如何在Golang中使用Kubernetes服务账户?

huangapple go评论86阅读模式
英文:

How to use kubernetes service account with golang?

问题

实际上,我主要在NodeJS中使用Kubernetes服务账户,这个方法很好用。但是我有一个用Go语言编写的服务,似乎无法与服务账户配合使用(我知道服务账户已经正确配置,因为我在一个Pod中进行了测试)。

我正在使用这个库:https://github.com/aws/aws-sdk-go

到目前为止,我尝试了以下两种方法:

第一种方法出现了以下错误:

AccessDenied: User: arn:aws:sts::xxxxxxxx:assumed-role/staging-worker-node/i-0xxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxx:role/EKSServiceAccount-app

第二种方法出现了一个通用的权限错误。

我阅读了文档并尝试了一些其他方法(可能与此无关),但似乎无法使其工作,可能是因为我在使用Go语言方面经验不足。

英文:

Actually, I use kubernetes service accounts mostly with NodeJS, and this works fine, but I have this one service made in Go and I can't seem to make it work with service accounts (I know that the service account is correctly configured because I tested it with a pod).

I'm using this lib https://github.com/aws/aws-sdk-go

Up till now I tried this:

  sess := session.Must(session.NewSession())

  creds := stscreds.NewCredentials(sess, os.Getenv("AWS_ROLE_ARN"))

  svc := s3.New(sess, &aws.Config{Credentials: creds})

And also this (just in case):

  region := os.Getenv("AMAZON_REGION")
  sess := session.Must(session.NewSession(&aws.Config{Region: &region}))

  svc := s3.New(sess)

for the first case I got the following error:

AccessDenied: User: arn:aws:sts::xxxxxxxx:assumed-role/staging-worker-node/i-0xxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxx:role/EKSServiceAccount-app

and for the second case, I got a generic permission error.

I read the docs and tried a few things more (that may not be relevant here), but I can't see to make it work, maybe because I don't have much experience with golang.

答案1

得分: 1

有几个方法可以尝试使您的Go服务与Kubernetes上的服务账户配合工作:

  1. 确认您的Go服务已正确配置为使用Kubernetes服务账户。可以通过检查服务账户是否正确挂载为Pod定义中的卷,并且服务能够从该卷中读取凭据来完成此操作。

  2. 确保您正在使用的Go的AWS SDK(https://github.com/aws/aws-sdk-go)已配置为使用正确的凭据。该SDK支持多种方法来提供凭据,包括环境变量、共享凭据文件和IAM角色。

  3. 您可以尝试使用k8s.io/client-go库而不是Go的AWS SDK,这将帮助您使用Kubernetes服务账户对Kubernetes API进行身份验证,并获取AWS SDK所需的凭据。

  4. 如果您正在使用Kubernetes服务账户对外部服务(如AWS)进行身份验证,您可能还需要配置一个IAM角色,以允许服务账户访问所需的资源。

  5. 仔细检查您的Go服务是否正确使用Kubernetes服务账户令牌,并将其作为身份验证令牌传递给AWS SDK。

  6. 您还可以尝试使用k8s.io/client-go库获取密钥,并在您的Go代码中使用它。

英文:

There are a few things you can try to get your Go service to work with service accounts on Kubernetes:

Verify that your Go service is properly configured to use the Kubernetes service account. This can be done by checking that the service account is correctly mounted as a volume in the pod definition and that the service is able to read the credentials from the volume.

Make sure that the AWS SDK for Go you are using (https://github.com/aws/aws-sdk-go) is configured to use the correct credentials. The SDK supports several methods for providing credentials, including environment variables, shared credentials file, and IAM roles.

You can try using the k8s.io/client-go library instead of the AWS SDK for Go, this will help you to use the Kubernetes service account to authenticate with the Kubernetes API and obtain the required credentials for the AWS SDK.

If you are using the Kubernetes service account to authenticate with an external service such as AWS, you may also need to configure an IAM role that allows the service account to access the necessary resources.

Double check that your Go service is correctly using the Kubernetes service account token and is passing it along as an authentication token to the AWS SDK.

You can also try to use the k8s.io/client-go library to get the secret and use it in your go code.

huangapple
  • 本文由 发表于 2023年1月19日 02:19:50
  • 转载请务必保留本文链接:https://go.coder-hub.com/75163622.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定