远程 Anthos 集群支持
如果您在使用 Google Cloud 外部的已注册集群时遇到无法自行解决的问题,系统可能会要求您向 Google Cloud 支持授予您集群的只读权限,以使他们能够了解问题并更快地进行诊断。本页面介绍如何向 Google Cloud 支持共享此信息。
本页面适用于在未达到服务等级目标 (SLO),或应用出现故障并进行调试以找出根本原因时对提醒和页面做出响应的 IT 管理员和运维人员。如需详细了解我们在 Google Cloud 内容中提及的常见角色和示例任务,请参阅常见的 GKE Enterprise 用户角色和任务。
在此支持流程中,系统会为您的支持请求设置专用 Google Cloud 服务账号,并授予您集群的只读权限。然后,支持团队可以使用此服务账号运行只读命令来列出 pod、容器映像拉取成功/失败、检查节点状态等,以帮助您解决问题。支持团队无法对您的集群进行任何更改。
须知事项
- 确保您已安装以下命令行工具:
- 确保您已初始化用于您项目的 gcloud CLI。
- 确保需要进行问题排查的集群已注册到项目舰队。您可以通过运行
gcloud container fleet memberships list
(或glcoud container fleet memberships describe MEMBERSHIP_NAME
,其中 MEMBERSHIP_NAME 是集群的唯一名称)来验证集群已注册。 - 确保您在项目中拥有
gkehub.rbacrolebindings.create
权限。gkehub.editor
和gkehub.admin
角色拥有此权限。您需要此权限才能启用支持服务。 - 确保您已为项目启用
connectgateway.googleapis.com
。为此,如果您不是项目所有者,则必须获得serviceusage.services.enable
权限。
管理集群的支持访问权限
如需为集群启用支持访问权限,请运行 gcloud
命令,将一组只读 Kubernetes 基于角色的访问权限控制 (RBAC) 政策传播到目标集群。在您成功运行此命令之前,支持团队将无法查看您的集群。如需查看该命令应用的 RBAC 政策,请参阅提前查看 RBAC 政策。
如需为集群启用支持访问权限,请运行以下命令:
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # generate RBAC to enable access gcloud container fleet memberships support-access enable MEMBERSHIP_NAME \ --project=PROJECT_ID # verify the access is enabled gcloud container fleet memberships support-access describe MEMBERSHIP_NAME \ --project=PROJECT_ID
请替换以下内容:
- MEMBERSHIP_NAME:用于在集群的舰队中唯一表示该集群的名称。您可以参阅获取舰队成员资格状态,了解如何检查集群的成员资格名称。
- PROJECT_ID:在其中注册集群的项目的 ID。
支持请求关闭后,Google 会移除支持团队对您集群的访问权限。 您也可以运行以下命令来手动移除 Google 对您集群的访问权限:
gcloud container fleet memberships support-access disable MEMBERSHIP_NAME \ --project=PROJECT_ID
提前查看 RBAC 政策
您还可以将建议的 RBAC 政策输出到文件中以进行预览,并自定义政策规则中的资源列表,然后使用以下命令将这些资源直接应用于集群:
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # display RBAC policies but don't apply them gcloud container fleet memberships support-access get-yaml MEMBERSHIP_NAME \ --project=PROJECT_ID \ --rbac-output-file=RBAC_OUTPUT_FILE # directly apply the modified policies to the cluster kubectl apply -f RBAC_OUTPUT_FILE
命令应用的 RBAC 政策
您的项目 ID 和项目编号将出现在输出中,而不是 {PROJECT-NUMBER}
中。
Anthos Clusters on VMware
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access rules: - apiGroups: - "" resourceNames: - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-imp-actuation-gke-fleet-support-access subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access rules: - apiGroups: - acme.cert-manager.io resources: [challenges, orders] verbs: [get, list, watch] - apiGroups: - addons.gke.io resources:[metricsserver, monitoring, stackdrivers] verbs: [get, list, watch] - apiGroups: - admissionregistration.k8s.io resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations] verbs: [get, list, watch] - apiGroups: - anthos.gke.io resources: [entitlements, healthcheckjobs, healthchecks] verbs: [get, list, watch] - apiGroups: - apiextensions.k8s.io resources: [customresourcedefinitions] verbs: [get, list, watch] - apiGroups: - apiregistration.k8s.io resources: [apiservices] verbs: [get, list, watch] - apiGroups: - apiserver.k8s.io resources: [flowschemas, prioritylevelconfigurations] verbs: [get, list, watch] - apiGroups: - apps resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset] verbs: [get, list, watch] - apiGroups: - apps.k8s.io resources: [applications] verbs: [get, list, watch] - apiGroups: - authentication.gke.io resources: [clientconfigs] verbs: [get, list, watch] - apiGroups: - batch resources: [cronjobs, jobs] verbs: [get, list, watch] - apiGroups: - bootstrap.cluster.x-k8s.io resources: [kubeadmconfigs, kubeadmconfigtemplates] verbs: [get, list, watch] - apiGroups: - bundle.gke.io resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements] verbs: [get, list, watch] - apiGroups: - bundleext.gke.io resources: [nodeconfigs] verbs: [get, list, watch] - apiGroups: - certificates.k8s.io resources: [certificatesigningrequests] verbs: [get, list, watch] - apiGroups: - cert-manager.io resources: [certificaterequests, certificates, clusterissuers, issuers] verbs: [get, list, watch] - apiGroups: - cilium.io resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads] verbs: [get, list, watch] - apiGroups: - configmanagement.gke.io resources: [configmanagements] verbs: [get, list, watch] - apiGroups: - config.gatekeeper.sh resources: [configs] verbs: [get, list, watch] - apiGroups: - coordination.k8s.io resources: [leases] verbs: [get, list, watch] - apiGroups: - cluster.k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets] verbs: [get, list, watch] - apiGroups: - cluster.x-k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets] verbs: [get, list, watch] - apiGroups: - clusterctl.cluster.x-k8s.io resources: [metadata, providers] verbs: [get, list, watch] - apiGroups: - crd.projectcalico.org resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels] verbs: [get, list, watch] - apiGroups: - discovery.k8s.io resources: [endpointslices] verbs: [get, list, watch] - apiGroups: - expansion.gatekeeper.sh resources: [expansiontemplate] verbs: [get, list, watch] - apiGroups: - extensions.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - gateway.networking.k8s.io resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes] verbs: [get, list, watch] - apiGroups: - hub.gke.io resources: [memberships] verbs: [get, list, watch] - apiGroups: - install.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - k8s.cni.cncf.io resources: [network-attachment-definitions] verbs: [get, list, watch] - apiGroups: - mutations.gatekeeper.sh resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses] verbs: [get, list, watch] - apiGroups: - networking.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - networking.k8s.io resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings] verbs: [get, list, watch] - apiGroups: - node.k8s.io resources: [runtimeclasses] verbs: [get, list, watch] - apiGroups: - policy resources: [poddisruptionbudgets, podsecuritypolicies] verbs: [get, list, watch] - apiGroups: - rbac.authorization.k8s.io resources: [clusterroles, clusterrolebindings, roles, rolebindings] verbs: [get, list, watch] - apiGroups: - security.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - storage.k8s.io resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments] verbs: [get, list, watch] - apiGroups: - sriovnetwork.k8s.cni.cncf.io resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs] verbs: [get, list, watch] - apiGroups: - status.gatekeeper.sh resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses] verbs: [get, list, watch] - apiGroups: - telemetry.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - templates.gatekeeper.sh resources: [constrainttemplates] verbs: [get, list, watch] - apiGroups: - vm.cluster.gke.io resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes] verbs: [get, list, watch] - apiGroups: - '*' resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services] verbs: [get, list, watch] - apiGroups: - onprem.cluster.gke.io resources: [onpremadminclusters, onpremnodepools, onpremuserclusters, validations, onpremplatforms, onprembundles, clusterstates] verbs: [get, list, watch] - apiGroups: - vsphereproviderconfig.k8s.io resources: [vsphereclusterproviderconfigs, vspheremachineproviderconfigs] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-actuation-gke-fleet-support-access subjects: - kind: User name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Anthos Clusters on Bare Metal
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access rules: - apiGroups: - "" resourceNames: - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-imp-actuation-gke-fleet-support-access subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access rules: - apiGroups: - acme.cert-manager.io resources: [challenges, orders] verbs: [get, list, watch] - apiGroups: - addons.gke.io resources:[metricsserver, monitoring, stackdrivers] verbs: [get, list, watch] - apiGroups: - admissionregistration.k8s.io resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations] verbs: [get, list, watch] - apiGroups: - anthos.gke.io resources: [entitlements, healthcheckjobs, healthchecks] verbs: [get, list, watch] - apiGroups: - apiextensions.k8s.io resources: [customresourcedefinitions] verbs: [get, list, watch] - apiGroups: - apiregistration.k8s.io resources: [apiservices] verbs: [get, list, watch] - apiGroups: - apiserver.k8s.io resources: [flowschemas, prioritylevelconfigurations] verbs: [get, list, watch] - apiGroups: - apps resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset] verbs: [get, list, watch] - apiGroups: - apps.k8s.io resources: [applications] verbs: [get, list, watch] - apiGroups: - authentication.gke.io resources: [clientconfigs] verbs: [get, list, watch] - apiGroups: - batch resources: [cronjobs, jobs] verbs: [get, list, watch] - apiGroups: - bootstrap.cluster.x-k8s.io resources: [kubeadmconfigs, kubeadmconfigtemplates] verbs: [get, list, watch] - apiGroups: - bundle.gke.io resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements] verbs: [get, list, watch] - apiGroups: - bundleext.gke.io resources: [nodeconfigs] verbs: [get, list, watch] - apiGroups: - certificates.k8s.io resources: [certificatesigningrequests] verbs: [get, list, watch] - apiGroups: - cert-manager.io resources: [certificaterequests, certificates, clusterissuers, issuers] verbs: [get, list, watch] - apiGroups: - cilium.io resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads] verbs: [get, list, watch] - apiGroups: - configmanagement.gke.io resources: [configmanagements] verbs: [get, list, watch] - apiGroups: - config.gatekeeper.sh resources: [configs] verbs: [get, list, watch] - apiGroups: - coordination.k8s.io resources: [leases] verbs: [get, list, watch] - apiGroups: - cluster.k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets] verbs: [get, list, watch] - apiGroups: - cluster.x-k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets] verbs: [get, list, watch] - apiGroups: - clusterctl.cluster.x-k8s.io resources: [metadata, providers] verbs: [get, list, watch] - apiGroups: - crd.projectcalico.org resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels] verbs: [get, list, watch] - apiGroups: - discovery.k8s.io resources: [endpointslices] verbs: [get, list, watch] - apiGroups: - expansion.gatekeeper.sh resources: [expansiontemplate] verbs: [get, list, watch] - apiGroups: - extensions.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - gateway.networking.k8s.io resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes] verbs: [get, list, watch] - apiGroups: - hub.gke.io resources: [memberships] verbs: [get, list, watch] - apiGroups: - install.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - k8s.cni.cncf.io resources: [network-attachment-definitions] verbs: [get, list, watch] - apiGroups: - mutations.gatekeeper.sh resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses] verbs: [get, list, watch] - apiGroups: - networking.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - networking.k8s.io resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings] verbs: [get, list, watch] - apiGroups: - node.k8s.io resources: [runtimeclasses] verbs: [get, list, watch] - apiGroups: - policy resources: [poddisruptionbudgets, podsecuritypolicies] verbs: [get, list, watch] - apiGroups: - rbac.authorization.k8s.io resources: [clusterroles, clusterrolebindings, roles, rolebindings] verbs: [get, list, watch] - apiGroups: - security.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - storage.k8s.io resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments] verbs: [get, list, watch] - apiGroups: - sriovnetwork.k8s.cni.cncf.io resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs] verbs: [get, list, watch] - apiGroups: - status.gatekeeper.sh resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses] verbs: [get, list, watch] - apiGroups: - telemetry.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - templates.gatekeeper.sh resources: [constrainttemplates] verbs: [get, list, watch] - apiGroups: - vm.cluster.gke.io resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes] verbs: [get, list, watch] - apiGroups: - '*' resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services] verbs: [get, list, watch] - apiGroups: - addon.baremetal.cluster.gke.io resources: [addonmanifests, addonoverrides, addons, addonsets, addonsettemplates] verbs: [get, list, watch] - apiGroups: - baremetal.cluster.gke.io resources: [addonconfigurations, clustercidrconfigs, clustercredentials, clustermanifestdeployments, clusters, flatipmodes, healthchecks, inventorymachines, kubeletconfigs, machineclasses, machinecredentials, machines, nodepools, nodepoolclaims, nodeproblemdetectors, preflightchecks, secretforwarders] verbs: [get, list, watch] - apiGroups: - infrastructure.baremetal.cluster.gke.io resources: - baremetalclusters - baremetalmachines verbs: [get, list, watch] - apiGroups: - networking.baremetal.cluster.gke.io resources: - dpv2multinics verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-actuation-gke-fleet-support-access subjects: - kind: User name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Anthos 连接的集群
