Supporto del cluster GKE Enterprise remoto
Se hai un problema con i cluster registrati al di fuori di Google Cloud che non riesci a risolvere autonomamente, ti potrebbe essere chiesto di concedere all'assistenza Google Cloud l'accesso di sola lettura ai tuoi cluster per aiutarla a comprendere il problema e a risolverlo più rapidamente. Questa pagina spiega come condividere queste informazioni con l'assistenza Google Cloud .
Questa pagina è rivolta agli amministratori IT e agli operatori che rispondono agli avvisi e alle pagine quando gli obiettivi del livello di servizio (SLO) non vengono raggiunti o le applicazioni non funzionano e che eseguono il debug per trovare la causa principale. Per scoprire di più sui ruoli comuni e sulle attività di esempio a cui facciamo riferimento nei contenuti di Google Cloud , consulta Ruoli e attività comuni degli utenti GKE.
In questo flusso di assistenza, viene configurato un account di servizio Google Cloud dedicato per la tua richiesta di assistenza e gli viene concesso l'accesso di sola lettura al tuo cluster. Il team di assistenza può quindi eseguire comandi di sola lettura utilizzando questo account di servizio per elencare i pod, verificare la riuscita o il mancato pull delle immagini container, ispezionare lo stato dei nodi e così via per aiutarti a risolvere il problema. Il team di assistenza non può apportare modifiche al tuo cluster.
Prima di iniziare
- Assicurati di aver installato i seguenti strumenti a riga di comando:
- Google Cloud CLI con una versione precedente di
486.0.0per abilitare l'accesso. Se devi installare Google Cloud CLI, consulta la guida all'installazione. kubectlper l'esecuzione di comandi sui cluster Kubernetes. Se devi installarekubectl, consulta la guida all'installazione.
- Google Cloud CLI con una versione precedente di
- Assicurati di aver inizializzato gcloud CLI per l'utilizzo con il tuo progetto.
- Assicurati che i cluster per cui devi risolvere i problemi siano registrati nel parco risorse del tuo progetto. Puoi verificare che un cluster sia registrato eseguendo
gcloud container fleet memberships list(ogcloud container fleet memberships describe MEMBERSHIP_NAME, dove MEMBERSHIP_NAME è il nome univoco del cluster). - Assicurati di disporre dell'autorizzazione
gkehub.rbacrolebindings.createnel tuo progetto. Questa autorizzazione è inclusa nei ruoligkehub.editoregkehub.admin. Ti serve per attivare l'accesso all'assistenza. - Assicurati di aver attivato
connectgateway.googleapis.comper il tuo progetto. Per farlo, se non sei un proprietario del progetto, devi disporre dell'autorizzazioneserviceusage.services.enable.
Gestire l'accesso all'assistenza per il cluster
Per attivare l'accesso dell'assistenza per il cluster, esegui un comando gcloud che
propaga un insieme di criteri di controllo dell'accesso basato sui ruoli (RBAC)
di Kubernetes di sola lettura al cluster di destinazione. Il team di assistenza non potrà visualizzare i tuoi
cluster finché non avrai eseguito correttamente questo comando. Per visualizzare le policy RBAC a cui si applica il comando, consulta Esamina in anticipo le policy RBAC.
Per abilitare l'accesso all'assistenza per il cluster, esegui questi comandi:
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # generate RBAC to enable access gcloud container fleet memberships support-access enable MEMBERSHIP_NAME \ --project=PROJECT_ID # verify the access is enabled gcloud container fleet memberships support-access describe MEMBERSHIP_NAME \ --project=PROJECT_ID
Sostituisci quanto segue:
- MEMBERSHIP_NAME: il nome utilizzato per rappresentare in modo univoco il cluster nel suo parco risorse. Puoi scoprire come controllare il nome dell'appartenenza del cluster in Ottenere lo stato di appartenenza al parco risorse.
- PROJECT_ID: l'ID progetto in cui è registrato il cluster.
Una volta chiusa la richiesta di assistenza, Google rimuove l'autorizzazione del team di assistenza ad accedere al tuo cluster. Puoi anche eseguire questo comando per rimuovere manualmente l'autorizzazione di Google ad accedere al tuo cluster:
gcloud container fleet memberships support-access disable MEMBERSHIP_NAME \ --project=PROJECT_ID
Esaminare in anticipo le policy RBAC
Puoi anche generare le policy RBAC proposte in un file per visualizzarle in anteprima, personalizzare l'elenco delle risorse nelle regole delle policy e applicarle direttamente al cluster con i seguenti comandi:
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # display RBAC policies but don't apply them gcloud container fleet memberships support-access get-yaml MEMBERSHIP_NAME \ --project=PROJECT_ID \ --rbac-output-file=RBAC_OUTPUT_FILE # directly apply the modified policies to the cluster kubectl apply -f RBAC_OUTPUT_FILE
Policy RBAC a cui si applica il comando
Nell'output verranno visualizzati l'ID e il numero del progetto anziché
{PROJECT-NUMBER}.
