get-gke-credentials fails: required "container.clusters.get" permission


I am trying to push Docker images to GCP Artifact Registry and eventually deploy to GKE. Authentication succeeds, but the "Get credentials" step keeps failing with this error:

Error: google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s) for "projects/***/locations/***/clusters/***".

I have granted my IAM user the following roles:

  • Container Analysis Admin
  • Editor
  • Kubernetes Engine Admin
  • Kubernetes Engine Cluster Admin
  • Kubernetes Engine Cluster Viewer
  • Kubernetes Engine Developer
  • Storage Admin


My GitHub workflow YAML file:

name: Deploy to GKE

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Google Cloud CLI and SDK
        uses: google-github-actions/[email protected]
        with:
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          project_id: ${{ secrets.GCP_PROJECT }}
        
      - name: Configure Docker
        run: |
            gcloud --quiet auth configure-docker
    
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}
                  
      - name: Get credentials
        uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: ${{ secrets.GKE_CLUSTER }}
          location: ${{ secrets.GKE_ZONE }}
    
      - name: Build and push Docker images
        run: |
          docker build -t ${{ secrets.GKE_ZONE }}-docker.pkg.dev/${{secrets.GCP_PROJECT}}/reponame/apigateway:latest ./ApiGateway
          docker build -t ${{ secrets.GKE_ZONE }}-docker.pkg.dev/${{secrets.GCP_PROJECT}}/reponame/likeservice:latest ./LikeService

and so on...

      - name: Apply Kubernetes manifests
        run: |
          kubectl apply -f K8S/mongo-config.yaml
          kubectl apply -f K8S/mongo-secret.yaml
          kubectl apply -f K8S/mongo-pv-storage.yaml

and so on...

The GitHub Secrets have been added to the repository.

The cluster is in us-central1-c and the Artifact Registry is in us-central1 (Iowa).

How can this be solved?

docker kubernetes google-cloud-platform github-actions google-kubernetes-engine
1 answer
0
votes

If you are using a service account to authenticate and access ACR and the GKE cluster, you must have the following roles/permissions
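
A check for the situation in the question, as an added example that is not part of the original post or answer: it reads the service account key the workflow authenticates with and reports whether that principal, rather than a human user, holds a role carrying container.clusters.get in the project IAM policy. The key, policy, account names and helper names are constructed; the policy has the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
import json

# Predefined roles that carry container.clusters.get (not an exhaustive list;
# custom roles and bindings inherited from a folder or organization are not covered).
ROLES_WITH_CLUSTERS_GET = {
    "roles/container.clusterViewer", "roles/container.viewer",
    "roles/container.developer", "roles/container.clusterAdmin",
    "roles/container.admin", "roles/editor", "roles/owner",
}

def key_principal(key_json):
    """Return the IAM member string for the identity inside a service account key."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("credential is not a service account key")
    return "serviceAccount:" + key["client_email"]

def diagnose(key_json, policy_json):
    """Report which project-level roles the key's principal holds."""
    member = key_principal(key_json)
    granted, conditional = set(), set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member in binding.get("members", []):
            # Conditional bindings may not apply to the cluster; list them separately.
            target = conditional if "condition" in binding else granted
            target.add(binding["role"])
    return {
        "principal": member,
        "roles": sorted(granted),
        "conditional_roles": sorted(conditional),
        "has_clusters_get": bool(granted & ROLES_WITH_CLUSTERS_GET),
    }

# Constructed sample: the GKE roles sit on a user, not on the key's service account.
SAMPLE_SA = "deployer@example-project.iam.gserviceaccount.com"
SAMPLE_KEY = json.dumps({"type": "service_account", "client_email": SAMPLE_SA})
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/container.admin", "members": ["user:dev@example.com"]},
    {"role": "roles/editor", "members": ["user:dev@example.com"]},
    {"role": "roles/artifactregistry.writer",
     "members": ["serviceAccount:" + SAMPLE_SA]},
]})

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_KEY, SAMPLE_POLICY), indent=2))
```
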
