Kubernetes 无法在GKE上使用BackendConfig
我有一个可以部署到kubernetes(Google kubernetes引擎)的应用程序,我正在尝试向其中添加Google的CDN。为此,我添加了一个BackendConfig。但是当我的gitlab管道尝试应用它时,它返回以下错误 $kubectl apply-f backend-config.yaml 服务器错误(禁止):检索当前配置时出错: Resource:“cloud.google.com/v1beta1,Resource=backendconfigs”,GroupVersionKind:“cloud.google.com/v1beta1,Kind=BackendConfig” 我强烈怀疑正在运行管道的帐户没有足够的权限访问后端配置。作为k8s和gke的新手,我不知道如何解决这个问题。尤其是我找不到这需要什么许可 编辑 我在管道中添加了一个Kubernetes 无法在GKE上使用BackendConfig,kubernetes,gitlab,google-kubernetes-engine,Kubernetes,Gitlab,Google Kubernetes Engine,我有一个可以部署到kubernetes(Google kubernetes引擎)的应用程序,我正在尝试向其中添加Google的CDN。为此,我添加了一个BackendConfig。但是当我的gitlab管道尝试应用它时,它返回以下错误 $kubectl apply-f backend-config.yaml 服务器错误(禁止):检索当前配置时出错: Resource:“cloud.google.com/v1beta1,Resource=backendconfigs”,GroupVersionKi
kubectl get backendconfigs
,但失败了,出现了相同的错误。在我的gcloudsdk环境中运行它时,使用相同的命令
注意,集群由Gitlab管理,并使用RBAC。我的理解是gitlab使用edit
角色在k8s中为每个命名空间创建服务帐户
编辑2
根据Arghya的回答添加了ClusterRole
和ClusterRoleBinding
输出$kubectl获得crd
NAME CREATED AT
backendconfigs.cloud.google.com 2020-01-09T15:37:27Z
capacityrequests.internal.autoscaling.k8s.io 2020-04-28T11:15:26Z
certificaterequests.cert-manager.io 2020-01-15T06:53:47Z
certificates.cert-manager.io 2020-01-15T06:53:48Z
challenges.acme.cert-manager.io 2020-01-15T06:53:48Z
challenges.certmanager.k8s.io 2020-01-09T15:47:01Z
clusterissuers.cert-manager.io 2020-01-15T06:53:48Z
clusterissuers.certmanager.k8s.io 2020-01-09T15:47:01Z
issuers.cert-manager.io 2020-01-15T06:53:48Z
issuers.certmanager.k8s.io 2020-01-09T15:47:01Z
managedcertificates.networking.gke.io 2020-01-09T15:37:53Z
orders.acme.cert-manager.io 2020-01-15T06:53:48Z
orders.certmanager.k8s.io 2020-01-09T15:47:01Z
scalingpolicies.scalingpolicy.kope.io 2020-01-09T15:37:53Z
updateinfos.nodemanagement.gke.io 2020-01-09T15:37:53Z
kubectl Descripte crd backendconfigs.cloud.google.com的输出
Name: backendconfigs.cloud.google.com
Namespace:
Labels: <none>
Annotations: <none>
API Version: apiextensions.k8s.io/v1beta1
Kind: CustomResourceDefinition
Metadata:
Creation Timestamp: 2020-01-09T15:37:27Z
Generation: 1
Resource Version: 198
Self Link: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/backendconfigs.cloud.google.com
UID: f0bc780a-32f5-11ea-b7bd-42010aa40111
Spec:
Conversion:
Strategy: None
Group: cloud.google.com
Names:
Kind: BackendConfig
List Kind: BackendConfigList
Plural: backendconfigs
Singular: backendconfig
Scope: Namespaced
Validation:
Open APIV 3 Schema:
Properties:
API Version:
Description: APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
Type: string
Kind:
Description: Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
Type: string
Metadata:
Type: object
Spec:
Description: BackendConfigSpec is the spec for a BackendConfig resource
Properties:
Cdn:
Description: CDNConfig contains configuration for CDN-enabled backends.
Properties:
Cache Policy:
Description: CacheKeyPolicy contains configuration for how requests to a CDN-enabled backend are cached.
Properties:
Include Host:
Description: If true, requests to different hosts will be cached separately.
Type: boolean
Include Protocol:
Description: If true, http and https requests will be cached separately.
Type: boolean
Include Query String:
Description: If true, query string parameters are included in the cache key according to QueryStringBlacklist and QueryStringWhitelist. If neither is set, the entire query string is included and if false the entire query string is excluded.
Type: boolean
Query String Blacklist:
Description: Names of query strint parameters to exclude from cache keys. All other parameters are included. Either specify QueryStringBlacklist or QueryStringWhitelist, but not both.
Items:
Type: string
Type: array
Query String Whitelist:
Description: Names of query string parameters to include in cache keys. All other parameters are excluded. Either specify QueryStringBlacklist or QueryStringWhitelist, but not both.
Items:
Type: string
Type: array
Type: object
Enabled:
Type: boolean
Required:
enabled
Type: object
Connection Draining:
Description: ConnectionDrainingConfig contains configuration for connection draining. For now the draining timeout. May manage more settings in the future.