Google Distributed Cloud per VMware
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
- apiGroups:
- onprem.cluster.gke.io
resources: [onpremadminclusters, onpremnodepools, onpremuserclusters, validations, onpremplatforms, onprembundles, clusterstates]
verbs: [get, list, watch]
- apiGroups:
- vsphereproviderconfig.k8s.io
resources: [vsphereclusterproviderconfigs, vspheremachineproviderconfigs]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Google Distributed Cloud per Bare Metal
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
- apiGroups:
- addon.baremetal.cluster.gke.io
resources: [addonmanifests, addonoverrides, addons, addonsets, addonsettemplates]
verbs: [get, list, watch]
- apiGroups:
- baremetal.cluster.gke.io
resources: [addonconfigurations, clustercidrconfigs, clustercredentials, clustermanifestdeployments, clusters, flatipmodes, healthchecks, inventorymachines, kubeletconfigs, machineclasses, machinecredentials, machines, nodepools, nodepoolclaims, nodeproblemdetectors, preflightchecks, secretforwarders]
verbs: [get, list, watch]
- apiGroups:
- infrastructure.baremetal.cluster.gke.io
resources:
- baremetalclusters
- baremetalmachines
verbs: [get, list, watch]
- apiGroups:
- networking.baremetal.cluster.gke.io
resources:
- dpv2multinics
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Cluster collegati a GKE
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Cluster GKE
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Controllare l'utilizzo dell'assistenza Google Cloud
Il team di assistenza accede al tuo cluster utilizzando un account di servizio Google Cloud dedicato per progetto tramite l'API gateway di connessione. Puoi controllare tutte le attività di assistenza utilizzando Cloud Audit Logs.
Per esaminare l'utilizzo, attiva gli audit log dell'accesso ai dati e cerca gli audit log con l'identità del chiamante impostata su service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com. Potrai visualizzare la risorsa a cui è stato eseguito l'accesso nel campo labels.k8s-request-path dell'audit log.
Per ulteriori informazioni su come visualizzare questi dati del log di controllo, consulta Visualizzazione degli audit log di Cloud.
Per visualizzare le operazioni di log di controllo disponibili per il gateway di connessione, vedi Operazioni controllate.
Domande frequenti
A cosa potrà accedere Google?
Questo flusso consente Google Cloud al team di assistenza di avere accesso in sola lettura alle risorse non PII.
Ciò significa che Google non avrà accesso a dati sensibili, ad esempio a secret, token e così via.
Inoltre, Google Cloud Supporto non potrà eseguire comandi come kubectl exec per
accedere a shell in pod/nodi per interagire direttamente con VM/macchine sottostanti.
L'elenco delle risorse a cui è possibile accedere è documentato qui.
Quali modifiche potrà apportare Google al mio cluster?
In questo modo Google dispone dell'accesso in sola lettura. Google Cloud L'assistenza non potrà apportare modifiche al cluster. Se Google Cloud il team di assistenza ha suggerito azioni per risolvere il problema, al cliente verrà chiesto di eseguire comandi di mutazione.
Per quanto tempo Google avrà questo accesso?
Una volta chiusa la richiesta di assistenza, Google rimuove l'autorizzazione del team di assistenza ad accedere al tuo cluster. Puoi anche rimuovere manualmente queste autorizzazioni utilizzando i comandi qui.
Come si accede al cluster?
L'assistenzaGoogle Cloud utilizzerà il servizio Connect Gateway già abilitato per accedere al cluster. Non verrà installato alcun nuovo software sul cluster. Per maggiori dettagli, consulta Connettere le funzionalità di sicurezza.
Perché Google ha bisogno di questo accesso?
Questo accesso consente Google Cloud al team di assistenza di comprendere più facilmente il problema grazie all'accesso in sola lettura in tempo reale alle risorse del cluster. Inoltre, questo riduce le comunicazioni avanti e indietro, in modo che l' Google Cloud assistenza possa eseguire la valutazione e risolvere i problemi molto più rapidamente.
Dove posso vedere a quali risorse è stato eseguito l'accesso nel mio cluster?
Puoi controllare tutte le attività di Google Cloud assistenza sul tuo cluster tramite Cloud Audit Logs. Consulta le istruzioni qui.