# Troubleshoot managed workload identity authentication for GKE

**Preview:** This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the [Service Specific Terms](/terms/service-terms#1). Pre-GA features are available "as is" and might have limited support. For more information, see the [launch stage descriptions](/products#product-launch-stages).

This document describes resolutions for common [managed workload identities](/iam/docs/managed-workload-identity) errors.

You can check the status of a Pod by running the following command:

```
kubectl describe pod
```

Pod fails to be deployed with certificates
------------------------------------------

If the Google Kubernetes Engine (GKE) workload Pod has failed to be deployed with the mounted certificates, use the following command to check the Pod status:

```
kubectl describe pod POD_NAME -n POD_NAMESPACE
```

Permissions-related errors
--------------------------

This section describes errors related to incorrect permissions.

### Permission denied while issuing the certificate: failed to issue the certificate from the GKE Auth

This error looks similar to the following:

```
Permission denied while issuing the certificate: failed to issue the certificate from the GKE Auth: rpc error: code = PermissionDenied desc = Permission 'privateca.certificates.createForSelf' denied on 'projects/PROJECT_NUMBER/locations/REGION/caPools/CA_POOL_ID'
```

The error occurred because the workload identity pool is missing the `CA Service Workload Certificate Requester` role (`roles/privateca.workloadCertificateRequester`) on the subordinate CA pool.

To resolve this error, grant the role to the pool:

```
gcloud privateca pools add-iam-policy-binding SUBORDINATE_CA_POOL_ID \
    --project=CA_POOL_PROJECT_ID \
    --location=REGION \
    --role=roles/privateca.workloadCertificateRequester \
    --member="principal://iam.googleapis.com/projects/CA_POOL_PROJECT_NUMBER/name/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog"
```

Replace the following:

- `SUBORDINATE_CA_POOL_ID`: the subordinate CA pool ID
- `CA_POOL_PROJECT_ID`: the project ID of the root CA pool
- `REGION`: the subordinate CA region
- `CA_POOL_PROJECT_NUMBER`: the CA pool project number
- `PROJECT_ID`: the workload identity pool project ID

### MountVolume.SetUp failed for volume

This error looks similar to the following:

```
MountVolume.SetUp failed for volume "fleet-spiffe-credentials" : rpc error: code = Internal desc = unable to mount volume: while creating volume: while loading trust bundles: rpc error: code = Internal desc = while getting trust map from the trustBundleWatcher: rpc error: code = Internal desc = no GKEClusterTrustBundle objects found with fleet WIP nickname fleet-project/svc.id.goog
```

This error occurred because the workload identity pool is missing the Private CA Pool Reader role (`roles/privateca.poolReader`) on the subordinate CA pool.

To resolve this error, grant the role to the pool and wait a few minutes for the trust bundles to be loaded:

```
gcloud privateca pools add-iam-policy-binding SUBORDINATE_CA_POOL_ID \
    --location=REGION \
    --role=roles/privateca.poolReader \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/name/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog"
```

Replace the following:

- `SUBORDINATE_CA_POOL_ID`: the subordinate CA pool ID
- `REGION`: the subordinate CA region
- `PROJECT_NUMBER`: the workload identity pool project number
- `PROJECT_ID`: the workload identity pool project ID

You can use the following command to check the existence of the trust bundles:

```
kubectl get gkeclustertrustbundle
```

When the trust bundles are loaded, the response looks like the following:

```
NAME                                     AGE
svc.id.goog-PROJECT_ID.svc.id.goog       5m35s
```

In the output, `PROJECT_ID` is the project ID of the fleet that your trust root is associated with.

Certificate errors
------------------

The errors in this section are related to certificate configuration.

Several errors can occur if managed workload identity certificates aren't generated. To check for the existence of these certificates on Pod-mounted volumes, do the following:

1. Connect to the pod.

   ```
   # Open the pod sh interface
   kubectl exec -it $pod_name -n $pod_namespace -- sh
   ```

2. List and inspect the credential files.

   ```
   # Look up the volume contents:
   ls -la /var/run/secrets/workload-spiffe-credentials
   cat /var/run/secrets/workload-spiffe-credentials/certificates.pem
   cat /var/run/secrets/workload-spiffe-credentials/ca_certificates.pem
   cat /var/run/secrets/workload-spiffe-credentials/private_key.pem
   cat /var/run/secrets/workload-spiffe-credentials/trust_bundles.json
   ```

You can also inspect a Pod's certificate provision status by inspecting `k8s_container` logs for the `gke-metadata-server` container through the Google Cloud console.

### Failed precondition while issuing the certificate

The Pod description can include the following message:

```
Failed precondition while issuing the certificate: failed to issue the certificate from the GKE Auth: rpc error: code = FailedPrecondition
```

This error occurred because the workload identity pool wasn't configured with a certificate issuance configuration (CIC).

To resolve this error, [create a CIC](/iam/docs/create-managed-workload-identities-gke#create-certificate-issuance-config) and use it to [update the workload identity pool](/iam/docs/create-managed-workload-identities-gke#update-pool-cas).

Last updated 2025-09-01 (UTC).
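The three error signatures on this page (the `PermissionDenied` on `privateca.certificates.createForSelf`, the missing `GKEClusterTrustBundle`, and the `FailedPrecondition` from a missing CIC) can be mapped mechanically to the documented remediation. The following Python helper is an added example, not Google's code or part of the product: it scans `kubectl describe pod` output line by line, classifies each recognised event, parses the CA pool resource path out of the permission-denied message, and fills what it can into the `gcloud privateca pools add-iam-policy-binding` command from the sections above. The sample events and all names in them (project number, region, pool ID) are constructed; the placeholders left in the generated commands (`CA_POOL_PROJECT_ID`, `PROJECT_ID`, `PROJECT_NUMBER`) are the ones this page tells you to replace. It assumes the project number in the error's `projects/...` path is the CA pool's project number, which is what the page's `CA_POOL_PROJECT_NUMBER` placeholder denotes.

```python
"""Triage helper for managed workload identity Pod events on GKE.

Added example (not Google's code). It classifies the error strings that
`kubectl describe pod` reports for a Pod that fails to mount its workload
certificates and prints the remediation documented on this page.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Resource path embedded in the PermissionDenied message, for example
# projects/123456789012/locations/us-central1/caPools/example-sub-pool
CA_POOL_RE = re.compile(
    r"projects/(?P<project>[^/\s']+)/locations/(?P<location>[^/\s']+)"
    r"/caPools/\s*(?P<pool>[^/\s']+)"
)


@dataclass
class Finding:
    kind: str                     # short label for the failure class
    missing_role: Optional[str]   # IAM role this page says is missing, if any
    ca_pool: Optional[dict]       # parsed project/location/pool, if present
    remediation: str              # next action, as documented on this page


def _binding_command(role: str, pool: Optional[dict], member_project: str) -> str:
    """Build the documented gcloud command, filling what the event revealed.

    The PermissionDenied message names the CA pool by project *number*, while
    the documented command takes a project ID for --project, so that value
    stays a placeholder for the operator to fill in.
    """
    pool_id = pool["pool"] if pool else "SUBORDINATE_CA_POOL_ID"
    location = pool["location"] if pool else "REGION"
    return (
        f"gcloud privateca pools add-iam-policy-binding {pool_id} \\\n"
        f"    --project=CA_POOL_PROJECT_ID \\\n"
        f"    --location={location} \\\n"
        f"    --role={role} \\\n"
        f"    --member=\"principal://iam.googleapis.com/projects/{member_project}"
        f"/name/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog\""
    )


def classify_event(message: str) -> Optional[Finding]:
    """Map one Pod event message to its failure class and documented fix.

    Returns None for messages this helper does not recognise.
    """
    if "privateca.certificates.createForSelf" in message and "PermissionDenied" in message:
        m = CA_POOL_RE.search(message)
        pool = m.groupdict() if m else None
        # Assumption: the project number in the resource path is the CA pool's
        # project number (the page's CA_POOL_PROJECT_NUMBER placeholder).
        member_project = pool["project"] if pool else "CA_POOL_PROJECT_NUMBER"
        role = "roles/privateca.workloadCertificateRequester"
        return Finding("permission-denied-issuing-certificate", role, pool,
                       _binding_command(role, pool, member_project))
    if "no GKEClusterTrustBundle objects found" in message:
        role = "roles/privateca.poolReader"
        return Finding("trust-bundle-missing", role, None,
                       _binding_command(role, None, "PROJECT_NUMBER")
                       + "\n# then wait a few minutes and run: kubectl get gkeclustertrustbundle")
    if "FailedPrecondition" in message and "issue the certificate" in message:
        return Finding("missing-certificate-issuance-config", None, None,
                       "Create a certificate issuance configuration (CIC) and "
                       "update the workload identity pool to use it.")
    return None


def triage(describe_output: str) -> list:
    """Run classify_event over every line of `kubectl describe pod` output."""
    return [f for f in map(classify_event, describe_output.splitlines()) if f]


# Constructed sample of a failing Pod's Events section (not real output).
SAMPLE_EVENTS = """\
Warning  FailedMount  2m  kubelet  MountVolume.SetUp failed for volume "fleet-spiffe-credentials" : rpc error: code = Internal desc = unable to mount volume: while creating volume: while loading trust bundles: rpc error: code = Internal desc = while getting trust map from the trustBundleWatcher: rpc error: code = Internal desc = no GKEClusterTrustBundle objects found with fleet WIP nickname fleet-project/svc.id.goog
Warning  FailedMount  1m  kubelet  Permission denied while issuing the certificate: failed to issue the certificate from the GKE Auth: rpc error: code = PermissionDenied desc = Permission 'privateca.certificates.createForSelf' denied on 'projects/123456789012/locations/us-central1/caPools/example-sub-pool'
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.kind}] missing role: {finding.missing_role}")
        print(finding.remediation, end="\n\n")
```

Pipe real output in with `kubectl describe pod POD_NAME -n POD_NAMESPACE | python3 triage.py` after replacing the `__main__` block's sample with `sys.stdin.read()`; the generated command is a starting point to review, not something to run blindly, since the `--project` value and the workload identity pool project still have to be confirmed by the operator.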
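The "Certificate errors" steps above have you `cat` four files under `/var/run/secrets/workload-spiffe-credentials` to see whether certificates were generated at all. The following Python checker is an added example, not Google's code: it reports, per file, whether it is missing, empty, contains valid PEM blocks whose payload is at least a DER `SEQUENCE` (the outer structure of an X.509 certificate or a PKCS#8 key), and whether `trust_bundles.json` parses as JSON, so "never issued" (empty or missing files) can be told apart from "issued but garbled". The mount path and file names are the ones on this page; the PEM label check (`CERTIFICATE`, `... PRIVATE KEY`) and the DER sanity check are the example's own assumptions, and the `world_readable` field is reported for review only, since the page does not state what mode the mounted key has. Run it inside the Pod with `python3` if available, or on a copy of the directory.

```python
"""Sanity-check the credential files mounted for a GKE managed workload identity.

Added example (not Google's code). Mount path and file names are taken from
this page; the PEM/DER checks are this example's own heuristics.
"""
import base64
import json
import os
import re
import stat

CREDENTIAL_DIR = "/var/run/secrets/workload-spiffe-credentials"
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_blocks(text: str) -> list:
    """Return (label, der_bytes) for every PEM block; raises ValueError on bad base64."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK_RE.findall(text)]


def looks_like_der_sequence(der: bytes) -> bool:
    """X.509 certificates and PKCS#8 keys are DER SEQUENCEs: first byte is 0x30."""
    return len(der) > 2 and der[0] == 0x30


def check_pem_text(text: str, expected_label: str) -> dict:
    """Describe PEM content: empty, bad-base64, malformed, or ok with a block count."""
    if not text.strip():
        return {"status": "empty", "blocks": 0}   # typical when issuance never happened
    try:
        blocks = pem_blocks(text)
    except ValueError:
        return {"status": "bad-base64", "blocks": 0}
    well_formed = bool(blocks) and all(
        label.endswith(expected_label) and looks_like_der_sequence(der)
        for label, der in blocks
    )
    return {"status": "ok" if well_formed else "malformed", "blocks": len(blocks)}


def check_pem_file(path: str, expected_label: str) -> dict:
    """check_pem_text for a file on disk, with a 'missing' status if absent."""
    if not os.path.exists(path):
        return {"status": "missing", "blocks": 0}
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_pem_text(fh.read(), expected_label)


def check_credential_dir(directory: str = CREDENTIAL_DIR) -> dict:
    """Check the four mounted files and return a report keyed by file name."""
    join = lambda name: os.path.join(directory, name)
    report = {
        "certificates.pem": check_pem_file(join("certificates.pem"), "CERTIFICATE"),
        "ca_certificates.pem": check_pem_file(join("ca_certificates.pem"), "CERTIFICATE"),
        "private_key.pem": check_pem_file(join("private_key.pem"), "PRIVATE KEY"),
    }
    # Reported for review only: whether other users in the container can read the key.
    if os.path.exists(join("private_key.pem")):
        mode = stat.S_IMODE(os.stat(join("private_key.pem")).st_mode)
        report["private_key.pem"]["world_readable"] = bool(mode & stat.S_IROTH)
    tb_path = join("trust_bundles.json")
    if not os.path.exists(tb_path):
        report["trust_bundles.json"] = {"status": "missing"}
    else:
        try:
            with open(tb_path, encoding="utf-8") as fh:
                data = json.load(fh)
            report["trust_bundles.json"] = {"status": "ok", "type": type(data).__name__}
        except ValueError:
            report["trust_bundles.json"] = {"status": "invalid-json"}
    healthy = all(entry["status"] == "ok" for entry in report.values())
    report["healthy"] = healthy
    return report


if __name__ == "__main__":
    print(json.dumps(check_credential_dir(), indent=2))
```

If `certificates.pem` reports `empty` or `missing` while `ca_certificates.pem` is fine, the issuing path (the CIC and the `workloadCertificateRequester` binding described above) is the first thing to check; if `trust_bundles.json` is missing, start with the `poolReader` binding and `kubectl get gkeclustertrustbundle`.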