This document describes how to set up and use the cluster "keyless mode" feature for Google Distributed Cloud on bare metal (software only). Instead of service account keys, keyless mode uses short-lived tokens and Workload Identity Federation to create and secure clusters. The short-lived credentials for service accounts take the form of OAuth 2.0 access tokens. By default, access tokens expire after 1 hour, but image pull tokens expire after 12 hours.
Keyless mode is available only for clusters at version 1.30 and later.
By contrast, "key mode" is the standard method for creating and securing clusters; it uses downloaded service account keys. When you create a self-managed (admin, hybrid, or standalone) cluster, you specify the paths to the downloaded keys. The keys are then stored as Secrets in the cluster and in any managed user clusters. By default, service account keys never expire, which makes them a security risk if they are not managed properly.
Keyless mode has two main advantages over service account keys:
- Improved security: service account keys that are managed poorly are a security risk. OAuth 2.0 tokens and Workload Identity Federation are considered the best-practice alternative to service account keys. For more information about service account tokens, see Short-lived service account credentials. For more information about Workload Identity Federation, see Workload Identity Federation.
- Less maintenance: service account keys require more maintenance. Rotating and protecting these keys on a regular basis can be a significant administrative burden.
Before you begin
In the following sections, you create service accounts and grant them the roles that keyless mode requires. The setup instructions in this document do not replace the instructions in Set up Google Cloud resources; they are additional steps on top of the standard Google Distributed Cloud (software only) installation prerequisites. The service accounts that keyless mode requires are similar to the ones described in Set up Google Cloud resources, but they have unique names so that they do not interfere with clusters that use the default service account keys.
This page is for administrators, architects, and operators who are responsible for setting up, monitoring, and managing the lifecycle of the underlying technical infrastructure. To learn more about the common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
The following table describes the service accounts that keyless mode requires:
Service account | Purpose | Roles
---|---|---
ADMIN_SA | You use this service account to generate tokens. Each token carries the privileges associated with the roles of the service account. | roles/gkehub.admin, roles/logging.admin, roles/monitoring.admin, roles/monitoring.dashboardEditor, roles/iam.serviceAccountAdmin, roles/iam.serviceAccountTokenCreator
baremetal-controller | The Connect Agent uses this service account to maintain the connection between the cluster and Google Cloud and to register the cluster with the fleet. This service account also refreshes tokens for the baremetal-gcr service account. | roles/gkehub.admin, roles/monitoring.dashboardEditor, roles/serviceusage.serviceUsageViewer
baremetal-cloud-ops | The Stackdriver agent uses this service account to export logs and metrics from the cluster to Cloud Logging and Cloud Monitoring. | roles/logging.logWriter, roles/monitoring.metricWriter, roles/stackdriver.resourceMetadata.writer, roles/opsconfigmonitoring.resourceMetadata.writer, roles/monitoring.dashboardEditor, roles/monitoring.viewer, roles/serviceusage.serviceUsageViewer, roles/kubernetesmetadata.publisher
baremetal-gcr | Google Distributed Cloud uses this service account to download container images from Container Registry. | None
Create and configure service accounts for keyless mode
The following sections contain instructions for creating the required service accounts and granting them the roles that keyless mode requires. For the list of service accounts and their required roles, see the table in the previous section.
Create service accounts
To create the service accounts for keyless mode, follow these steps:
1. On the admin workstation, sign in to the Google Cloud CLI:
```
gcloud auth login
```
2. (Optional) Create the admin service account:
The name of the ADMIN_SA service account is arbitrary. You can even use an existing service account if it has the roles described in the table in the previous section, but this is not recommended because it violates the principle of least privilege.
```
gcloud iam service-accounts create ADMIN_SA \
    --project=PROJECT_ID
```
Replace PROJECT_ID with the ID of your Google Cloud project.
3. Create the standard service accounts for the keyless feature:
The standard service accounts for the keyless feature have predetermined names, which you can customize if needed.
```
gcloud iam service-accounts create baremetal-controller \
    --project=PROJECT_ID
gcloud iam service-accounts create baremetal-cloud-ops \
    --project=PROJECT_ID
gcloud iam service-accounts create baremetal-gcr \
    --project=PROJECT_ID
```
Replace PROJECT_ID with the ID of your Google Cloud project.
Add Identity and Access Management policy bindings to the service accounts
1. Add IAM policy bindings for the required roles to the ADMIN_SA service account:
```
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/gkehub.admin
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/logging.admin
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/monitoring.admin
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/monitoring.dashboardEditor
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/iam.serviceAccountAdmin
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/iam.serviceAccountTokenCreator
```
2. Add IAM policy bindings for the required roles to the baremetal-controller service account:
```
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/gkehub.admin
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/monitoring.dashboardEditor
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/serviceusage.serviceUsageViewer
```
3. Add IAM policy bindings for the required roles to the baremetal-cloud-ops service account:
```
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/logging.logWriter
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/monitoring.dashboardEditor
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/monitoring.metricWriter
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/opsconfigmonitoring.resourceMetadata.writer
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/stackdriver.resourceMetadata.writer
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/monitoring.viewer
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/serviceusage.serviceUsageViewer
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/kubernetesmetadata.publisher
```
4. Grant the baremetal-controller service account permission to generate access tokens on behalf of the baremetal-gcr service account:
```
gcloud iam service-accounts add-iam-policy-binding \
    baremetal-gcr@PROJECT_ID.iam.gserviceaccount.com \
    --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/iam.serviceAccountTokenCreator
```
Configure Workload Identity Federation for the cluster
To use Workload Identity Federation for GKE to provide access to Google Cloud, you create IAM allow policies that grant the principals corresponding to application identities access to specific Google Cloud resources. In this case, Workload Identity Federation grants access to specific operators in the cluster. For more information about Workload Identity Federation for GKE, see Workload Identity Federation in the IAM documentation.
Add an IAM policy binding for the cluster operator
The following command grants the anthos-cluster-operator Kubernetes service account permission to impersonate the baremetal-controller service account and to interact with Google Cloud resources on behalf of the cluster:
1. For each keyless cluster (or planned keyless cluster), including the bootstrap cluster, grant the anthos-cluster-operator in the cluster permission to impersonate the baremetal-controller service account:
In the following command, the principalSet consists of the workload identity pool and the anthos-cluster-operator Kubernetes service account in the kube-system namespace.
```
gcloud iam service-accounts add-iam-policy-binding \
    baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
    --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/anthos-cluster-operator \
    --role=roles/iam.workloadIdentityUser \
    --project=PROJECT_ID
```
Replace the following:
- PROJECT_NUM: the unique identifier that is generated automatically for your project.
- REGION: the fleet membership location of the cluster, which is global by default. For more information, see Fleet membership locations.
- CLUSTER_NAME: the name of the cluster. By default, the bootstrap cluster name is bmctl-MACHINE_NAME.
2. Verify the policy bindings for the baremetal-controller service account:
```
gcloud iam service-accounts get-iam-policy \
    baremetal-controller@PROJECT_ID.iam.gserviceaccount.com
```
The response should look similar to the following:
```
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/anthos-cluster-operator
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/anthos-cluster-operator
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/anthos-cluster-operator
  role: roles/iam.workloadIdentityUser
etag: BwYoN3QLig0=
version: 1
```
Add IAM policy bindings for the Google Cloud Observability operators
The following commands grant the following Google Cloud Observability Kubernetes service accounts permission to impersonate the baremetal-cloud-ops service account and to interact with Google Cloud resources on behalf of the cluster:
- cloud-audit-logging
- gke-metrics-agent
- kubestore-collector
- metadata-agent
- stackdriver-log-forwarder
1. For each keyless cluster (or planned keyless cluster), including the bootstrap cluster, grant the Google Cloud Observability operators in the cluster permission to impersonate the baremetal-cloud-ops service account:
In each of the following commands, the principalSet consists of the workload identity pool and a Kubernetes service account (for example, cloud-audit-logging) in the kube-system namespace.
```
gcloud iam service-accounts add-iam-policy-binding \
    baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/cloud-audit-logging \
    --role=roles/iam.workloadIdentityUser \
    --project=PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding \
    baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/gke-metrics-agent \
    --role=roles/iam.workloadIdentityUser \
    --project=PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding \
    baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/kubestore-collector \
    --role=roles/iam.workloadIdentityUser \
    --project=PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding \
    baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/metadata-agent \
    --role=roles/iam.workloadIdentityUser \
    --project=PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding \
    baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
    --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/stackdriver-log-forwarder \
    --role=roles/iam.workloadIdentityUser \
    --project=PROJECT_ID
```
2. Verify the policy bindings for the baremetal-cloud-ops service account:
```
gcloud iam service-accounts get-iam-policy \
    baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com
```
The response should look similar to the following:
```
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/cloud-audit-logging
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/gke-metrics-agent
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/kubestore-collector
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/metadata-agent
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/stackdriver-log-forwarder
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/cloud-audit-logging
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/gke-metrics-agent
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/kubestore-collector
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/metadata-agent
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/stackdriver-log-forwarder
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/cloud-audit-logging
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/gke-metrics-agent
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/kubestore-collector
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/metadata-agent
  - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/stackdriver-log-forwarder
  role: roles/iam.workloadIdentityUser
etag: BwYhT4gL-dY=
version: 1
```
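Reading a long list of principalSet members by eye is error-prone, and a single missing binding means one operator in one cluster silently fails to impersonate its Google service account. The following added example (not part of the page or of the product; PROJECT_ID, PROJECT_NUM and the cluster names are constructed placeholders) builds the expected member strings in the form used by the add-iam-policy-binding commands above, for both the baremetal-controller and the baremetal-cloud-ops verification steps, and reports which (cluster, Kubernetes service account) pairs lack a roles/iam.workloadIdentityUser binding in a get-iam-policy result.

```python
import json

# Constructed placeholder values (not a real project); replace with your own.
PROJECT_ID = "my-project"
PROJECT_NUM = "112233445566"
REGION = "global"
ROLE = "roles/iam.workloadIdentityUser"

# Kubernetes service accounts in kube-system that must be able to impersonate
# each Google service account, as listed on this page.
CONTROLLER_KSAS = ["anthos-cluster-operator"]
CLOUD_OPS_KSAS = ["cloud-audit-logging", "gke-metrics-agent", "kubestore-collector",
                  "metadata-agent", "stackdriver-log-forwarder"]


def expected_member(cluster, ksa):
    """Build the principalSet member string in the form used by the
    add-iam-policy-binding commands on this page."""
    return ("principalSet://iam.googleapis.com/projects/%s/locations/global/"
            "workloadIdentityPools/%s.svc.id.goog/attribute.fleetclusteridentity/"
            "projects/%s/locations/%s/memberships/%s/ns/kube-system/sa/%s"
            % (PROJECT_NUM, PROJECT_ID, PROJECT_ID, REGION, cluster, ksa))


def missing_bindings(policy_json, clusters, ksas):
    """Return (cluster, ksa) pairs with no workloadIdentityUser binding in the policy,
    i.e. operators that would fail to impersonate the Google service account.
    policy_json is the output of `gcloud iam service-accounts get-iam-policy SA --format=json`."""
    policy = json.loads(policy_json)
    granted = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == ROLE:
            granted.update(binding.get("members", []))
    return [(c, k) for c in clusters for k in ksas if expected_member(c, k) not in granted]


# Constructed sample policy: admin-cluster is fully bound, user-cluster lacks metadata-agent.
SAMPLE_POLICY = json.dumps({
    "bindings": [{
        "role": ROLE,
        "members": [expected_member("admin-cluster", k) for k in CLOUD_OPS_KSAS]
                   + [expected_member("user-cluster", k) for k in CLOUD_OPS_KSAS
                      if k != "metadata-agent"],
    }],
    "etag": "BwYhT4gL-dY=",
    "version": 1,
})

if __name__ == "__main__":
    for cluster, ksa in missing_bindings(SAMPLE_POLICY, ["admin-cluster", "user-cluster"], CLOUD_OPS_KSAS):
        print("missing binding for %s/%s" % (cluster, ksa))
```

To check a real policy, pass the output of `gcloud iam service-accounts get-iam-policy SA --format=json` as policy_json and list every cluster that should be keyless, including the bootstrap cluster.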
Cluster configuration
For clusters that use keyless mode, the most visible difference in the cluster configuration is that you do not specify paths to downloaded service account keys.
When you fill in the cluster settings in the configuration file, leave the service account key paths in the credentials section empty, as in the following example:
```
gcrKeyPath:
sshPrivateKeyPath: /home/USERNAME/.ssh/id_rsa
gkeConnectAgentServiceAccountKeyPath:
gkeConnectRegisterServiceAccountKeyPath:
cloudOperationsServiceAccountKeyPath:
---
apiVersion: v1
kind: Namespace
metadata:
  name: cluster-CLUSTER_NAME
---
apiVersion: baremetal.cluster.gke.io/v1
kind: Cluster
metadata:
  name: CLUSTER_NAME
  namespace: cluster-CLUSTER_NAME
spec:
  type: admin
  profile: default
  anthosBareMetalVersion: 1.30.0-gke.1930
...
```
(Optional) Set custom names for the keyless mode service accounts:
By specifying custom names, you can use existing service accounts. By specifying the same custom name for several service accounts, you can consolidate them into fewer service accounts.
```
apiVersion: baremetal.cluster.gke.io/v1
kind: Cluster
metadata:
  name: CLUSTER_NAME
  namespace: cluster-CLUSTER_NAME
  annotations:
    baremetal.cluster.gke.io/controller-service-account: "CUSTOM_CONTROLLER_GSA"
    baremetal.cluster.gke.io/cloud-ops-service-account: "CUSTOM_CLOUD_OPS_GSA"
    baremetal.cluster.gke.io/gcr-service-account: "CUSTOM_GCR_GSA"
spec:
  type: admin
  profile: default
  anthosBareMetalVersion: 1.30.0-gke.1930
...
```
Cluster operations
When you are ready to create, upgrade, or delete a keyless mode cluster, follow these steps:
1. Sign in to the Google Cloud CLI:
```
gcloud auth login
```
2. On the admin workstation, create and download a key for the ADMIN_SA service account:
```
gcloud iam service-accounts keys create TMP_KEY_FILE_PATH \
    --iam-account=ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com
```
Replace TMP_KEY_FILE_PATH with the path (including the file name) for the downloaded key file.
3. Use the ADMIN_SA service account to grant access to Google Cloud:
```
gcloud auth activate-service-account ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
    --key-file=TMP_KEY_FILE_PATH
```
4. Delete the downloaded JSON key file:
```
rm TMP_KEY_FILE_PATH
```
5. On the admin workstation, create a GCP_ACCESS_TOKEN environment variable and set its value to an access token created by the ADMIN_SA service account:
```
export GCP_ACCESS_TOKEN=$(gcloud auth print-access-token \
    --impersonate-service-account=ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com)
```
By default, the access token has a lifetime of 1 hour.
6. Verify that the token was generated by the ADMIN_SA service account and has the correct expiry:
```
curl "https://oauth2.googleapis.com/tokeninfo?access_token=$GCP_ACCESS_TOKEN"
```
The response should contain lines similar to the following:
```
...
"expires_in": "3582",
"email": "ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com",
...
```
The expiry value is in seconds and should be less than 3600, indicating that the token expires in less than one hour.
7. Run bmctl commands to create, upgrade, or delete keyless mode clusters:
If bmctl detects that the GCP_ACCESS_TOKEN environment variable is set, it validates the token. If the token is valid, bmctl uses it for keyless mode cluster operations. For clusters that use keyless mode, the following commands require the GCP_ACCESS_TOKEN environment variable to be set to a valid access token:
```
bmctl create cluster -c CLUSTER_NAME
bmctl reset cluster -c CLUSTER_NAME
bmctl upgrade cluster -c CLUSTER_NAME
```
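The tokeninfo check in step 6 is the only point in this procedure where you confirm that the token bmctl will use really belongs to ADMIN_SA rather than to some other credential active in gcloud. The following added example (not part of the page or of bmctl; the service account name and the sample responses are constructed) turns that manual inspection into a function that rejects a token for the wrong principal, an already-invalid token, or one whose remaining lifetime exceeds the expected 1 hour.

```python
import json


def check_tokeninfo(tokeninfo_json, expected_sa, max_lifetime_s=3600):
    """Validate the JSON returned by https://oauth2.googleapis.com/tokeninfo for the
    token in GCP_ACCESS_TOKEN. Returns (ok, reason). The token must belong to
    expected_sa, must not already be invalid, and must not outlive the default
    1-hour lifetime that this page expects."""
    try:
        info = json.loads(tokeninfo_json)
    except ValueError:
        return False, "tokeninfo response is not JSON"
    # tokeninfo reports an invalid or expired token as an error object.
    if "error" in info:
        return False, "tokeninfo error: %s" % info.get("error_description", info["error"])
    email = info.get("email")
    if email != expected_sa:
        return False, "token belongs to %r, expected %r" % (email, expected_sa)
    # expires_in is returned as a string of seconds, e.g. "3582".
    try:
        expires_in = int(info.get("expires_in", "0"))
    except ValueError:
        return False, "expires_in is not numeric"
    if expires_in <= 0:
        return False, "token is already expired"
    if expires_in > max_lifetime_s:
        return False, "remaining lifetime %ds exceeds %ds" % (expires_in, max_lifetime_s)
    return True, "token for %s expires in %ds" % (email, expires_in)


# Constructed sample responses (not captured from a real project).
ADMIN_SA = "admin-sa@my-project.iam.gserviceaccount.com"
GOOD = '{"expires_in": "3582", "email": "%s", "email_verified": "true"}' % ADMIN_SA
WRONG_SA = '{"expires_in": "3582", "email": "baremetal-gcr@my-project.iam.gserviceaccount.com"}'
INVALID = '{"error": "invalid_token", "error_description": "Invalid Value"}'

if __name__ == "__main__":
    for sample in (GOOD, WRONG_SA, INVALID):
        print(check_tokeninfo(sample, ADMIN_SA))
```

Feed the function the body returned by the curl command in step 6; because that command carries the token as a URL query parameter, keep it out of shell history and proxy logs.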
Limitations
While keyless mode is in preview, the following features are not supported in clusters that run in keyless mode:
- Using a proxy server
- VPC Service Controls