Which service account are my pods running as by default?

1/3/2019

When I have created a cluster with some nodes on GKE, which user does Google interpret my requests as coming from? E.g. if I open a console on one of the nodes and do an API call to the Stackdriver API, which user does the API think I am?

$ kubectl exec -it my-app bash
$ rails c
irb(main):005:0* Google::Cloud::ErrorReporting.report \
                 Exception.new(msg: "from console")
=> nil
irb(main):006:0> {:msg=>"from console"} (Exception)
Google::Cloud::PermissionDeniedError: 7:User not authorized.

I thought I was the Compute Engine default service account, but that can't be right? I gave that service account the Owner role to test and it still fails.

Do I need to install gcloud on my Docker images on GKE so that I can authenticate as a service account with the correct roles before I start rails?

-- martins
google-cloud-stackdriver
google-kubernetes-engine
service-accounts

1 Answer

8/23/2019

I think your question is answered here: https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform

You need to use the JSON key for the service account you'd like to use to access the API as a secret in your GKE cluster.

-- Yuri Grinshteyn
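
The setup the answer describes, as an added example that is not part of the original answer: a Deployment that mounts the service account's JSON key from a Kubernetes Secret and points the Google client libraries at it through `GOOGLE_APPLICATION_CREDENTIALS`. The Secret name, volume name, mount path and image reference are assumptions; `my-app` is reused from the question.

```yaml
# Added example; the Secret name, volume name, mount path and image are assumed.
# Create the Secret first from the key file of the service account to be used:
#   kubectl create secret generic error-reporting-key --from-file=key.json=./key.json
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      volumes:
        # Exposes each key of the Secret as a file; here a single key.json.
        - name: google-cloud-key
          secret:
            secretName: error-reporting-key
      containers:
        - name: my-app
          # Placeholder image reference, replace with the real one.
          image: gcr.io/PROJECT_ID/my-app:TAG
          volumeMounts:
            - name: google-cloud-key
              mountPath: /var/secrets/google
              readOnly: true
          env:
            # Application Default Credentials read the key file named here,
            # so the app authenticates as that service account instead of
            # whatever identity the node provides.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/key.json
```

Keeping the key in a Secret rather than in the Docker image means it can be rotated without rebuilding, and granting that service account only the roles the app needs limits what a leaked key can do.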
Source: StackOverflow