Configure cross-project access in GKE

This page describes how to grant Binary Authorization access to policies and container images that live in a Google Cloud project other than the current one. For example, if you deploy images to a Google Kubernetes Engine (GKE) cluster from an Artifact Registry or Container Registry (deprecated) repository owned by a different project, you must grant the Binary Authorization service in your project access to the image metadata in the source repository.

Terminology

This document uses the following terms:

  • Service agent: a service account managed by Google Cloud. Binary Authorization uses a service agent to interact with Google Cloud resources such as GKE clusters.
  • Policy project: the Google Cloud project that contains the Binary Authorization policy.
  • Cluster project: the Google Cloud project that contains the GKE cluster.
  • Artifact project: the Google Cloud project that contains the Artifact Registry or Container Registry (deprecated) repository.

Scenarios that require cross-project access

You must grant cross-project permissions in the following cases:

  • The policy project differs from the cluster project.
  • The cluster project differs from the artifact project.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command:

    gcloud init
  5. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Binary Authorization API:

    gcloud services enable binaryauthorization.googleapis.com

Cluster project different from the policy project

Grant the Binary Authorization service agent of the cluster project the Binary Authorization Policy Evaluator (roles/binaryauthorization.policyEvaluator) role on the policy project:

gcloud projects add-iam-policy-binding POLICY_PROJECT_ID \
  --member="serviceAccount:service-$(gcloud projects describe CLUSTER_PROJECT_ID --format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com" \
  --role=roles/binaryauthorization.policyEvaluator

Replace the following:

  • POLICY_PROJECT_ID: the ID of the project that contains the policy.
  • CLUSTER_PROJECT_ID: the ID of the project that contains the cluster.

Cluster project different from the artifact project

Grant the Binary Authorization service agent of the cluster project the Artifact Registry Reader (roles/artifactregistry.reader) role on the artifact project:

gcloud projects add-iam-policy-binding ARTIFACT_PROJECT_ID \
  --member="serviceAccount:service-$(gcloud projects describe CLUSTER_PROJECT_ID --format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com" \
  --role=roles/artifactregistry.reader

Replace the following:

  • ARTIFACT_PROJECT_ID: the ID of the project that contains the Artifact Registry repository.
  • CLUSTER_PROJECT_ID: the ID of the project that runs the GKE cluster.
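An added audit check for the two grants described above (example code, not from the Google Cloud documentation): it takes the IAM policies of the policy project and of the artifact project in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` emits and reports which role the cluster project's Binary Authorization service agent still lacks. The cluster project number and both sample policies are constructed values.

```python
import json

BINAUTHZ_AGENT_DOMAIN = "gcp-sa-binaryauthorization.iam.gserviceaccount.com"

# Role the cluster project's service agent needs in each peer project,
# as given on this page.
REQUIRED_ROLES = {
    "policy": "roles/binaryauthorization.policyEvaluator",
    "artifact": "roles/artifactregistry.reader",
}


def binauthz_agent_member(cluster_project_number: str) -> str:
    """IAM member string of the Binary Authorization service agent of a project."""
    return f"serviceAccount:service-{cluster_project_number}@{BINAUTHZ_AGENT_DOMAIN}"


def has_binding(policy: dict, member: str, role: str) -> bool:
    """True if the IAM policy grants `role` to `member` (bindings: [{role, members}])."""
    return any(
        b.get("role") == role and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def missing_grants(cluster_project_number, policy_project_policy, artifact_project_policy):
    """Return the list of (project kind, role) the service agent does not yet hold."""
    member = binauthz_agent_member(cluster_project_number)
    checks = [("policy", policy_project_policy), ("artifact", artifact_project_policy)]
    return [(kind, REQUIRED_ROLES[kind]) for kind, pol in checks
            if not has_binding(pol, member, REQUIRED_ROLES[kind])]


# Constructed sample: the policy project already grants the evaluator role,
# the artifact project still grants the reader role only to a user.
SAMPLE_CLUSTER_PROJECT_NUMBER = "123456789012"  # placeholder project number
SAMPLE_POLICY_PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/binaryauthorization.policyEvaluator",
   "members": ["serviceAccount:service-123456789012@gcp-sa-binaryauthorization.iam.gserviceaccount.com"]}]}""")
SAMPLE_ARTIFACT_PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/artifactregistry.reader", "members": ["user:dev@example.com"]}]}""")

if __name__ == "__main__":
    for kind, role in missing_grants(SAMPLE_CLUSTER_PROJECT_NUMBER,
                                     SAMPLE_POLICY_PROJECT_POLICY,
                                     SAMPLE_ARTIFACT_PROJECT_POLICY):
        print(f"missing: {role} for the service agent in the {kind} project")
```

When the cluster project is the same as the policy or artifact project, that check does not apply and no grant is needed.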