Projektübergreifenden Zugriff in GKE konfigurieren
Mit Sammlungen den Überblick behalten
Sie können Inhalte basierend auf Ihren Einstellungen speichern und kategorisieren.
Auf dieser Seite erfahren Sie, wie Sie der Binärautorisierung Zugriff auf Richtlinien und Container-Images gewähren, die in anderen Google Cloud-Projekten als in Ihrem aktuellen Projekt vorhanden sind.
Wenn Sie beispielsweise Images in Ihrem Google Kubernetes Engine-Cluster (GKE) aus einem Artifact Registry-Repository oder einer Container Registry (verworfener Link) bereitstellen, das zu einem anderen Projekt gehört, müssen Sie dem Binärautorisierungsdienst in Ihrem Projekt Zugriff auf Image-Metadaten im Quell-Repository.
Terminologie
In diesem Dokument werden die folgenden Begriffe verwendet:
Dienst-Agent: Ein von Google Cloud verwaltetes Dienstkonto.
Die Binärautorisierung verwendet einen Dienst-Agent, um mit Ihren Google Cloud-Ressourcen wie GKE-Clustern zu interagieren.
Richtlinienprojekt: Das Google Cloud-Projekt, das Ihre Richtlinie für die Binärautorisierung enthält.
Clusterprojekt: Das Google Cloud-Projekt, das Ihren GKE-Cluster enthält.
Artefaktprojekt: Das Google Cloud-Projekt, das Ihr Artifact Registry- oder Container Registry-Repository (verworfen) enthält.
Szenarien, die einen projektübergreifenden Zugriff erfordern
In Situationen wie den folgenden müssen Sie projektübergreifende Berechtigungen erteilen:
Ihr Richtlinienprojekt unterscheidet sich von Ihrem Clusterprojekt.
Ihr Clusterprojekt unterscheidet sich von Ihrem Artefaktprojekt.
Hinweise
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
Clusterprojekt, das vom Richtlinienprojekt abweicht
Weisen Sie dem Dienst-Agent für die Binärautorisierung im Clusterprojekt die Rolle Evaluator für die Binärautorisierungsrichtlinie (roles/binaryauthorization.policyEvaluator) für das Richtlinienprojekt zu.
POLICY_PROJECT_ID: Die ID des Projekts, das Ihre Richtlinie enthält.
CLUSTER_PROJECT_ID: die Projekt-ID des Clusters.
Clusterprojekt, das sich vom Artefaktprojekt unterscheidet
Weisen Sie dem Dienst-Agent für die Binärautorisierung im Clusterprojekt die Rolle Artifact Registry-Leser (roles/artifactregistry.reader) für das Artefaktprojekt zu.
[[["Leicht verständlich","easyToUnderstand","thumb-up"],["Mein Problem wurde gelöst","solvedMyProblem","thumb-up"],["Sonstiges","otherUp","thumb-up"]],[["Schwer verständlich","hardToUnderstand","thumb-down"],["Informationen oder Beispielcode falsch","incorrectInformationOrSampleCode","thumb-down"],["Benötigte Informationen/Beispiele nicht gefunden","missingTheInformationSamplesINeed","thumb-down"],["Problem mit der Übersetzung","translationIssue","thumb-down"],["Sonstiges","otherDown","thumb-down"]],["Zuletzt aktualisiert: 2025-09-04 (UTC)."],[[["\u003cp\u003eThis document guides users on granting Binary Authorization access across different Google Cloud projects for policies and container images.\u003c/p\u003e\n"],["\u003cp\u003eCross-project access is required when the policy project, cluster project, and artifact project are not the same.\u003c/p\u003e\n"],["\u003cp\u003eThe Binary Authorization service agent in the cluster project needs the \u003ccode\u003eroles/binaryauthorization.policyEvaluator\u003c/code\u003e role on the policy project.\u003c/p\u003e\n"],["\u003cp\u003eThe Binary Authorization service agent in the cluster project needs the \u003ccode\u003eroles/artifactregistry.reader\u003c/code\u003e role on the artifact project.\u003c/p\u003e\n"],["\u003cp\u003eIf using Container Registry, the \u003ccode\u003eroles/storage.objectViewer\u003c/code\u003e role can be used instead, but migrating to Artifact Registry is recommended because Container Registry is deprecated.\u003c/p\u003e\n"]]],[],null,["# Configure cross-project access in GKE\n\nThis page shows you how to give Binary Authorization access to policies and container\nimages that exist in different Google Cloud projects than your current project.