本页面介绍了如何为 Binary Authorization 授予与当前项目不同的 Google Cloud 项目中的政策和容器映像的访问权限。例如,如果您在不同项目拥有的 Artifact Registry 或 Container Registry(已弃用)制品库的 Google Kubernetes Engine (GKE) 集群中部署映像,则需要为项目中的 Binary Authorization 服务授予来源制品库中的映像元数据的访问权限。
术语
本文档使用以下术语:
- 服务代理: Google Cloud管理的服务账号。Binary Authorization 使用服务代理与 Google Cloud资源(如 GKE 集群)进行交互。
- 政策项目:包含 Binary Authorization 政策的 Google Cloud 项目。
- 集群项目:包含 GKE 集群的 Google Cloud 项目。
- 制品项目:包含 Artifact Registry 或 Container Registry(已弃用)制品库的 Google Cloud 项目。
需要跨项目访问的场景
在以下情况下,您必须授予跨项目权限:
- 政策项目与集群项目不同。
- 集群项目与工件项目不同。
准备工作
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
Install the Google Cloud CLI.
-
如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI。
-
如需初始化 gcloud CLI,请运行以下命令:
gcloud init -
Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Binary Authorization API:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable binaryauthorization.googleapis.com
-
Install the Google Cloud CLI.
-
如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI。
-
如需初始化 gcloud CLI,请运行以下命令:
gcloud init -
Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Binary Authorization API:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable binaryauthorization.googleapis.com
POLICY_PROJECT_ID:包含政策的项目的 ID。CLUSTER_PROJECT_ID:集群的项目 ID。ARTIFACT_PROJECT_ID:包含 Artifact Registry 制品库的项目的 ID。CLUSTER_PROJECT_ID:运行 GKE 集群的项目的 ID。
与政策项目不同的集群项目
为集群项目中的 Binary Authorization 服务代理授予政策项目的 Binary Authorization Policy Evaluator (roles/binaryauthorization.policyEvaluator) 角色。
gcloud projects add-iam-policy-bindingPOLICY_PROJECT_ID\ --member="serviceAccount:service-$(gcloud projects describeCLUSTER_PROJECT_ID--format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com" \ --role=roles/binaryauthorization.policyEvaluator
请替换以下内容:
与工件项目不同的集群项目
为集群项目中的 Binary Authorization 服务代理授予工件项目的 Artifact Registry Reader (roles/artifactregistry.reader) 角色。
gcloud projects add-iam-policy-bindingARTIFACT_PROJECT_ID\ --member="serviceAccount:service-$(gcloud projects describeCLUSTER_PROJECT_ID--format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com" \ --role=roles/artifactregistry.reader
请替换以下内容: