我正在尝试将 Docker 映像推送到 GCP Artifact Registry 并最终部署到 GKE。身份验证成功进行,但是,“获取凭据”步骤不断出现此错误:
Error: google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s) for "projects/***/locations/***/clusters/***".
我已为我的 IAM 用户授予以下角色:
我的 GitHub 工作流程 yaml 文件:
name: Deploy to GKE
on:
push:
branches:
- main
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Set up Google Cloud CLI and SDK
uses: google-github-actions/[email protected]
with:
service_account_key: ${{ secrets.GCP_SA_KEY }}
project_id: ${{ secrets.GCP_PROJECT }}
- name: Configure Docker
run: |
gcloud --quiet auth configure-docker
- name: Authenticate to GCP
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SA_KEY }}
- name: Get credentials
uses: google-github-actions/get-gke-credentials@v2
with:
cluster_name: ${{ secrets.GKE_CLUSTER }}
location: ${{ secrets.GKE_ZONE }}
- name: Build and push Docker images
run: |
docker build -t ${{ secrets.GKE_ZONE }}-docker.pkg.dev/${{secrets.GCP_PROJECT}}/reponame/apigateway:latest ./ApiGateway
docker build -t ${{ secrets.GKE_ZONE }}-docker.pkg.dev/${{secrets.GCP_PROJECT}}/reponame/likeservice:latest ./LikeService
and so on...
name: Apply Kubernetes manifests
run: |
kubectl apply -f K8S/mongo-config.yaml
kubectl apply -f K8S/mongo-secret.yaml
kubectl apply -f K8S/mongo-pv-storage.yaml
and so on...
GitHub Secrets 已添加到存储库中。
集群位于 us-central1-c 中,工件注册表位于 us-central1(爱荷华州)中。
这个问题如何解决?
如果您使用服务帐户来验证和访问 ACR 和 GKE 集群,您必须拥有以下角色/权限
ArtifactRegistry 存储库管理员(角色/artifactregistry.repoAdmin)
Kubernetes Engine 集群管理 (roles/container.clusterAdmin)