\nFor example, if you deploy images in your Google Kubernetes Engine (GKE) cluster\nfrom an Artifact Registry or Container Registry ([Deprecated](/container-registry/docs/deprecations/container-registry-deprecation))\nrepository that's owned by a different project, you'll need to give the\nBinary Authorization service in your project access to the image metadata in\nthe source repository.\n\nTerminology\n-----------\n\nThis document uses the following terms:\n\n- **Service agent:**A Google Cloud-managed service account. Binary Authorization uses a service agent to interact with your Google Cloud resources, like GKE clusters.\n- **Policy project:**The Google Cloud project that contains your Binary Authorization policy.\n- **Cluster project:**The Google Cloud project that contains your GKE cluster.\n- **Artifact project:** The Google Cloud project that contains your Artifact Registry or Container Registry ([Deprecated](/container-registry/docs/deprecations/container-registry-deprecation)) repository.\n\nScenarios that require cross-project access\n-------------------------------------------\n\nYou must grant cross-project permissions in situations like the following:\n\n- Your policy project is different than your cluster project.\n- Your cluster project is different than your artifact project.\n\nBefore you begin\n----------------\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Binary Authorization API:\n\n\n ```bash\n gcloud services enable binaryauthorization.googleapis.com\n ```\n\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Binary Authorization API:\n\n\n ```bash\n gcloud services enable binaryauthorization.googleapis.com\n ```\n\n\u003cbr /\u003e\n\nCluster project different than the policy project\n-------------------------------------------------\n\nGrant the Binary Authorization service agent in the cluster project the\n[Binary Authorization Policy Evaluator](/iam/docs/understanding-roles#binaryauthorization.policyEvaluator)\n(`roles/binaryauthorization.policyEvaluator`)\nrole on the policy project. \n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePOLICY_PROJECT_ID\u003c/var\u003e \\\n --member=\"serviceAccount:service-$(gcloud projects describe \u003cvar translate=\"no\"\u003eCLUSTER_PROJECT_ID\u003c/var\u003e --format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com\" \\\n --role=roles/binaryauthorization.policyEvaluator\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_PROJECT_ID\u003c/var\u003e: the ID of the project that contains your policy.\n- \u003cvar translate=\"no\"\u003eCLUSTER_PROJECT_ID\u003c/var\u003e: the project ID of the cluster.\n\n\u003cbr /\u003e\n\nCluster project different than the artifact project\n---------------------------------------------------\n\nGrant the Binary Authorization service agent in the cluster project the\n[Artifact Registry Reader](/iam/docs/understanding-roles#artifactregistry.reader)\n(`roles/artifactregistry.reader`) role on the artifact project. \n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003eARTIFACT_PROJECT_ID\u003c/var\u003e \\\n --member=\"serviceAccount:service-$(gcloud projects describe \u003cvar translate=\"no\"\u003eCLUSTER_PROJECT_ID\u003c/var\u003e --format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com\" \\\n --role=roles/artifactregistry.reader\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eARTIFACT_PROJECT_ID\u003c/var\u003e: the ID of the project that contains your Artifact Registry repository. **Note:** If you use Container Registry, you can use the [Storage Object Viewer](/iam/docs/understanding-roles#storage.objectViewer) (`roles/storage.objectViewer`) role, but we recommend that you migrate to Artifact Registry. Container Registry is deprecated. For migration instructions, see [Transition from Container Registry](/artifact-registry/docs/transition/transition-from-gcr).\n- \u003cvar translate=\"no\"\u003eCLUSTER_PROJECT_ID\u003c/var\u003e: the project ID that runs your GKE clusters.\n\n\u003cbr /\u003e"]]
