federation, see "Workload Identity Federation".

  • Reduced maintenance: service account keys require more upkeep. Rotating and protecting them on a regular schedule can be a significant administrative burden.

This feature is currently in preview and therefore has some limitations; see the Limitations section at the end of this document.

Before you begin

In the following sections, you create service accounts and grant them the roles that Workload Identity cluster authentication requires. The setup instructions in this document don't replace the instructions in "Configure Google Cloud resources", which remain required prerequisites for a standard Google Distributed Cloud software-only installation. The service accounts that Workload Identity cluster authentication needs are similar to those described in "Configure Google Cloud resources", but they have unique names so that they don't interfere with clusters that use the default service account keys.

This document is for Admins, Architects, and Operators who set up, monitor, and manage the lifecycle of the underlying technical infrastructure. To learn more about the common roles and example tasks that we reference in Google Cloud content, see "Common GKE Enterprise user roles and tasks".

The following table describes the service accounts that Workload Identity cluster authentication requires:

Service account: ADMIN_SA
Purpose: You use this service account to generate tokens. Each token carries the permissions associated with the service account's roles.
Roles:
  • roles/gkehub.admin
  • roles/logging.admin
  • roles/monitoring.admin
  • roles/monitoring.dashboardEditor
  • roles/iam.serviceAccountAdmin
  • roles/iam.serviceAccountTokenCreator

Service account: baremetal-controller
Purpose: The Connect Agent uses this service account to maintain the connection between the cluster and Google Cloud and to register the cluster with the fleet. This service account also refreshes tokens for the baremetal-gcr service account.
Roles:
  • roles/gkehub.admin
  • roles/monitoring.dashboardEditor
  • roles/serviceusage.serviceUsageViewer

Service account: baremetal-cloud-ops
Purpose: The Stackdriver agents use this service account to export the cluster's logs and metrics to Cloud Logging and Cloud Monitoring.
Roles:
  • roles/logging.logWriter
  • roles/monitoring.metricWriter
  • roles/stackdriver.resourceMetadata.writer
  • roles/opsconfigmonitoring.resourceMetadata.writer
  • roles/monitoring.dashboardEditor
  • roles/monitoring.viewer
  • roles/serviceusage.serviceUsageViewer
  • roles/kubernetesmetadata.publisher

Service account: baremetal-gcr
Purpose: Google Distributed Cloud uses this service account to download container images from Artifact Registry.
Roles: none at the project level. Instead, the baremetal-controller service account is granted roles/iam.serviceAccountTokenCreator on this account (see the binding steps below) so that it can mint the tokens used for image pulls.

Create and configure service accounts for Workload Identity cluster authentication

The following sections contain instructions for creating the required service accounts and for granting them the roles that Workload Identity cluster authentication needs. For the list of service accounts and required roles, see the table in the preceding section.

Create the service accounts

To create the service accounts for Workload Identity cluster authentication, follow these steps:

  1. On the admin workstation, sign in to the Google Cloud CLI:

    gcloud auth login
    
  2. (Optional) Create the admin service account:

    The name of the ADMIN_SA service account is arbitrary. You could even use an existing service account that already holds the roles listed in the table in the preceding section, but that isn't recommended because it violates the principle of least privilege.

    gcloud iam service-accounts create ADMIN_SA \
        --project=PROJECT_ID
    

    Replace PROJECT_ID with your Google Cloud project ID.

  3. Create the standard service accounts for Workload Identity cluster authentication:

    The standard service accounts for Workload Identity cluster authentication have predetermined names. You can customize these names if needed (see "Cluster configuration" later in this document).

    gcloud iam service-accounts create baremetal-controller \
        --project=PROJECT_ID
    
    gcloud iam service-accounts create baremetal-cloud-ops \
        --project=PROJECT_ID
    
    gcloud iam service-accounts create baremetal-gcr \
        --project=PROJECT_ID
    

    Replace PROJECT_ID with your Google Cloud project ID.

Add Identity and Access Management policy bindings to the service accounts

  1. Add IAM policy bindings for the required roles to the ADMIN_SA service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/gkehub.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/logging.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.dashboardEditor
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/iam.serviceAccountAdmin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/iam.serviceAccountTokenCreator
    
  2. Add IAM policy bindings for the required roles to the baremetal-controller service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/gkehub.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.dashboardEditor
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/serviceusage.serviceUsageViewer
    
  3. Add IAM policy bindings for the required roles to the baremetal-cloud-ops service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/logging.logWriter
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.dashboardEditor
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.metricWriter
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/opsconfigmonitoring.resourceMetadata.writer
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/stackdriver.resourceMetadata.writer
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.viewer
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/serviceusage.serviceUsageViewer
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/kubernetesmetadata.publisher
    
  4. Grant the baremetal-controller service account permission to generate access tokens on behalf of the baremetal-gcr service account:

    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-gcr@PROJECT_ID.iam.gserviceaccount.com \
        --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/iam.serviceAccountTokenCreator
    
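The following is an added example, not code from this page or from Google Distributed Cloud. It audits a project IAM policy against the role table in "Before you begin" and reports, per service account, the roles that are still missing and, for least privilege, any roles granted beyond the table. PROJECT_ID and ADMIN_SA are assumed names and SAMPLE_POLICY is a constructed sample; for a real project, feed it the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
"""Audit a project IAM policy for the Workload Identity cluster
authentication service accounts (added example, not from the page).

EXPECTED_ROLES mirrors the table in "Before you begin". SAMPLE_POLICY is a
constructed sample shaped like `gcloud projects get-iam-policy` JSON.
"""
import json
import sys

PROJECT_ID = "my-project"  # assumed
ADMIN_SA = "admin-sa"      # assumed name for the arbitrary ADMIN_SA account


def sa_member(name: str, project_id: str = PROJECT_ID) -> str:
    """IAM member string for a service account in the project."""
    return f"serviceAccount:{name}@{project_id}.iam.gserviceaccount.com"


# Project-level roles from the table in "Before you begin".
EXPECTED_ROLES = {
    sa_member(ADMIN_SA): {
        "roles/gkehub.admin", "roles/logging.admin", "roles/monitoring.admin",
        "roles/monitoring.dashboardEditor", "roles/iam.serviceAccountAdmin",
        "roles/iam.serviceAccountTokenCreator",
    },
    sa_member("baremetal-controller"): {
        "roles/gkehub.admin", "roles/monitoring.dashboardEditor",
        "roles/serviceusage.serviceUsageViewer",
    },
    sa_member("baremetal-cloud-ops"): {
        "roles/logging.logWriter", "roles/monitoring.metricWriter",
        "roles/stackdriver.resourceMetadata.writer",
        "roles/opsconfigmonitoring.resourceMetadata.writer",
        "roles/monitoring.dashboardEditor", "roles/monitoring.viewer",
        "roles/serviceusage.serviceUsageViewer",
        "roles/kubernetesmetadata.publisher",
    },
    # baremetal-gcr gets no project-level role; baremetal-controller is
    # granted roles/iam.serviceAccountTokenCreator on the account itself.
    sa_member("baremetal-gcr"): set(),
}


def _binding(role: str, *names: str) -> dict:
    return {"role": role, "members": [sa_member(n) for n in names]}


# Constructed sample: baremetal-cloud-ops lacks one role and baremetal-gcr
# carries an over-broad role that the table never asks for.
SAMPLE_POLICY = {"bindings": [
    _binding("roles/gkehub.admin", ADMIN_SA, "baremetal-controller"),
    _binding("roles/logging.admin", ADMIN_SA),
    _binding("roles/monitoring.admin", ADMIN_SA),
    _binding("roles/monitoring.dashboardEditor", ADMIN_SA,
             "baremetal-controller", "baremetal-cloud-ops"),
    _binding("roles/iam.serviceAccountAdmin", ADMIN_SA),
    _binding("roles/iam.serviceAccountTokenCreator", ADMIN_SA),
    _binding("roles/serviceusage.serviceUsageViewer",
             "baremetal-controller", "baremetal-cloud-ops"),
    _binding("roles/logging.logWriter", "baremetal-cloud-ops"),
    _binding("roles/monitoring.metricWriter", "baremetal-cloud-ops"),
    _binding("roles/stackdriver.resourceMetadata.writer", "baremetal-cloud-ops"),
    _binding("roles/opsconfigmonitoring.resourceMetadata.writer",
             "baremetal-cloud-ops"),
    _binding("roles/monitoring.viewer", "baremetal-cloud-ops"),
    {"role": "roles/editor",
     "members": [sa_member("baremetal-gcr"), "user:alice@example.com"]},
], "etag": "BwYoN3QLig0=", "version": 1}


def roles_by_member(policy: dict) -> dict:
    """Invert a policy into member -> set of roles. Conditional bindings are
    skipped: whether they apply depends on the request, so review them by
    hand instead of counting them as granted."""
    out: dict = {}
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit(policy: dict, expected: dict = EXPECTED_ROLES) -> dict:
    """Per expected account: roles the table requires but the policy lacks
    ("missing") and roles granted beyond the table ("extra"). Both sets
    empty means the account matches the table exactly."""
    actual = roles_by_member(policy)
    return {member: {"missing": want - actual.get(member, set()),
                     "extra": actual.get(member, set()) - want}
            for member, want in expected.items()}


if __name__ == "__main__":
    # Pass a saved policy file as argv[1] to audit a real project.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for member, diff in audit(policy).items():
        print(member, "missing:", sorted(diff["missing"]),
              "extra:", sorted(diff["extra"]))
```

Extra roles matter as much as missing ones: a token minted for ADMIN_SA carries every role the account holds, so an over-granted account widens what a leaked token can do.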

Configure Workload Identity Federation for the clusters

To provide access through Workload Identity Federation for GKE, you create an IAM allow policy that grants access to specific Google Cloud resources to the principal that corresponds to the application's identity. In this case, Workload Identity Federation grants access to specific operators running in the cluster. For more information about Workload Identity Federation for GKE, see "Workload Identity Federation" in the IAM documentation.

Add IAM policy bindings for the cluster operator

The following command grants the anthos-cluster-operator Kubernetes service account the ability to impersonate the baremetal-controller service account and interact with Google Cloud resources on behalf of the cluster:

  1. For each cluster that is configured (or that you plan to configure) for Workload Identity cluster authentication, including the bootstrap cluster, grant anthos-cluster-operator in that cluster permission to impersonate the baremetal-controller service account:

    In the following command, the principalSet identifies the workload identity pool and the Kubernetes service account anthos-cluster-operator in the kube-system namespace. The principalSet is scoped to one fleet membership and one Kubernetes service account, which is why every cluster needs its own binding.

    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/anthos-cluster-operator \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    

    Replace the following:

    • PROJECT_NUM: the automatically generated unique ID of your project

    • REGION: the fleet membership location of the cluster; the default is global. For more information, see "Fleet membership locations".

    • CLUSTER_NAME: the name of the cluster. The default bootstrap cluster name is bmctl-MACHINE_NAME.

  2. Verify the policy bindings on the baremetal-controller service account:

    gcloud iam service-accounts get-iam-policy \
        baremetal-controller@PROJECT_ID.iam.gserviceaccount.com
    

    The response should list the principalSet members you bound and look similar to the following:

    bindings:
    - members:
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/anthos-cluster-operator
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/anthos-cluster-operator
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/anthos-cluster-operator
      role: roles/iam.workloadIdentityUser
    etag: BwYoN3QLig0=
    version: 1
    

Add IAM policy bindings for the Google Cloud Observability operators

The following commands grant these Google Cloud Observability Kubernetes service accounts the ability to impersonate the baremetal-cloud-ops service account and interact with Google Cloud resources on behalf of the cluster:

  • cloud-audit-logging
  • gke-metrics-agent
  • kubestore-collector
  • metadata-agent
  • stackdriver-log-forwarder

  1. For each cluster that is configured (or that you plan to configure) for Workload Identity cluster authentication, including the bootstrap cluster, grant the Google Cloud Observability operators in that cluster the ability to impersonate the baremetal-cloud-ops service account:

    In each of the following commands, the principalSet identifies the workload identity pool and one Kubernetes service account, for example cloud-audit-logging in the kube-system namespace.

    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/cloud-audit-logging \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/gke-metrics-agent \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/kubestore-collector \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/metadata-agent \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/stackdriver-log-forwarder \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
  2. Verify the policy bindings on the baremetal-cloud-ops service account:

    gcloud iam service-accounts get-iam-policy \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com
    

    The response should list the principalSet members you bound and look similar to the following:

    bindings:
    - members:
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/cloud-audit-logging
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/gke-metrics-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/kubestore-collector
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/metadata-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/stackdriver-log-forwarder
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/cloud-audit-logging
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/gke-metrics-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/kubestore-collector
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/metadata-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/stackdriver-log-forwarder
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/cloud-audit-logging
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/gke-metrics-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/kubestore-collector
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/metadata-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/stackdriver-log-forwarder
      role: roles/iam.workloadIdentityUser
    etag: BwYhT4gL-dY=
    version: 1
    
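The following is an added example, not code from this page or from Google Distributed Cloud, and it serves both binding procedures above (the cluster operator and the Google Cloud Observability operators). It builds the principalSet member strings from the same parts the commands use, checks a service account's IAM policy for the roles/iam.workloadIdentityUser grants that every cluster needs, and flags grants that shouldn't be there, such as a cluster that was torn down but can still impersonate the account. PROJECT_NUM, PROJECT_ID, REGION and the cluster names are assumed values; the two policies are constructed to look like `gcloud iam service-accounts get-iam-policy ... --format=json` output.

```python
"""Build and check principalSet grants for Workload Identity cluster
authentication (added example, not from the page or from the product).

PROJECT_NUM, PROJECT_ID, REGION and CLUSTERS are assumed values; the sample
policies are constructed.
"""

PROJECT_NUM = "112233445566"  # assumed
PROJECT_ID = "my-project"     # assumed
REGION = "global"             # fleet membership location; global is the default
WI_ROLE = "roles/iam.workloadIdentityUser"

# Kubernetes service accounts (all in kube-system) that must be allowed to
# impersonate each Google service account, per the procedures above.
KSAS_FOR = {
    "baremetal-controller": ["anthos-cluster-operator"],
    "baremetal-cloud-ops": ["cloud-audit-logging", "gke-metrics-agent",
                            "kubestore-collector", "metadata-agent",
                            "stackdriver-log-forwarder"],
}


def principal_set(cluster: str, ksa: str, namespace: str = "kube-system") -> str:
    """The --member value used in the add-iam-policy-binding commands above."""
    return (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUM}"
            f"/locations/global/workloadIdentityPools/{PROJECT_ID}.svc.id.goog"
            f"/attribute.fleetclusteridentity/projects/{PROJECT_ID}"
            f"/locations/{REGION}/memberships/{cluster}"
            f"/ns/{namespace}/sa/{ksa}")


def required_members(gsa: str, clusters) -> set:
    """Every principalSet that must hold WI_ROLE on gsa for these clusters."""
    return {principal_set(c, k) for c in clusters for k in KSAS_FOR[gsa]}


def wi_members(policy: dict) -> set:
    """Members holding WI_ROLE in a service account IAM policy."""
    return {m for b in policy.get("bindings", []) if b.get("role") == WI_ROLE
            for m in b.get("members", [])}


def check_bindings(gsa: str, policy: dict, clusters) -> dict:
    """missing: cluster/KSA pairs that cannot yet impersonate gsa.
    unexpected: WI_ROLE grants outside the expected set (a cluster that no
    longer exists, another namespace, a non-principalSet member); each one
    is an identity that can still mint tokens as gsa."""
    have, want = wi_members(policy), required_members(gsa, clusters)
    return {"missing": want - have, "unexpected": have - want}


def remediation_commands(gsa: str, missing) -> list:
    """gcloud commands, in the form used above, that add each missing grant."""
    email = f"{gsa}@{PROJECT_ID}.iam.gserviceaccount.com"
    return [f"gcloud iam service-accounts add-iam-policy-binding {email} "
            f"--member={m} --role={WI_ROLE} --project={PROJECT_ID}"
            for m in sorted(missing)]


# Constructed samples for three clusters. The cloud-ops policy is missing
# one grant and still carries one for a cluster that was torn down.
CLUSTERS = ["bmctl-admin-ws", "admin-cluster", "user-cluster"]


def _policy(members) -> dict:
    return {"bindings": [{"role": WI_ROLE, "members": sorted(members)}],
            "etag": "BwYhT4gL-dY=", "version": 1}


SAMPLE_CONTROLLER_POLICY = _policy(required_members("baremetal-controller", CLUSTERS))
SAMPLE_CLOUD_OPS_POLICY = _policy(
    (required_members("baremetal-cloud-ops", CLUSTERS)
     - {principal_set("user-cluster", "metadata-agent")})
    | {principal_set("old-cluster", "gke-metrics-agent")})


if __name__ == "__main__":
    for gsa, policy in (("baremetal-controller", SAMPLE_CONTROLLER_POLICY),
                        ("baremetal-cloud-ops", SAMPLE_CLOUD_OPS_POLICY)):
        result = check_bindings(gsa, policy, CLUSTERS)
        print(gsa, "missing:", len(result["missing"]),
              "unexpected:", len(result["unexpected"]))
        print("\n".join(remediation_commands(gsa, result["missing"])))
```

Treat "unexpected" entries as findings, not noise: a stale binding for a deleted cluster is a standing impersonation path to baremetal-cloud-ops or baremetal-controller, and removing it is the cleanup step a cluster reset doesn't do for you.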

Cluster configuration

The most visible difference in the configuration of a cluster that uses Workload Identity cluster authentication is that you don't specify paths to downloaded service account keys.

  1. When you fill in the cluster configuration file, leave the service account key paths in the credentials section empty, as in the following example:

    gcrKeyPath:
    sshPrivateKeyPath: /home/USERNAME/.ssh/id_rsa
    gkeConnectAgentServiceAccountKeyPath:
    gkeConnectRegisterServiceAccountKeyPath:
    cloudOperationsServiceAccountKeyPath:
    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: cluster-CLUSTER_NAME
    ---
    apiVersion: baremetal.cluster.gke.io/v1
    kind: Cluster
    metadata:
      name: CLUSTER_NAME
      namespace: cluster-CLUSTER_NAME
    spec:
      type: admin
      profile: default
      anthosBareMetalVersion: 1.30.0-gke.1930
      ...
    
  2. (Optional) Configure custom names for the Workload Identity cluster authentication service accounts:

    Specifying custom names lets you use existing service accounts. Make sure that each custom service account name is different from the others, and that each account carries only the roles listed for its counterpart in the table in "Before you begin".

    apiVersion: baremetal.cluster.gke.io/v1
    kind: Cluster
    metadata:
      name: CLUSTER_NAME
      namespace: cluster-CLUSTER_NAME
      annotations:
        baremetal.cluster.gke.io/controller-service-account: "CUSTOM_CONTROLLER_GSA"
        baremetal.cluster.gke.io/cloud-ops-service-account: "CUSTOM_CLOUD_OPS_GSA"
        baremetal.cluster.gke.io/gcr-service-account: "CUSTOM_AR_GSA"
    spec:
      type: admin
      profile: default
      anthosBareMetalVersion: 1.30.0-gke.1930
        ...
    

    Replace the following:

    • CUSTOM_CONTROLLER_GSA: the email name of the service account that the Connect Agent uses to maintain the connection between the cluster and Google Cloud and to register the cluster.

    • CUSTOM_CLOUD_OPS_GSA: the email name of the service account that the Stackdriver agents use to export the cluster's logs and metrics to Cloud Logging and Cloud Monitoring.

    • CUSTOM_AR_GSA: the email name of the service account that Google Distributed Cloud uses to download container images from Artifact Registry.

Cluster operations

When you're ready to create, upgrade, or delete a cluster that uses Workload Identity cluster authentication, follow these steps:

  1. Sign in to the Google Cloud CLI:

    gcloud auth login
    
  2. On the admin workstation, create and download a key for the ADMIN_SA service account:

    gcloud iam service-accounts keys create TMP_KEY_FILE_PATH \
        --iam-account=ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com
    

    Replace TMP_KEY_FILE_PATH with the path, including the file name, for the downloaded key file.

  3. Authorize access to Google Cloud with the ADMIN_SA service account:

    gcloud auth activate-service-account ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --key-file=TMP_KEY_FILE_PATH
    
  4. Delete the downloaded JSON key file:

    rm TMP_KEY_FILE_PATH
    

    Deleting the file doesn't revoke the key: it stays valid on the ADMIN_SA service account until you delete it with gcloud iam service-accounts keys delete, and the previous step already copied the credential into the gcloud configuration directory on the workstation. Treat this key as a temporary credential and delete it from the service account when the cluster operation is done.
  5. On the admin workstation, create the GCP_ACCESS_TOKEN environment variable and set it to an access token generated for the ADMIN_SA service account:

    export GCP_ACCESS_TOKEN=$(gcloud auth print-access-token \
        --impersonate-service-account=ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com)
    

    By default, the access token is valid for 1 hour.

  6. Verify that the token was generated for the ADMIN_SA service account and has the expected expiry:

    curl "https://oauth2.googleapis.com/tokeninfo?access_token=$GCP_ACCESS_TOKEN"
    

    The response should include lines similar to the following:

    ...
    "expires_in": "3582",
    "email": "ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com",
    ...
    

    The expiry value is in seconds and should be less than 3600, which means the token expires in under an hour. If the email doesn't match the ADMIN_SA service account, the token was minted for a different identity; don't use it for cluster operations.

  7. Run bmctl commands to create, upgrade, or delete the cluster:

    If bmctl detects that the GCP_ACCESS_TOKEN environment variable is set, it validates the token. If the token is valid, bmctl uses it for the cluster operation.

    For clusters that use Workload Identity cluster authentication, the following commands require the GCP_ACCESS_TOKEN environment variable to be set to a valid, unexpired access token:

    • bmctl create cluster -c CLUSTER_NAME
    • bmctl reset cluster -c CLUSTER_NAME
    • bmctl upgrade cluster -c CLUSTER_NAME
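The following is an added example, not code from this page or from bmctl. It turns the manual check in step 6 into a pre-flight function you can run on the saved tokeninfo response before exporting GCP_ACCESS_TOKEN, and it rejects the failure modes a practitioner actually meets: a token minted for a different identity, a token tokeninfo refuses, a response that isn't JSON, a lifetime longer than the 1-hour default, and a token with too little time left. The response bodies are constructed samples shaped like the output of the curl command above, EXPECTED_SA is an assumed address, and MIN_REMAINING is an assumed safety margin, not a bmctl requirement.

```python
"""Pre-flight check on a tokeninfo response before running bmctl
(added example, not from the page or from bmctl).

Response bodies are constructed samples; EXPECTED_SA and MIN_REMAINING
are assumptions.
"""
import json

MAX_LIFETIME = 3600   # default access-token lifetime described above
MIN_REMAINING = 600   # assumption: don't start a long operation on a dying token


def validate_tokeninfo(body: str, expected_sa: str,
                       max_lifetime: int = MAX_LIFETIME,
                       min_remaining: int = MIN_REMAINING):
    """Return (ok, reason) for a tokeninfo response body."""
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return False, "tokeninfo response is not JSON"
    if not isinstance(info, dict):
        return False, "tokeninfo response is not a JSON object"
    if "error" in info:
        # tokeninfo answers invalid or expired tokens with an error object
        return False, f"tokeninfo error: {info.get('error_description', info['error'])}"
    email = info.get("email")
    if email != expected_sa:
        return False, f"token belongs to {email!r}, expected {expected_sa!r}"
    try:
        remaining = int(info.get("expires_in", ""))
    except ValueError:
        return False, "expires_in missing or not an integer"
    if remaining <= 0 or remaining > max_lifetime:
        # e.g. a 12-hour image pull token, which is not what bmctl should get
        return False, f"expires_in={remaining} is outside (0, {max_lifetime}]"
    if remaining < min_remaining:
        return False, f"only {remaining}s left; mint a fresh token first"
    return True, f"token for {email} is valid for another {remaining}s"


EXPECTED_SA = "ADMIN_SA@my-project.iam.gserviceaccount.com"  # assumed

# Constructed responses, trimmed to the fields the check uses.
GOOD = '{"expires_in": "3582", "email": "ADMIN_SA@my-project.iam.gserviceaccount.com", "email_verified": "true"}'
WRONG_SA = '{"expires_in": "3582", "email": "baremetal-gcr@my-project.iam.gserviceaccount.com"}'
TOO_LONG = '{"expires_in": "43200", "email": "ADMIN_SA@my-project.iam.gserviceaccount.com"}'
NEARLY_DEAD = '{"expires_in": "45", "email": "ADMIN_SA@my-project.iam.gserviceaccount.com"}'
REJECTED = '{"error": "invalid_token", "error_description": "Invalid Value"}'

if __name__ == "__main__":
    for body in (GOOD, WRONG_SA, TOO_LONG, NEARLY_DEAD, REJECTED, "<html>"):
        print(validate_tokeninfo(body, EXPECTED_SA))
```

In practice, save the curl output to a file (for example, `curl ... > tokeninfo.json`) and pass its contents to validate_tokeninfo; only export GCP_ACCESS_TOKEN and run bmctl when it returns True.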

Limitations

Because Workload Identity cluster authentication is in preview, the following aren't supported:

  • Using a proxy server
  • VPC Service Controls
  • Updating an existing key-mode cluster to use Workload Identity cluster authentication

What's next