Terraform on gcloud: serviceaccounts is forbidden: User "system:anonymous" cannot create resource "serviceaccounts"

I'm trying to write Terraform code to bootstrap a GKE cluster on Google Cloud (with RBAC). The GKE cluster is created successfully, but I also want to create a service account that can later be reused for the kubernetes provider configuration. This means I need a temporary kubernetes provider in my submodule to create the kubernetes_service_account that the rest of the Terraform code needs.
```hcl
resource "google_container_cluster" "k8s_autopilot_cluster" { ... }

# Temporary provider that authenticates with the cluster's master_auth
# client certificate and key (this is the configuration that fails below).
provider "kubernetes" {
  alias                  = "k8s_gcloud_temp"
  cluster_ca_certificate = base64decode(google_container_cluster.k8s_autopilot_cluster.master_auth.0.cluster_ca_certificate)
  host                   = google_container_cluster.k8s_autopilot_cluster.endpoint
  client_certificate     = base64decode(google_container_cluster.k8s_autopilot_cluster.master_auth.0.client_certificate)
  client_key             = base64decode(google_container_cluster.k8s_autopilot_cluster.master_auth.0.client_key)
}

resource "kubernetes_service_account" "terraform_k8s_sa" {
  provider = kubernetes.k8s_gcloud_temp
  metadata {
    namespace = "kube-system"
    name      = "terraform-k8s-sa"
  }
  automount_service_account_token = false
}
```
So my cluster is created successfully, but creating my kubernetes_service_account always fails with `Error: serviceaccounts is forbidden: User "system:anonymous" cannot create resource "serviceaccounts" in API group "" in the namespace "kube-system"`.

Any idea why I can't use master_auth, and what I should use instead?

Answer 1
```hcl
# Use the OAuth2 access token of the identity running Terraform instead of
# the master_auth client certificate.
data "google_client_config" "provider" {}

provider "kubernetes" {
  alias                  = "k8s_gcloud_temp"
  cluster_ca_certificate = base64decode(google_container_cluster.k8s_autopilot_cluster.master_auth.0.cluster_ca_certificate)
  host                   = google_container_cluster.k8s_autopilot_cluster.endpoint
  token                  = data.google_client_config.provider.access_token
}
```
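Added example, not code from the question or from Answer 1: the token-based provider from the answer carried through to a service account that can actually be reused later, with a role binding and an explicit token secret. The resource names, the `edit` ClusterRole and the `https://` prefix on the host are my assumptions; `kubernetes_cluster_role_binding` and `kubernetes_secret_v1` are standard resources of the Terraform kubernetes provider.

```hcl
data "google_client_config" "provider" {}

provider "kubernetes" {
  alias = "k8s_gcloud_temp"
  host  = "https://${google_container_cluster.k8s_autopilot_cluster.endpoint}"
  cluster_ca_certificate = base64decode(google_container_cluster.k8s_autopilot_cluster.master_auth.0.cluster_ca_certificate)
  # GKE does not issue client certificates by default, so master_auth's client
  # cert/key are empty and requests arrive as system:anonymous; use the token.
  token = data.google_client_config.provider.access_token
}

resource "kubernetes_service_account" "terraform_k8s_sa" {
  provider = kubernetes.k8s_gcloud_temp
  metadata {
    namespace = "kube-system"
    name      = "terraform-k8s-sa"
  }
  automount_service_account_token = false
}

# An unbound service account can do nothing; grant only the ClusterRole the
# later runs need ("edit" is a placeholder, not a recommendation).
resource "kubernetes_cluster_role_binding" "terraform_k8s_sa" {
  provider = kubernetes.k8s_gcloud_temp
  metadata {
    name = "terraform-k8s-sa-binding"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "edit"
  }
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.terraform_k8s_sa.metadata.0.name
    namespace = kubernetes_service_account.terraform_k8s_sa.metadata.0.namespace
  }
}

# Kubernetes 1.24+ no longer auto-creates a token secret per service account,
# so request one explicitly for the later provider block to read.
resource "kubernetes_secret_v1" "terraform_k8s_sa_token" {
  provider = kubernetes.k8s_gcloud_temp
  metadata {
    namespace   = "kube-system"
    name        = "terraform-k8s-sa-token"
    annotations = { "kubernetes.io/service-account.name" = kubernetes_service_account.terraform_k8s_sa.metadata.0.name }
  }
  type = "kubernetes.io/service-account-token"
}
```

The later provider block can then read `kubernetes_secret_v1.terraform_k8s_sa_token.data["token"]` instead of the human caller's access token, so the permissions it runs with are exactly those of the binding above.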