Workload Identity Cluster Authentication

This document describes how to set up and use Workload Identity Cluster Authentication for Google Distributed Cloud on Bare Metal (software only). Workload Identity Cluster Authentication uses short-lived tokens and Workload Identity Federation, instead of service account keys, to create and secure clusters. The short-lived credentials for service accounts take the form of OAuth 2.0 access tokens. By default, access tokens expire after 1 hour, but image pull tokens expire after 12 hours.

Workload Identity Cluster Authentication is available only for clusters at version 1.30 and later.

By contrast, "key mode" is the standard method for creating and securing clusters, and it uses downloaded service account keys. When you create a self-managed (admin, hybrid, or standalone) cluster, you specify the path to the downloaded key. The key is then stored as a Secret in the cluster and in any managed user clusters. By default, service account keys never expire, and they pose a security risk if they aren't managed properly.

Compared with using service account keys, Workload Identity Cluster Authentication has two main advantages:

  • Improved security: service account keys pose a security risk if they are managed poorly. OAuth 2.0 tokens and Workload Identity Federation are considered the best-practice alternative to service account keys. For more information about service account tokens, see Short-lived service account credentials. For more information about Workload Identity Federation, see Workload Identity Federation.

  • Less maintenance: service account keys require more maintenance. Regularly rotating and protecting those keys can be a significant administrative burden.

This feature is currently in Preview and has some known limitations.

Before you begin

In the following sections, you create service accounts and grant them the roles that Workload Identity Cluster Authentication requires. The setup instructions in this document don't replace the instructions in Set up Google Cloud resources; they are additional steps on top of the standard Google Distributed Cloud (software only) installation prerequisites. The service accounts that Workload Identity Cluster Authentication requires are similar to the ones described in Set up Google Cloud resources, but they have unique names so that they don't interfere with clusters that use the default service account keys.

This page is for Admins, Architects, and Operators who set up, monitor, and manage the lifecycle of the underlying tech infrastructure. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.

The following table describes the service accounts that Workload Identity Cluster Authentication requires:

Service account: ADMIN_SA
  Purpose: You use this service account to generate tokens. Each token carries the privileges associated with the service account's roles.
  Roles:
    roles/gkehub.admin
    roles/logging.admin
    roles/monitoring.admin
    roles/monitoring.dashboardEditor
    roles/iam.serviceAccountAdmin
    roles/iam.serviceAccountTokenCreator

Service account: baremetal-controller
  Purpose: The Connect Agent uses this service account to maintain the connection between the cluster and Google Cloud and to register the cluster with the fleet. This service account also refreshes tokens for the baremetal-gcr service account.
  Roles:
    roles/gkehub.admin
    roles/monitoring.dashboardEditor
    roles/serviceusage.serviceUsageViewer

Service account: baremetal-cloud-ops
  Purpose: The Stackdriver Agent uses this service account to export logs and metrics from the cluster to Cloud Logging and Cloud Monitoring.
  Roles:
    roles/logging.logWriter
    roles/monitoring.metricWriter
    roles/stackdriver.resourceMetadata.writer
    roles/opsconfigmonitoring.resourceMetadata.writer
    roles/monitoring.dashboardEditor
    roles/monitoring.viewer
    roles/serviceusage.serviceUsageViewer
    roles/kubernetesmetadata.publisher

Service account: baremetal-gcr
  Purpose: Google Distributed Cloud uses this service account to download container images from Container Registry.
  Roles: (none listed)

Create and configure service accounts for Workload Identity Cluster Authentication

The following sections explain how to create the required service accounts and grant them the roles that Workload Identity Cluster Authentication requires. For the list of service accounts and their required roles, see the table in the previous section.

Create service accounts

To create the service accounts for Workload Identity Cluster Authentication, follow these steps:

  1. On the admin workstation, sign in to the Google Cloud CLI:

    gcloud auth login
    
  2. (Optional) Create the admin service account:

    The ADMIN_SA service account can have any name. You can even use an existing service account if it has the roles listed in the table in the previous section, but this isn't recommended because it violates the principle of least privilege.

    gcloud iam service-accounts create ADMIN_SA \
        --project=PROJECT_ID
    

    Replace PROJECT_ID with the ID of your Google Cloud project.

  3. Create the standard service accounts for Workload Identity Cluster Authentication:

    The standard service accounts for Workload Identity Cluster Authentication have predetermined names, which you can customize if needed.

    gcloud iam service-accounts create baremetal-controller \
        --project=PROJECT_ID
    
    gcloud iam service-accounts create baremetal-cloud-ops \
        --project=PROJECT_ID
    
    gcloud iam service-accounts create baremetal-gcr \
        --project=PROJECT_ID
    

    Replace PROJECT_ID with the ID of your Google Cloud project.

Add Identity and Access Management policy bindings for the service accounts

  1. Add IAM policy bindings for the required roles to the ADMIN_SA service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/gkehub.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/logging.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.dashboardEditor
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/iam.serviceAccountAdmin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/iam.serviceAccountTokenCreator
    
  2. Add IAM policy bindings for the required roles to the baremetal-controller service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/gkehub.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.dashboardEditor
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/serviceusage.serviceUsageViewer
    
  3. Add IAM policy bindings for the required roles to the baremetal-cloud-ops service account:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/logging.logWriter
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.dashboardEditor
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.metricWriter
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/opsconfigmonitoring.resourceMetadata.writer
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/stackdriver.resourceMetadata.writer
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/monitoring.viewer
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/serviceusage.serviceUsageViewer
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/kubernetesmetadata.publisher
    
  4. Grant the baremetal-controller service account permission to generate access tokens on behalf of the baremetal-gcr service account:

    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-gcr@PROJECT_ID.iam.gserviceaccount.com \
        --member=serviceAccount:baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --role=roles/iam.serviceAccountTokenCreator
    

Configure Workload Identity Federation for clusters

To provide Google Cloud access by using Workload Identity Federation for GKE, you create IAM allow policies that grant principals corresponding to application identities access to specific Google Cloud resources. In this case, Workload Identity Federation grants access to specific operators in the cluster. For more information about Workload Identity Federation for GKE, see Workload Identity Federation in the IAM documentation.

Add IAM policy bindings for the cluster operator

The following commands grant the anthos-cluster-operator Kubernetes service account permission to impersonate the baremetal-controller service account and to interact with Google Cloud resources on behalf of the cluster:

  1. For each cluster that is configured to use Workload Identity Cluster Authentication (or that you plan to configure to use it), including the bootstrap cluster, grant the anthos-cluster-operator in the cluster permission to impersonate the baremetal-controller service account:

    In the following command, the principalSet consists of the workload identity pool and the anthos-cluster-operator Kubernetes service account in the kube-system namespace.

    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-controller@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/anthos-cluster-operator \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    

    Replace the following:

  2. Verify the policy bindings for the baremetal-controller service account:

    gcloud iam service-accounts get-iam-policy \
        baremetal-controller@PROJECT_ID.iam.gserviceaccount.com
    

    The response should look similar to the following:

    bindings:
    - members:
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/anthos-cluster-operator
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/anthos-cluster-operator
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/anthos-cluster-operator
      role: roles/iam.workloadIdentityUser
    etag: BwYoN3QLig0=
    version: 1
    

Add IAM policy bindings for Google Cloud Observability operators

The following commands grant the following Google Cloud Observability Kubernetes service accounts permission to impersonate the baremetal-cloud-ops service account and to interact with Google Cloud resources on behalf of the cluster:

  • cloud-audit-logging
  • gke-metrics-agent
  • kubestore-collector
  • metadata-agent
  • stackdriver-log-forwarder

  1. For each cluster that is configured to use Workload Identity Cluster Authentication (or that you plan to configure to use it), including the bootstrap cluster, grant the Google Cloud Observability operators in the cluster permission to impersonate the baremetal-cloud-ops service account:

    In each of the following commands, the principalSet consists of the workload identity pool and a Kubernetes service account (for example, cloud-audit-logging) in the kube-system namespace.

    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/cloud-audit-logging \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/gke-metrics-agent \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/kubestore-collector \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/metadata-agent \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
    gcloud iam service-accounts add-iam-policy-binding \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com \
        --member=principalSet://iam.googleapis.com/projects/PROJECT_NUM/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/attribute.fleetclusteridentity/projects/PROJECT_ID/locations/REGION/memberships/CLUSTER_NAME/ns/kube-system/sa/stackdriver-log-forwarder \
        --role=roles/iam.workloadIdentityUser \
        --project=PROJECT_ID
    
  2. Verify the policy bindings for the baremetal-cloud-ops service account:

    gcloud iam service-accounts get-iam-policy \
        baremetal-cloud-ops@PROJECT_ID.iam.gserviceaccount.com
    

    The response should look similar to the following:

    bindings:
    - members:
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/cloud-audit-logging
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/gke-metrics-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/kubestore-collector
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/metadata-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/bmctl-admin-ws/kube-system/stackdriver-log-forwarder
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/cloud-audit-logging
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/gke-metrics-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/kubestore-collector
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/metadata-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/admin-cluster/kube-system/stackdriver-log-forwarder
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/cloud-audit-logging
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/gke-metrics-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/kubestore-collector
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/metadata-agent
      - principalSet://iam.googleapis.com/projects/112233445566/locations/global/workloadIdentityPools/my-project.svc.id.goog/attribute.fleetclusteridentity/user-cluster/kube-system/stackdriver-log-forwarder
      role: roles/iam.workloadIdentityUser
    etag: BwYhT4gL-dY=
    version: 1
    

Cluster configuration

For clusters that use Workload Identity Cluster Authentication, the most visible difference in cluster configuration is that you don't specify paths to downloaded service account keys.

  1. When you fill in the cluster settings in the configuration file, leave the service account key paths in the credentials section empty, as shown in the following example:

    gcrKeyPath:
    sshPrivateKeyPath: /home/USERNAME/.ssh/id_rsa
    gkeConnectAgentServiceAccountKeyPath:
    gkeConnectRegisterServiceAccountKeyPath:
    cloudOperationsServiceAccountKeyPath:
    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: cluster-CLUSTER_NAME
    ---
    apiVersion: baremetal.cluster.gke.io/v1
    kind: Cluster
    metadata:
      name: CLUSTER_NAME
      namespace: cluster-CLUSTER_NAME
    spec:
      type: admin
      profile: default
      anthosBareMetalVersion: 1.30.0-gke.1930
      ...
    
  2. (Optional) Set custom names for the Workload Identity Cluster Authentication service accounts:

    By specifying custom names, you can use existing service accounts. By specifying the same custom name for several of them, you can consolidate them into fewer service accounts.

    apiVersion: baremetal.cluster.gke.io/v1
    kind: Cluster
    metadata:
      name: CLUSTER_NAME
      namespace: cluster-CLUSTER_NAME
      annotations:
        baremetal.cluster.gke.io/controller-service-account: "CUSTOM_CONTROLLER_GSA"
        baremetal.cluster.gke.io/cloud-ops-service-account: "CUSTOM_CLOUD_OPS_GSA"
        baremetal.cluster.gke.io/gcr-service-account: "CUSTOM_GCR_GSA"
    spec:
      type: admin
      profile: default
      anthosBareMetalVersion: 1.30.0-gke.1930
      ...
    

Cluster operations

When you're ready to create, upgrade, or delete a cluster that uses Workload Identity Cluster Authentication, follow these steps:

  1. Sign in to the Google Cloud CLI:

    gcloud auth login
    
  2. On the admin workstation, create and download a key for the ADMIN_SA service account:

    gcloud iam service-accounts keys create TMP_KEY_FILE_PATH \
        --iam-account=ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com
    

    Replace TMP_KEY_FILE_PATH with the path, including the file name, of the downloaded key file.

  3. Grant access to Google Cloud by using the ADMIN_SA service account:

    gcloud auth activate-service-account ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com \
        --key-file=TMP_KEY_FILE_PATH
    
  4. Delete the downloaded JSON key file:

    rm TMP_KEY_FILE_PATH
    
  5. On the admin workstation, create a GCP_ACCESS_TOKEN environment variable and set its value to an access token created by the ADMIN_SA service account:

    export GCP_ACCESS_TOKEN=$(gcloud auth print-access-token \
        --impersonate-service-account=ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com)
    

    By default, the access token has a lifetime of 1 hour.

  6. Verify that the token was generated by the ADMIN_SA service account and has the correct expiration time:

    curl "https://oauth2.googleapis.com/tokeninfo?access_token=$GCP_ACCESS_TOKEN"
    

    The response should contain lines similar to the following:

    ...
    "expires_in": "3582",
    "email": "ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com",
    ...
    

    The expiration value is in seconds and should be less than 3600, which indicates that the token expires in less than one hour.

  7. Run bmctl commands to create, upgrade, or delete clusters:

    If bmctl detects that the GCP_ACCESS_TOKEN environment variable is set, it validates the token. If the token is valid, bmctl uses it for the cluster operation.

    For clusters that use Workload Identity Cluster Authentication, the following commands require the GCP_ACCESS_TOKEN environment variable to be set to a valid access token:

    • bmctl create cluster -c CLUSTER_NAME
    • bmctl reset cluster -c CLUSTER_NAME
    • bmctl upgrade cluster -c CLUSTER_NAME
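
As an added example (not part of the original page or of bmctl), the following POSIX shell check automates steps 5 and 6 above: it parses the tokeninfo response and confirms that the token belongs to ADMIN_SA and expires within the default 1-hour lifetime before GCP_ACCESS_TOKEN is handed to bmctl. The responses embedded in the script are constructed sample data, and ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com is the page's placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: validates the tokeninfo response
# from step 6 before bmctl uses GCP_ACCESS_TOKEN. The sample responses below
# are constructed; ADMIN_SA@PROJECT_ID... is the page's placeholder.

# json_field RESPONSE KEY -> value of "KEY": "value" (tokeninfo prints one
# field per line, which is all this minimal parser relies on).
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_tokeninfo RESPONSE EXPECTED_EMAIL
# Returns 0 when the token was minted for EXPECTED_EMAIL and expires in
# 1..3600 seconds (the default 1-hour lifetime); otherwise returns 1 and
# explains why on stderr.
check_tokeninfo() {
  resp=$1; want=$2
  email=$(json_field "$resp" email)
  expires=$(json_field "$resp" expires_in)
  if [ -z "$email" ] || [ -z "$expires" ]; then
    echo "tokeninfo: no email/expires_in in response (token invalid or expired?)" >&2
    return 1
  fi
  if [ "$email" != "$want" ]; then
    echo "tokeninfo: token belongs to $email, expected $want" >&2
    return 1
  fi
  case $expires in
    *[!0-9]*) echo "tokeninfo: non-numeric expires_in: $expires" >&2; return 1 ;;
  esac
  if [ "$expires" -lt 1 ] || [ "$expires" -gt 3600 ]; then
    echo "tokeninfo: expires_in=$expires is outside the expected 1..3600 s" >&2
    return 1
  fi
  return 0
}

# Live use (network required; GCP_ACCESS_TOKEN exported as in step 5):
#   check_tokeninfo "$(curl -s "https://oauth2.googleapis.com/tokeninfo?access_token=$GCP_ACCESS_TOKEN")" \
#       ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com || exit 1

# Constructed sample responses (not real output) for offline testing.
GOOD_RESPONSE='{
  "expires_in": "3582",
  "email": "ADMIN_SA@PROJECT_ID.iam.gserviceaccount.com",
  "email_verified": "true"
}'
WRONG_SA_RESPONSE='{
  "expires_in": "3582",
  "email": "other-sa@PROJECT_ID.iam.gserviceaccount.com",
  "email_verified": "true"
}'
EXPIRED_RESPONSE='{
  "error": "invalid_token",
  "error_description": "Invalid Value"
}'
```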

Limitations

While Workload Identity Cluster Authentication is in Preview, the following features aren't supported:

  • Using a proxy server
  • VPC Service Controls

What's next