Properties:
Draining Timeout Sec:
Description: Draining timeout in seconds.
Format: int64
Type: integer
Type: object
Iap:
Description: IAPConfig contains configuration for IAP-enabled backends.
Properties:
Enabled:
Type: boolean
Oauthclient Credentials:
Description: OAuthClientCredentials contains credentials for a single IAP-enabled backend.
Properties:
Client ID:
Description: Direct reference to OAuth client id.
Type: string
Client Secret:
Description: Direct reference to OAuth client secret.
Type: string
Secret Name:
Description: The name of a k8s secret which stores the OAuth client id & secret.
Type: string
Required:
secretName
Type: object
Required:
enabled
oauthclientCredentials
Type: object
Security Policy:
Type: object
Session Affinity:
Description: SessionAffinityConfig contains configuration for stickyness parameters.
Properties:
Affinity Cookie Ttl Sec:
Format: int64
Type: integer
Affinity Type:
Type: string
Type: object
Timeout Sec:
Format: int64
Type: integer
Type: object
Status:
Type: object
Version: v1beta1
Versions:
Name: v1beta1
Served: true
Storage: true
Status:
Accepted Names:
Kind: BackendConfig
List Kind: BackendConfigList
Plural: backendconfigs
Singular: backendconfig
Conditions:
Last Transition Time: 2020-01-09T15:37:27Z
Message: no conflicts found
Reason: NoConflicts
Status: True
Type: NamesAccepted
Last Transition Time: <nil>
Message: the initial names have been accepted
Reason: InitialNamesAccepted
Status: True
Type: Established
Stored Versions:
v1beta1
Events: <none>
Name:backendconfigs.cloud.google.com
名称空间:
标签:
注释:
API版本:apiextensions.k8s.io/v1beta1
种类:CustomResourceDefinition
元数据:
创建时间戳:2020-01-09T15:37:27Z
世代:1
资源版本:198
自链接:/api/apiextensions.k8s.io/v1beta1/customresourcedefinitions/backendconfigs.cloud.google.com
UID:f0bc780a-32f5-11ea-b7bd-42010aa40111
规格:
转换:
策略:无
群组:cloud.google.com
姓名:
种类:BackendConfig
列表种类:BackendConfigList
复数:backendconfigs
单数:backendconfig
作用域:命名空间
验证:
打开APIV 3模式:
特性:
API版本:
描述:APIVersion定义对象表示的版本化架构。服务器应将已识别的架构转换为最新的内部值,并可能拒绝未识别的值。更多信息:https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
类型:字符串
种类:
描述:种类是一个字符串值,表示此对象表示的REST资源。服务器可以从客户端向其提交请求的端点推断出这一点。无法更新。在这种情况下。更多信息:https://git.k8s.io/community/contributors/devel/api-conventions.md#types-种类
类型:字符串
元数据:
类型:对象
规格:
描述:BackendConfigSpec是BackendConfig资源的规范
特性:
Cdn:
描述:CDN配置包含启用CDN的后端的配置。
特性:
缓存策略:
描述:CacheKeyPolicy包含如何缓存对启用CDN的后端的请求的配置。
特性:
包括主机:
描述:如果为true,则对不同主机的请求将分别缓存。
类型:布尔型
包括协议:
描述:如果为true,http和https请求将分别缓存。
类型:布尔型
包含查询字符串:
描述:如果为true,则根据QueryStringBlacklist和QueryStringWhitelist,查询字符串参数包含在缓存密钥中。如果两者都未设置,则包含整个查询字符串,如果为false,则排除整个查询字符串。
类型:布尔型
查询字符串黑名单:
描述:要从缓存键中排除的查询strint参数的名称。包括所有其他参数。指定QueryStringBlacklist或QueryStringWhitelist,但不能同时指定两者。
项目:
类型:字符串
类型:数组
查询字符串白名单:
描述:要包含在缓存键中的查询字符串参数的名称。排除所有其他参数。指定QueryStringBlacklist或QueryStringWhitelist,但不能同时指定两者。
项目:
类型:字符串
类型:数组
类型:对象
启用:
类型:布尔型
必修的:
启用
类型:对象
连接排水:
描述:ConnectionDrainingConfig包含连接排水的配置。目前,排水超时。将来可能会管理更多设置。
特性:
排水超时秒:
描述:以秒为单位的排空超时。
格式:int64
类型:整数
类型:对象
Iap:
描述:IAPConfig包含启用IAP的后端的配置。
特性:
启用:
类型:布尔型
Oauthclient凭据:
描述:OAuthClientCredentials包含单个启用IAP的后端的凭据。
特性:
客户端ID:
描述:直接引用OAuth客户端id。
类型:字符串
客户机密:
描述:直接引用OAuth客户端机密。
类型:字符串
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: backendconfig-role
rules:
- apiGroups: ["cloud.google.com"]
resources: ["backendconfigs"]
verbs: ["get", "watch", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: backendconfig-rolebinding
subjects:
- kind: ServiceAccount
name: example-sa
namespace: example-namespace
roleRef:
kind: ClusterRole
name: backendconfig-role
apiGroup: rbac.authorization.k8s.io
kubectl auth can-i get backendconfigs --as=system:serviceaccount:example-namespace:example-sa -n example-namespace