Pods in GKE return "error looking up service account" - how to correctly use a GCP service

Time:11-02

I have created a GKE Service Account.

I have been trying to use it within GKE, but I get the error:

pods "servicepod" is forbidden: error looking up service account service/serviceaccount: serviceaccount "serviceaccount" not found

I have followed the setup guide in this documentation.

1. Created a GCP Service Account called "serviceaccount"

2. Created and downloaded the JSON key as key.json

3. kubectl create secret generic serviceaccountkey --from-file key.json -n service

4. Added the following items to my deployment:

4.Added the following items to my deployment:

    spec:
      volumes:
      - name: serviceaccountkey
        secret:
          secretName: serviceaccountkey
      containers:
      - # container name and image not shown in the post
        volumeMounts:
        - name: serviceaccountkey
          mountPath: /var/secrets/google
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json

When I deploy this out, I get: pods "service-7cdbcc67b9-" is forbidden: error looking up service account service/serviceaccount: serviceaccount "serviceaccount" not found

I'm not sure what else to do to get this working, I've followed the guide and can't see anything that's been missed.

Any help on this would be greatly appreciated!

CodePudding user response:

One of the reasons for getting this error can be that you have created a service account in one namespace and are trying to use that service account in another namespace.

We can resolve this error by creating a RoleBinding for the service account in the new namespace. If the existing service account is in the default namespace, then you can use this YAML file with the new namespace for the RoleBinding.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: 
  name: kubernetes-enforce-default 
  namespace: <new-namespace>
roleRef: 
  apiGroup: rbac.authorization.k8s.io 
  kind: ClusterRole
  name: kubernetes-enforce 
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system

Refer to this similar issue for more information.

CodePudding user response:

This was fixed by using Workload Identity to bind the K8s Service account to the GCP IAM service account:

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
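Added example, not part of the question or either answer: the Workload Identity wiring that the second answer links to, written out as a script. The names are hypothetical (project "my-project", namespace "service", Kubernetes ServiceAccount "serviceaccount", GCP service account "serviceaccount@my-project.iam.gserviceaccount.com"), and it assumes gcloud and kubectl are installed and authenticated against a GKE cluster that has Workload Identity enabled on both the cluster and the node pool.

```shell
#!/bin/sh
# Added example (not from the original question or answers): bind a Kubernetes
# ServiceAccount (KSA) to a GCP IAM service account (GSA) with Workload Identity,
# so the pod reaches Google APIs without a downloaded key or
# GOOGLE_APPLICATION_CREDENTIALS. All names below are assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
NAMESPACE="${NAMESPACE:-service}"
KSA="${KSA:-serviceaccount}"
GSA_NAME="${GSA_NAME:-serviceaccount}"

# E-mail of a GSA: <name>@<project>.iam.gserviceaccount.com
gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# IAM principal that represents a KSA under Workload Identity:
# serviceAccount:<project>.svc.id.goog[<namespace>/<ksa>]
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

# ServiceAccount manifest. It must live in the pod's own namespace; the annotation
# is what the GKE metadata server reads before handing out tokens for the GSA.
ksa_manifest() {
  local ns="$1" ksa="$2" gsa="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${ksa}
  namespace: ${ns}
  annotations:
    iam.gke.io/gcp-service-account: ${gsa}
EOF
}

apply_binding() {
  local gsa member
  gsa="$(gsa_email "$GSA_NAME" "$PROJECT_ID")"
  member="$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA")"

  # 1. Create the KSA in the pod's namespace. Its absence is what
  #    'serviceaccount "serviceaccount" not found' means: serviceAccountName in
  #    the pod spec is resolved only against ServiceAccount objects in that namespace.
  ksa_manifest "$NAMESPACE" "$KSA" "$gsa" | kubectl apply -f -

  # 2. Allow that KSA to impersonate the GSA.
  gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --project "$PROJECT_ID" \
    --role roles/iam.workloadIdentityUser \
    --member "$member"

  # 3. Verify from a pod running as the KSA: the metadata server should answer
  #    with the GSA e-mail, not the node's default service account.
  kubectl run wi-check --rm -i --restart=Never -n "$NAMESPACE" \
    --image=curlimages/curl \
    --overrides="{\"spec\":{\"serviceAccountName\":\"${KSA}\"}}" \
    --command -- curl -s -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
}

# Only touch the cluster when invoked as "sh wi-bind.sh apply"; otherwise the
# helper functions above can be sourced and reused.
if [ "${1:-}" = "apply" ]; then
  apply_binding
fi
```

After this, set serviceAccountName: serviceaccount in the Deployment's pod spec and drop the key volume, the secret and the GOOGLE_APPLICATION_CREDENTIALS variable; the Google client libraries then obtain GSA tokens from the metadata server. Two points worth checking when the error in the question appears: a serviceAccountName only resolves against ServiceAccount objects in the pod's own namespace, and creating a Secret from a downloaded key does not create one. The JSON key itself is a long-lived credential, so once Workload Identity works it should be deleted from the IAM service account rather than left in the cluster.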
