本頁面說明如何授權 Binary Authorization 存取與目前專案不同的 Google Cloud 專案中的政策和容器映像檔。舉例來說,如果您從其他專案擁有的 Artifact Registry 或 Container Registry (已淘汰) 存放區,在 Google Kubernetes Engine (GKE) 叢集中部署映像檔,則必須授予專案中的二進位授權服務存取權,才能存取來源存放區中的映像檔中繼資料。
術語
本文使用下列術語:
- 服務代理: 由 Google Cloud管理的服務帳戶。二進位授權會使用服務代理程式與 Google Cloud資源 (例如 GKE 叢集) 互動。
- 政策專案: 包含二進位授權政策的 Google Cloud 專案。
- 叢集專案: 含有 GKE 叢集的 Google Cloud 專案。
- 構件專案: 包含 Artifact Registry 或 Container Registry (已淘汰) 存放區的專案。 Google Cloud
需要跨專案存取權的情境
在下列情況中,您必須授予跨專案權限:
- 政策專案與叢集專案不同。
- 叢集專案與構件專案不同。
事前準備
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
Install the Google Cloud CLI.
-
若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI。
-
執行下列指令,初始化 gcloud CLI:
gcloud init -
Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Binary Authorization API:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable binaryauthorization.googleapis.com
-
Install the Google Cloud CLI.
-
若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI。
-
執行下列指令,初始化 gcloud CLI:
gcloud init -
Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Binary Authorization API:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable binaryauthorization.googleapis.com
POLICY_PROJECT_ID:包含政策的專案 ID。CLUSTER_PROJECT_ID:叢集的專案 ID。ARTIFACT_PROJECT_ID:包含 Artifact Registry 存放區的專案 ID。CLUSTER_PROJECT_ID:執行 GKE 叢集的專案 ID。
叢集專案與政策專案不同
在政策專案中,將二進位授權政策評估者 (roles/binaryauthorization.policyEvaluator) 角色授予叢集專案中的二進位授權服務代理程式。
gcloud projects add-iam-policy-bindingPOLICY_PROJECT_ID\ --member="serviceAccount:service-$(gcloud projects describeCLUSTER_PROJECT_ID--format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com" \ --role=roles/binaryauthorization.policyEvaluator
請替換下列項目:
叢集專案與構件專案不同
在構件專案中,將 Artifact Registry 讀取者 (roles/artifactregistry.reader) 角色授予叢集專案中的二進位授權服務代理程式。
gcloud projects add-iam-policy-bindingARTIFACT_PROJECT_ID\ --member="serviceAccount:service-$(gcloud projects describeCLUSTER_PROJECT_ID--format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com" \ --role=roles/artifactregistry.reader
請替換下列項目: