Support for remote Anthos clusters

If you have a problem with a cluster registered from outside Google Cloud that you cannot resolve yourself, you might need to grant Google Cloud Support read-only access to that cluster so that they can diagnose and quickly resolve the problem. This page explains how to share this information with Google Cloud Support.

In this support flow, a dedicated Google Cloud service account is set up for the support case and granted read-only access to your cluster. Support engineers can then use this service account to run read-only commands that help with troubleshooting, such as listing Pods, checking whether container image pulls succeeded or failed, and inspecting node health. Support cannot make changes to your cluster.

Before you begin

  • Make sure the following command-line tools are installed:
    • Google Cloud CLI, minimum version 486.0.0, which is the first version that can enable this access. If you need to install the Google Cloud CLI, see the installation guide.
    • kubectl, for running commands against Kubernetes clusters. If you need to install kubectl, see the installation guide.
  • Make sure you have initialized the gcloud CLI for use with your project.
  • Make sure the cluster you need to troubleshoot is registered to your project's fleet. You can verify that the cluster is registered by running gcloud container fleet memberships list (or gcloud container fleet memberships describe MEMBERSHIP_NAME, where MEMBERSHIP_NAME is the unique name of the cluster).
  • Make sure you have the gkehub.rbacrolebindings.create permission on the project. This permission is included in the gkehub.editor and gkehub.admin roles, and is required to enable support access.
  • Make sure connectgateway.googleapis.com is enabled on the project. If you are not a project owner, you must be granted the serviceusage.services.enable permission to do this.

Manage support access to your cluster

To enable support access to your cluster, you run a gcloud command that propagates a read-only Kubernetes role-based access control (RBAC) policy to the target cluster. Support cannot view your cluster until you have run this command successfully. To see the RBAC policy that the command applies, see Preview the RBAC policy.

To enable support access to your cluster, run the following commands:

# enable Connect Gateway API
gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID

# generate RBAC to enable access
gcloud container fleet memberships support-access enable MEMBERSHIP_NAME \
--project=PROJECT_ID

# verify the access is enabled
gcloud container fleet memberships support-access describe MEMBERSHIP_NAME \
--project=PROJECT_ID

Replace the following:

  • MEMBERSHIP_NAME: the name used to uniquely identify the cluster in this fleet. You can find out how to get the cluster's membership name in Get fleet membership status.
  • PROJECT_ID: the ID of the project in which the cluster is registered.

When the support case is closed, Google removes Support's access to your cluster. You can also remove Google's access to your cluster manually by running the following command:

gcloud container fleet memberships support-access disable MEMBERSHIP_NAME \
--project=PROJECT_ID

Preview the RBAC policy

You can also write the proposed RBAC policy to a file so that you can preview and customize the list of resources in the policy rules, and then apply it directly to the cluster yourself with the following commands:

# enable Connect Gateway API
gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID

# display RBAC policies but don't apply them
gcloud container fleet memberships support-access get-yaml MEMBERSHIP_NAME \
--project=PROJECT_ID \
--rbac-output-file=RBAC_OUTPUT_FILE

# directly apply the modified policies to the cluster
kubectl apply -f RBAC_OUTPUT_FILE
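Before running kubectl apply on a customized file, it is worth confirming that the policy is still read-only and that the impersonation rule is still pinned to the support service account. The following Python script is an added example, not code from this page or from Google; it assumes PyYAML for loading the output file, and audits a constructed bundle that mirrors the shape of the policy shown in the next section.

```python
"""Audit a support-access RBAC bundle before applying it with kubectl."""
import copy
import re

READ_ONLY_VERBS = {"get", "list", "watch"}
# Identity pattern of the Anthos support service account named in the page's policy.
SUPPORT_SA = re.compile(r"^service-\d+@gcp-sa-anthossupport\.iam\.gserviceaccount\.com$")
# The only workload identity the page's policy allows to impersonate the support account.
CONNECT_AGENT = {"kind": "ServiceAccount", "name": "connect-agent-sa", "namespace": "gke-connect"}


def load_policy_file(path):
    """Load every YAML document from the --rbac-output-file (PyYAML assumed installed)."""
    import yaml
    with open(path) as f:
        return [doc for doc in yaml.safe_load_all(f) if doc]


def _is_scoped_impersonation(rule):
    """True only for the rule shape the page uses: impersonate one named support user."""
    names = rule.get("resourceNames") or []
    return bool(set(rule.get("verbs", [])) == {"impersonate"}
                and set(rule.get("apiGroups", [])) == {""}
                and set(rule.get("resources", [])) == {"users"}
                and names and all(SUPPORT_SA.match(n) for n in names))


def audit_support_access(docs):
    """Return (findings, wildcard_reads).

    findings: rules or bindings that go beyond read-only, scoped support access.
    wildcard_reads: read-only rules covering every resource of an API group,
    listed so the reviewer can narrow them before applying the file.
    """
    findings, wildcard_reads = [], []
    roles = {d["metadata"]["name"]: d for d in docs if d.get("kind") == "ClusterRole"}
    for d in docs:
        if d.get("kind") not in ("ClusterRole", "ClusterRoleBinding"):
            findings.append(f"unexpected object kind {d.get('kind')} in bundle")
    for name, role in roles.items():
        for i, rule in enumerate(role.get("rules", [])):
            verbs = set(rule.get("verbs", []))
            if verbs <= READ_ONLY_VERBS:
                if "*" in rule.get("resources", []):
                    wildcard_reads.append((name, i, tuple(rule.get("apiGroups", []))))
            elif "impersonate" in verbs and not _is_scoped_impersonation(rule):
                findings.append(f"{name} rule {i}: impersonation not pinned to the support service account")
            elif "impersonate" not in verbs:
                findings.append(f"{name} rule {i}: non-read-only verbs {sorted(verbs - READ_ONLY_VERBS)}")
    for d in docs:
        if d.get("kind") != "ClusterRoleBinding":
            continue
        bname = d["metadata"]["name"]
        ref = d.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            findings.append(f"{bname}: roleRef {ref.get('name')} is not a ClusterRole in this bundle")
        for subject in d.get("subjects", []):
            if subject == CONNECT_AGENT:
                continue
            if subject.get("kind") == "User" and SUPPORT_SA.match(subject.get("name", "")):
                continue
            findings.append(f"{bname}: unexpected subject {subject}")
    return findings, wildcard_reads


def sample_bundle(project_number="123456789012"):
    """Constructed sample mirroring the page's policy shape (abridged rules, apiVersion omitted)."""
    sa = f"service-{project_number}@gcp-sa-anthossupport.iam.gserviceaccount.com"
    imp = "fleet-rrb-imp-actuation-gke-fleet-support-access"
    read = "fleet-rrb-actuation-gke-fleet-support-access"
    ro = ["get", "list", "watch"]
    return [
        {"kind": "ClusterRole", "metadata": {"name": imp}, "rules": [
            {"apiGroups": [""], "resourceNames": [sa], "resources": ["users"], "verbs": ["impersonate"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": imp},
         "roleRef": {"apiGroup": "", "kind": "ClusterRole", "name": imp}, "subjects": [dict(CONNECT_AGENT)]},
        {"kind": "ClusterRole", "metadata": {"name": read}, "rules": [
            {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments"], "verbs": list(ro)},
            {"apiGroups": ["networking.istio.io"], "resources": ["*"], "verbs": list(ro)},
            {"apiGroups": ["*"], "resources": ["nodes", "pods", "pods/log"], "verbs": list(ro)}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": read},
         "roleRef": {"apiGroup": "", "kind": "ClusterRole", "name": read}, "subjects": [{"kind": "User", "name": sa}]},
    ]


def tampered_bundle():
    """Constructed negative case: a customized file that drifted past read-only access."""
    docs = copy.deepcopy(sample_bundle())
    docs[2]["rules"][0]["verbs"].append("delete")  # write verb slipped into a read rule
    docs[3]["subjects"].append({"kind": "User", "name": "someone@example.com"})  # extra principal
    return docs


if __name__ == "__main__":
    for label, docs in (("page-shaped policy", sample_bundle()), ("tampered policy", tampered_bundle())):
        findings, wild = audit_support_access(docs)
        print(f"{label}: {len(findings)} finding(s), {len(wild)} wildcard read rule(s)")
        for line in findings:
            print("  -", line)
```

To check a real file, pass the result of load_policy_file(RBAC_OUTPUT_FILE) to audit_support_access and apply the file only when findings is empty.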

RBAC policies applied by the command

Your project ID and project number appear in the output in place of {PROJECT-NUMBER}.

Anthos clusters on VMware

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - ""
        resourceNames:
        - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
        resources:
        - users
        verbs:
        - impersonate
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      subjects:
      - kind: ServiceAccount
        name: connect-agent-sa
        namespace: gke-connect
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - acme.cert-manager.io
        resources: [challenges, orders]
        verbs: [get, list, watch]
      - apiGroups:
        - addons.gke.io
        resources: [metricsserver, monitoring, stackdrivers]
        verbs: [get, list, watch]
      - apiGroups:
        - admissionregistration.k8s.io
        resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - anthos.gke.io
        resources: [entitlements, healthcheckjobs, healthchecks]
        verbs: [get, list, watch]
      - apiGroups:
        - apiextensions.k8s.io
        resources: [customresourcedefinitions]
        verbs: [get, list, watch]
      - apiGroups:
        - apiregistration.k8s.io
        resources: [apiservices]
        verbs: [get, list, watch]
      - apiGroups:
        - apiserver.k8s.io
        resources: [flowschemas, prioritylevelconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - apps
        resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
        verbs: [get, list, watch]
      - apiGroups:
        - apps.k8s.io
        resources: [applications]
        verbs: [get, list, watch]
      - apiGroups:
        - authentication.gke.io
        resources: [clientconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - batch
        resources: [cronjobs, jobs]
        verbs: [get, list, watch]
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        resources: [kubeadmconfigs, kubeadmconfigtemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - bundle.gke.io
        resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
        verbs: [get, list, watch]
      - apiGroups:
        - bundleext.gke.io
        resources: [nodeconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - certificates.k8s.io
        resources: [certificatesigningrequests]
        verbs: [get, list, watch]
      - apiGroups:
        - cert-manager.io
        resources: [certificaterequests, certificates, clusterissuers, issuers]
        verbs: [get, list, watch]
      - apiGroups:
        - cilium.io
        resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
        verbs: [get, list, watch]
      - apiGroups:
        - configmanagement.gke.io
        resources: [configmanagements]
        verbs: [get, list, watch]
      - apiGroups:
        - config.gatekeeper.sh
        resources: [configs]
        verbs: [get, list, watch]
      - apiGroups:
        - coordination.k8s.io
        resources: [leases]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.x-k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - clusterctl.cluster.x-k8s.io
        resources: [metadata, providers]
        verbs: [get, list, watch]
      - apiGroups:
        - crd.projectcalico.org
        resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
        verbs: [get, list, watch]
      - apiGroups:
        - discovery.k8s.io
        resources: [endpointslices]
        verbs: [get, list, watch]
      - apiGroups:
        - expansion.gatekeeper.sh
        resources: [expansiontemplate]
        verbs: [get, list, watch]
      - apiGroups:
        - extensions.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - gateway.networking.k8s.io
        resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
        verbs: [get, list, watch]
      - apiGroups:
        - hub.gke.io
        resources: [memberships]
        verbs: [get, list, watch]
      - apiGroups:
        - install.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - k8s.cni.cncf.io
        resources: [network-attachment-definitions]
        verbs: [get, list, watch]
      - apiGroups:
        - mutations.gatekeeper.sh
        resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - networking.k8s.io
        resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
        verbs: [get, list, watch]
      - apiGroups:
        - node.k8s.io
        resources: [runtimeclasses]
        verbs: [get, list, watch]
      - apiGroups:
        - policy
        resources: [poddisruptionbudgets, podsecuritypolicies]
        verbs: [get, list, watch]
      - apiGroups:
        - rbac.authorization.k8s.io
        resources: [clusterroles, clusterrolebindings, roles, rolebindings]
        verbs: [get, list, watch]
      - apiGroups:
        - security.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - storage.k8s.io
        resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
        verbs: [get, list, watch]
      - apiGroups:
        - sriovnetwork.k8s.cni.cncf.io
        resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - status.gatekeeper.sh
        resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - telemetry.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - templates.gatekeeper.sh
        resources: [constrainttemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - vm.cluster.gke.io
        resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
        verbs: [get, list, watch]
      - apiGroups:
        - '*'
        resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
        verbs: [get, list, watch]
      - apiGroups:
        - onprem.cluster.gke.io
        resources: [onpremadminclusters, onpremnodepools, onpremuserclusters, validations, onpremplatforms, onprembundles, clusterstates]
        verbs: [get, list, watch]
      - apiGroups:
        - vsphereproviderconfig.k8s.io
        resources: [vsphereclusterproviderconfigs, vspheremachineproviderconfigs]
        verbs: [get, list, watch]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-actuation-gke-fleet-support-access
      subjects:
      - kind: User
        name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
      

Anthos clusters on bare metal

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - ""
        resourceNames:
        - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
        resources:
        - users
        verbs:
        - impersonate
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      subjects:
      - kind: ServiceAccount
        name: connect-agent-sa
        namespace: gke-connect
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - acme.cert-manager.io
        resources: [challenges, orders]
        verbs: [get, list, watch]
      - apiGroups:
        - addons.gke.io
        resources: [metricsserver, monitoring, stackdrivers]
        verbs: [get, list, watch]
      - apiGroups:
        - admissionregistration.k8s.io
        resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - anthos.gke.io
        resources: [entitlements, healthcheckjobs, healthchecks]
        verbs: [get, list, watch]
      - apiGroups:
        - apiextensions.k8s.io
        resources: [customresourcedefinitions]
        verbs: [get, list, watch]
      - apiGroups:
        - apiregistration.k8s.io
        resources: [apiservices]
        verbs: [get, list, watch]
      - apiGroups:
        - apiserver.k8s.io
        resources: [flowschemas, prioritylevelconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - apps
        resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
        verbs: [get, list, watch]
      - apiGroups:
        - apps.k8s.io
        resources: [applications]
        verbs: [get, list, watch]
      - apiGroups:
        - authentication.gke.io
        resources: [clientconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - batch
        resources: [cronjobs, jobs]
        verbs: [get, list, watch]
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        resources: [kubeadmconfigs, kubeadmconfigtemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - bundle.gke.io
        resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
        verbs: [get, list, watch]
      - apiGroups:
        - bundleext.gke.io
        resources: [nodeconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - certificates.k8s.io
        resources: [certificatesigningrequests]
        verbs: [get, list, watch]
      - apiGroups:
        - cert-manager.io
        resources: [certificaterequests, certificates, clusterissuers, issuers]
        verbs: [get, list, watch]
      - apiGroups:
        - cilium.io
        resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
        verbs: [get, list, watch]
      - apiGroups:
        - configmanagement.gke.io
        resources: [configmanagements]
        verbs: [get, list, watch]
      - apiGroups:
        - config.gatekeeper.sh
        resources: [configs]
        verbs: [get, list, watch]
      - apiGroups:
        - coordination.k8s.io
        resources: [leases]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.x-k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - clusterctl.cluster.x-k8s.io
        resources: [metadata, providers]
        verbs: [get, list, watch]
      - apiGroups:
        - crd.projectcalico.org
        resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
        verbs: [get, list, watch]
      - apiGroups:
        - discovery.k8s.io
        resources: [endpointslices]
        verbs: [get, list, watch]
      - apiGroups:
        - expansion.gatekeeper.sh
        resources: [expansiontemplate]
        verbs: [get, list, watch]
      - apiGroups:
        - extensions.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - gateway.networking.k8s.io
        resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
        verbs: [get, list, watch]
      - apiGroups:
        - hub.gke.io
        resources: [memberships]
        verbs: [get, list, watch]
      - apiGroups:
        - install.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - k8s.cni.cncf.io
        resources: [network-attachment-definitions]
        verbs: [get, list, watch]
      - apiGroups:
        - mutations.gatekeeper.sh
        resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - networking.k8s.io
        resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
        verbs: [get, list, watch]
      - apiGroups:
        - node.k8s.io
        resources: [runtimeclasses]
        verbs: [get, list, watch]
      - apiGroups:
        - policy
        resources: [poddisruptionbudgets, podsecuritypolicies]
        verbs: [get, list, watch]
      - apiGroups:
        - rbac.authorization.k8s.io
        resources: [clusterroles, clusterrolebindings, roles, rolebindings]
        verbs: [get, list, watch]
      - apiGroups:
        - security.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - storage.k8s.io
        resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
        verbs: [get, list, watch]
      - apiGroups:
        - sriovnetwork.k8s.cni.cncf.io
        resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - status.gatekeeper.sh
        resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - telemetry.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - templates.gatekeeper.sh
        resources: [constrainttemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - vm.cluster.gke.io
        resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
        verbs: [get, list, watch]
      - apiGroups:
        - '*'
        resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
        verbs: [get, list, watch]
      - apiGroups:
        - addon.baremetal.cluster.gke.io
        resources: [addonmanifests, addonoverrides, addons, addonsets, addonsettemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - baremetal.cluster.gke.io
        resources: [addonconfigurations, clustercidrconfigs, clustercredentials, clustermanifestdeployments, clusters, flatipmodes, healthchecks, inventorymachines, kubeletconfigs, machineclasses, machinecredentials, machines, nodepools, nodepoolclaims, nodeproblemdetectors, preflightchecks, secretforwarders]
        verbs: [get, list, watch]
      - apiGroups:
        - infrastructure.baremetal.cluster.gke.io
        resources:
        - baremetalclusters
        - baremetalmachines
        verbs: [get, list, watch]
      - apiGroups:
        - networking.baremetal.cluster.gke.io
        resources:
        - dpv2multinics
        verbs: [get, list, watch]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-actuation-gke-fleet-support-access
      subjects:
      - kind: User
        name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
      

Anthos attached clusters

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - ""
        resourceNames:
        - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
        resources:
        - users
        verbs:
        - impersonate
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      subjects:
      - kind: ServiceAccount
        name: connect-agent-sa
        namespace: gke-connect
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - acme.cert-manager.io
        resources: [challenges, orders]
        verbs: [get, list, watch]
      - apiGroups:
        - addons.gke.io
        resources: [metricsserver, monitoring, stackdrivers]
        verbs: [get, list, watch]
      - apiGroups:
        - admissionregistration.k8s.io
        resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - anthos.gke.io
        resources: [entitlements, healthcheckjobs, healthchecks]
        verbs: [get, list, watch]
      - apiGroups:
        - apiextensions.k8s.io
        resources: [customresourcedefinitions]
        verbs: [get, list, watch]
      - apiGroups:
        - apiregistration.k8s.io
        resources: [apiservices]
        verbs: [get, list, watch]
      - apiGroups:
        - apiserver.k8s.io
        resources: [flowschemas, prioritylevelconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - apps
        resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
        verbs: [get, list, watch]
      - apiGroups:
        - apps.k8s.io
        resources: [applications]
        verbs: [get, list, watch]
      - apiGroups:
        - authentication.gke.io
        resources: [clientconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - batch
        resources: [cronjobs, jobs]
        verbs: [get, list, watch]
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        resources: [kubeadmconfigs, kubeadmconfigtemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - bundle.gke.io
        resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
        verbs: [get, list, watch]
      - apiGroups:
        - bundleext.gke.io
        resources: [nodeconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - certificates.k8s.io
        resources: [certificatesigningrequests]
        verbs: [get, list, watch]
      - apiGroups:
        - cert-manager.io
        resources: [certificaterequests, certificates, clusterissuers, issuers]
        verbs: [get, list, watch]
      - apiGroups:
        - cilium.io
        resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
        verbs: [get, list, watch]
      - apiGroups:
        - configmanagement.gke.io
        resources: [configmanagements]
        verbs: [get, list, watch]
      - apiGroups:
        - config.gatekeeper.sh
        resources: [configs]
        verbs: [get, list, watch]
      - apiGroups:
        - coordination.k8s.io
        resources: [leases]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.x-k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - clusterctl.cluster.x-k8s.io
        resources: [metadata, providers]
        verbs: [get, list, watch]
      - apiGroups:
        - crd.projectcalico.org
        resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
        verbs: [get, list, watch]
      - apiGroups:
        - discovery.k8s.io
        resources: [endpointslices]
        verbs: [get, list, watch]
      - apiGroups:
        - expansion.gatekeeper.sh
        resources: [expansiontemplate]
        verbs: [get, list, watch]
      - apiGroups:
        - extensions.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - gateway.networking.k8s.io
        resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
        verbs: [get, list, watch]
      - apiGroups:
        - hub.gke.io
        resources: [memberships]
        verbs: [get, list, watch]
      - apiGroups:
        - install.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - k8s.cni.cncf.io
        resources: [network-attachment-definitions]
        verbs: [get, list, watch]
      - apiGroups:
        - mutations.gatekeeper.sh
        resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - networking.k8s.io
        resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
        verbs: [get, list, watch]
      - apiGroups:
        - node.k8s.io
        resources: [runtimeclasses]
        verbs: [get, list, watch]
      - apiGroups:
        - policy
        resources: [poddisruptionbudgets, podsecuritypolicies]
        verbs: [get, list, watch]
      - apiGroups:
        - rbac.authorization.k8s.io
        resources: [clusterroles, clusterrolebindings, roles, rolebindings]
        verbs: [get, list, watch]
      - apiGroups:
        - security.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - storage.k8s.io
        resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
        verbs: [get, list, watch]
      - apiGroups:
        - sriovnetwork.k8s.cni.cncf.io
        resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - status.gatekeeper.sh
        resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - telemetry.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - templates.gatekeeper.sh
        resources: [constrainttemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - vm.cluster.gke.io
        resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
        verbs: [get, list, watch]
      - apiGroups:
        - '*'
        resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
        verbs: [get, list, watch]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-actuation-gke-fleet-support-access
      subjects:
      - kind: User
        name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
      

GKE clusters

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - ""
        resourceNames:
        - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
        resources:
        - users
        verbs:
        - impersonate
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      subjects:
      - kind: ServiceAccount
        name: connect-agent-sa
        namespace: gke-connect
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - acme.cert-manager.io
        resources: [challenges, orders]
        verbs: [get, list, watch]
      - apiGroups:
        - addons.gke.io
        resources: [metricsserver, monitoring, stackdrivers]
        verbs: [get, list, watch]
      - apiGroups:
        - admissionregistration.k8s.io
        resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - anthos.gke.io
        resources: [entitlements, healthcheckjobs, healthchecks]
        verbs: [get, list, watch]
      - apiGroups:
        - apiextensions.k8s.io
        resources: [customresourcedefinitions]
        verbs: [get, list, watch]
      - apiGroups:
        - apiregistration.k8s.io
        resources: [apiservices]
        verbs: [get, list, watch]
      - apiGroups:
        - apiserver.k8s.io
        resources: [flowschemas, prioritylevelconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - apps
        resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
        verbs: [get, list, watch]
      - apiGroups:
        - apps.k8s.io
        resources: [applications]
        verbs: [get, list, watch]
      - apiGroups:
        - authentication.gke.io
        resources: [clientconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - batch
        resources: [cronjobs, jobs]
        verbs: [get, list, watch]
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        resources: [kubeadmconfigs, kubeadmconfigtemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - bundle.gke.io
        resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
        verbs: [get, list, watch]
      - apiGroups:
        - bundleext.gke.io
        resources: [nodeconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - certificates.k8s.io
        resources: [certificatesigningrequests]
        verbs: [get, list, watch]
      - apiGroups:
        - cert-manager.io
        resources: [certificaterequests, certificates, clusterissuers, issuers]
        verbs: [get, list, watch]
      - apiGroups:
        - cilium.io
        resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
        verbs: [get, list, watch]
      - apiGroups:
        - configmanagement.gke.io
        resources: [configmanagements]
        verbs: [get, list, watch]
      - apiGroups:
        - config.gatekeeper.sh
        resources: [configs]
        verbs: [get, list, watch]
      - apiGroups:
        - coordination.k8s.io
        resources: [leases]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.x-k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - clusterctl.cluster.x-k8s.io
        resources: [metadata, providers]
        verbs: [get, list, watch]
      - apiGroups:
        - crd.projectcalico.org
        resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
        verbs: [get, list, watch]
      - apiGroups:
        - discovery.k8s.io
        resources: [endpointslices]
        verbs: [get, list, watch]
      - apiGroups:
        - expansion.gatekeeper.sh
        resources: [expansiontemplate]
        verbs: [get, list, watch]
      - apiGroups:
        - extensions.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - gateway.networking.k8s.io
        resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
        verbs: [get, list, watch]
      - apiGroups:
        - hub.gke.io
        resources: [memberships]
        verbs: [get, list, watch]
      - apiGroups:
        - install.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - k8s.cni.cncf.io
        resources: [network-attachment-definitions]
        verbs: [get, list, watch]
      - apiGroups:
        - mutations.gatekeeper.sh
        resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - networking.k8s.io
        resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
        verbs: [get, list, watch]
      - apiGroups:
        - node.k8s.io
        resources: [runtimeclasses]
        verbs: [get, list, watch]
      - apiGroups:
        - policy
        resources: [poddisruptionbudgets, podsecuritypolicies]
        verbs: [get, list, watch]
      - apiGroups:
        - rbac.authorization.k8s.io
        resources: [clusterroles, clusterrolebindings, roles, rolebindings]
        verbs: [get, list, watch]
      - apiGroups:
        - security.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - storage.k8s.io
        resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
        verbs: [get, list, watch]
      - apiGroups:
        - sriovnetwork.k8s.cni.cncf.io
        resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - status.gatekeeper.sh
        resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - telemetry.istio.io
        resources: ['*']
        verbs: [get, list, watch]
      - apiGroups:
        - templates.gatekeeper.sh
        resources: [constrainttemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - vm.cluster.gke.io
        resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
        verbs: [get, list, watch]
      - apiGroups:
        - '*'
        resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
        verbs: [get, list, watch]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-actuation-gke-fleet-support-access
      subjects:
      - kind: User
        name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
      

Auditing Google Cloud Support usage

Support accesses your cluster through the Connect Gateway API using a dedicated, per-project Google Cloud service account. You can audit all support activity with Cloud Audit Logs.

To review usage, enable Data Access audit logs and look for audit log entries whose caller identity is service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com. The labels.k8s-request-path field of each audit log entry shows the resource that was accessed.
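An added example (not from this page or from Google's tooling) of the audit review described above: it builds the Cloud Logging filter for the support caller identity, then walks exported audit log entries, tallies labels.k8s-request-path per request, and flags any path the read-only policy should never produce. The log entries are constructed, the project number is made up, and the list of flagged path fragments is my own assumption.

```python
from collections import Counter

# Suffix of the per-project support service account named on this page.
SUPPORT_SA_SUFFIX = "@gcp-sa-anthossupport.iam.gserviceaccount.com"

# Request-path fragments the read-only policy should never produce; a hit is a
# reason to look closer, not by itself evidence of misuse (assumed list).
UNEXPECTED_PATH_FRAGMENTS = ("/secrets", "/exec", "/attach", "/portforward")

def support_access_filter(project_number: str) -> str:
    """Logs Explorer / `gcloud logging read` filter for the support caller."""
    return ('protoPayload.authenticationInfo.principalEmail='
            f'"service-{project_number}{SUPPORT_SA_SUFFIX}"')

def summarize_support_access(entries):
    """Return (Counter of k8s-request-path, list of unexpected paths).

    `entries` are Cloud Audit Log LogEntry dicts as exported from Cloud Logging:
    the caller is protoPayload.authenticationInfo.principalEmail and the
    accessed resource is labels.k8s-request-path (the field named on this page).
    """
    counts, unexpected = Counter(), []
    for entry in entries:
        auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
        if not auth.get("principalEmail", "").endswith(SUPPORT_SA_SUFFIX):
            continue  # a customer identity, not Google support
        path = entry.get("labels", {}).get("k8s-request-path", "<no path>")
        counts[path] += 1
        if any(frag in path for frag in UNEXPECTED_PATH_FRAGMENTS):
            unexpected.append(path)
    return counts, unexpected

def _entry(principal, path):
    return {"protoPayload": {"authenticationInfo": {"principalEmail": principal}},
            "labels": {"k8s-request-path": path}}

# Constructed sample entries (not real log data); the project number is made up.
SUPPORT_SA = "service-123456789012" + SUPPORT_SA_SUFFIX
SAMPLE_ENTRIES = [
    _entry(SUPPORT_SA, "/api/v1/namespaces/kube-system/pods"),
    _entry(SUPPORT_SA, "/api/v1/namespaces/kube-system/pods"),
    _entry(SUPPORT_SA, "/api/v1/nodes"),
    _entry("alice@example.com", "/api/v1/namespaces/default/secrets"),  # skipped
    _entry(SUPPORT_SA, "/api/v1/namespaces/default/secrets"),  # policy forbids this
]

if __name__ == "__main__":
    counts, unexpected = summarize_support_access(SAMPLE_ENTRIES)
    print(dict(counts), "unexpected:", unexpected)
```

Pass the output of `support_access_filter` to the Logs Explorer or to `gcloud logging read`, and feed the exported JSON entries to `summarize_support_access`.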

To learn how to view this audit log data, see Viewing Cloud Audit Logs.

For the audit log operations available for the Connect gateway, see Audited operations.

FAQ

What can Google access?

With this flow, Google Cloud Support gets read-only access to non-PII resources. This means Google cannot access sensitive information such as Secrets and tokens. Google Cloud Support also cannot run commands such as kubectl exec to get a shell into Pods or nodes and interact directly with the underlying VMs or machines. For the list of resources that can be accessed, see here.

What changes can Google make to my cluster?

Google is granted read-only access. Google Cloud Support cannot modify your cluster. If Google Cloud Support has a recommended action to resolve an issue, it will ask you, the customer, to run the mutating command.

How long is Google granted this access?

Google removes Support's access to your cluster when the support case is closed. You can also remove these permissions manually using the commands shown here.

How is the cluster accessed?

Google Cloud Support accesses your cluster using the already enabled Connect gateway service. No new software is installed on your cluster. For details, see Connect security features.

Why does Google need this access?

Real-time read-only access to cluster resources makes it easier for Google Cloud Support to understand the issue. It also reduces the back-and-forth communication that would otherwise be needed, so Google Cloud Support can triage and resolve issues much faster.

Can I see which resources were accessed in my cluster?

All Google Cloud Support activity on your cluster can be audited through Cloud Audit Logs. For details, see here.