cloud-sql-proxy: Container Engine Permission Errors
I have been having issues with the proxy on Container Engine. I have a Cloud SQL database set up using SSL and an allowed IP of 0.0.0.0/0. I want to be able to connect to it from my containers via a service in Kubernetes. I don’t want to put a cloudsql-proxy in every one of my pods; therefore, I believe I need to use the proxy with a TCP port instead of the UNIX socket. I have successfully created the service, secret, and replication controller; however, the proxy is giving me the error:
the default Compute Engine service account is not configured with sufficient permissions to access the Cloud SQL API from this VM. Please create a new VM with Cloud SQL access (scope) enabled under "Identity and API access". Alternatively, create a new "service account key" and specify it using the -credentials_file parameter
I have given it a credentials file (the secret), and the service account has the Editor role assigned to it. I can run the proxy on my machine (OS X) with the credential file and it works perfectly. Below are my Kubernetes definitions:
Secret
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: sqlcreds
type: Opaque
data:
  file.json: "<base64encoded service key json file>"
```
Service
```yaml
apiVersion: v1
kind: Service
metadata:
  name: mysql
  labels:
    app: mysql
spec:
  ports:
    - port: 3306
  selector:
    app: mysql
    role: proxy
```
Replication Controller
```yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: mysql-proxy
  labels:
    app: mysql
    role: proxy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mysql
        role: proxy
    spec:
      volumes:
        - name: secret-volume
          secret:
            secretName: sqlcreds
        - name: ssl-certs
          hostPath:
            path: /etc/ssl/certs
      containers:
        - name: proxy
          image: b.gcr.io/cloudsql-docker/gce-proxy
          command: ["/cloud_sql_proxy", "-dir=/cloudsql", "-credential_file=/secret/file.json", "-instances=<redacted>=tcp:3306"]
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: secret-volume
              mountPath: /secret/
            - name: ssl-certs
              mountPath: /etc/ssl/certs
```
I don’t understand where I am going wrong here. I don’t quite understand the ‘/etc/ssl/certs’ directory, but I included it anyway. It seems to match your README; however, it is still getting the errors. I have read through the other issues here, and there seem to be a couple of people reporting similar issues. Maybe the docker image hasn’t been updated with the latest code? It says it was modified on Apr 18th, if that helps.
About this issue
- State: closed
- Created 8 years ago
- Comments: 22 (10 by maintainers)
Commits related to this issue
- Update README.md for clearer instructions - Only Second Generation is supported for CloudSQL Proxy - On GCE you need to target `b.gcr.io/cloudsql-docker/gce-proxy:1.05` because of this Issue: https:... — committed to frankvanrest/cloudsql-proxy by frankvanrest 8 years ago
- Merge pull request #35 from dazuma/imagemagick-policy Additional ImageMagick policy updates to mitigate vulnerabilities — committed to yosatak/cloud-sql-proxy by dazuma 8 years ago
Yup, you just do a
"-instances=<redacted>=tcp:0.0.0.0:3306"
iirc.

So I’ve been trying to launch the proxy image as its own Kubernetes deployment and interface with it via a service endpoint rather than having it run as a sidecar container (same thing @tutman96 was attempting), but it seems the proxy is listening on 127.0.0.1, which makes me unable to connect to it from outside of the pod and via the service. Is there a way to have it listen on 0.0.0.0?
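The two points raised in the thread, the `tcp:0.0.0.0:3306` listener from the reply above and the shared-proxy layout from the original manifests, fit together as follows. This is an added example, not code from the issue or from the cloud-sql-proxy project. It assumes a namespace `db`, the `1.05` image tag mentioned in the related commit, a placeholder instance connection name `my-project:us-central1:my-instance`, a client pod label `cloudsql-client: "true"`, and a key belonging to a service account granted only `roles/cloudsql.client` rather than Editor; the `apps/v1` and `networking.k8s.io/v1` API versions assume a current cluster rather than the one the issue was filed against.

```yaml
# Added example (not from the issue or the cloud-sql-proxy project): one proxy
# Deployment exposed through a Service, with the listener bound to 0.0.0.0 so
# other pods can reach it, and a NetworkPolicy so that "reachable from other
# pods" does not mean "reachable from every pod in the cluster".
# Assumed placeholders: namespace "db", image tag 1.05, instance connection
# name "my-project:us-central1:my-instance", client label cloudsql-client="true".
apiVersion: v1
kind: Secret
metadata:
  name: sqlcreds
  namespace: db
type: Opaque
data:
  # Key JSON for a service account holding roles/cloudsql.client only (not
  # Editor). Placeholder: base64 of the downloaded key file.
  file.json: "<base64encoded service key json file>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql-proxy
  namespace: db
  labels: {app: mysql, role: proxy}
spec:
  replicas: 1
  selector:
    matchLabels: {app: mysql, role: proxy}
  template:
    metadata:
      labels: {app: mysql, role: proxy}
    spec:
      volumes:
        - name: secret-volume
          secret:
            secretName: sqlcreds
            defaultMode: 0400        # key readable by the proxy process only
        - name: ssl-certs
          hostPath:
            path: /etc/ssl/certs     # host CA bundle, so the proxy can verify the Cloud SQL API's TLS certificate
      containers:
        - name: proxy
          image: b.gcr.io/cloudsql-docker/gce-proxy:1.05
          command:
            - /cloud_sql_proxy
            - -credential_file=/secret/file.json
            # "tcp:3306" alone binds 127.0.0.1, which only the pod itself can
            # reach; "tcp:0.0.0.0:3306" binds the pod's interfaces so the
            # Service below can forward to it. No -dir is needed for TCP mode.
            - -instances=my-project:us-central1:my-instance=tcp:0.0.0.0:3306
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: secret-volume
              mountPath: /secret/
              readOnly: true
            - name: ssl-certs
              mountPath: /etc/ssl/certs
              readOnly: true
---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: db
spec:
  selector: {app: mysql, role: proxy}
  ports:
    - port: 3306
      targetPort: 3306
---
# The proxy authorises the tunnel with the service-account key, then hands the
# connection straight to MySQL. Once it listens on 0.0.0.0, any pod that can
# open TCP 3306 on it gets to try database logins, so limit who can.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mysql-proxy-clients-only
  namespace: db
spec:
  podSelector:
    matchLabels: {app: mysql, role: proxy}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              cloudsql-client: "true"   # assumed label on the application pods
      ports:
        - protocol: TCP
          port: 3306
```

Application pods then connect to `mysql.db.svc.cluster.local:3306` and still authenticate with their MySQL user and password; the proxy only replaces the authorized-network entry (the `0.0.0.0/0` rule in the original setup becomes unnecessary once all access goes through the proxy). The NetworkPolicy only takes effect on clusters whose network plugin enforces it, so check that policy enforcement is enabled before relying on it, and bear in mind that a single shared proxy means one compromised client credential is still exercised from a pod the policy allows.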