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access rules: - apiGroups: - "" resourceNames: - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-imp-actuation-gke-fleet-support-access subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access rules: - apiGroups: - acme.cert-manager.io resources: [challenges, orders] verbs: [get, list, watch] - apiGroups: - addons.gke.io resources:[metricsserver, monitoring, stackdrivers] verbs: [get, list, watch] - apiGroups: - admissionregistration.k8s.io resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations] verbs: [get, list, watch] - apiGroups: - anthos.gke.io resources: [entitlements, healthcheckjobs, healthchecks] verbs: [get, list, watch] - apiGroups: - apiextensions.k8s.io resources: [customresourcedefinitions] verbs: [get, list, watch] - apiGroups: - apiregistration.k8s.io resources: [apiservices] verbs: [get, list, watch] - apiGroups: - apiserver.k8s.io resources: [flowschemas, prioritylevelconfigurations] verbs: [get, list, watch] - apiGroups: - apps resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset] verbs: [get, list, watch] - apiGroups: - apps.k8s.io resources: [applications] verbs: [get, list, watch] - apiGroups: - authentication.gke.io resources: [clientconfigs] verbs: [get, list, watch] - apiGroups: - batch resources: [cronjobs, jobs] verbs: [get, list, watch] - apiGroups: - bootstrap.cluster.x-k8s.io resources: [kubeadmconfigs, kubeadmconfigtemplates] verbs: [get, list, watch] - apiGroups: - bundle.gke.io resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements] verbs: [get, list, watch] - apiGroups: - bundleext.gke.io resources: [nodeconfigs] verbs: [get, list, watch] - apiGroups: - certificates.k8s.io resources: [certificatesigningrequests] verbs: [get, list, watch] - apiGroups: - cert-manager.io resources: [certificaterequests, certificates, clusterissuers, issuers] verbs: [get, list, watch] - apiGroups: - cilium.io resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads] verbs: [get, list, watch] - apiGroups: - configmanagement.gke.io resources: [configmanagements] verbs: [get, list, watch] - apiGroups: - config.gatekeeper.sh resources: [configs] verbs: [get, list, watch] - apiGroups: - coordination.k8s.io resources: [leases] verbs: [get, list, watch] - apiGroups: - cluster.k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets] verbs: [get, list, watch] - apiGroups: - cluster.x-k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets] verbs: [get, list, watch] - apiGroups: - clusterctl.cluster.x-k8s.io resources: [metadata, providers] verbs: [get, list, watch] - apiGroups: - crd.projectcalico.org resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels] verbs: [get, list, watch] - apiGroups: - discovery.k8s.io resources: [endpointslices] verbs: [get, list, watch] - apiGroups: - expansion.gatekeeper.sh resources: [expansiontemplate] verbs: [get, list, watch] - apiGroups: - extensions.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - gateway.networking.k8s.io resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes] verbs: [get, list, watch] - apiGroups: - hub.gke.io resources: [memberships] verbs: [get, list, watch] - apiGroups: - install.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - k8s.cni.cncf.io resources: [network-attachment-definitions] verbs: [get, list, watch] - apiGroups: - mutations.gatekeeper.sh resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses] verbs: [get, list, watch] - apiGroups: - networking.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - networking.k8s.io resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings] verbs: [get, list, watch] - apiGroups: - node.k8s.io resources: [runtimeclasses] verbs: [get, list, watch] - apiGroups: - policy resources: [poddisruptionbudgets, podsecuritypolicies] verbs: [get, list, watch] - apiGroups: - rbac.authorization.k8s.io resources: [clusterroles, clusterrolebindings, roles, rolebindings] verbs: [get, list, watch] - apiGroups: - security.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - storage.k8s.io resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments] verbs: [get, list, watch] - apiGroups: - sriovnetwork.k8s.cni.cncf.io resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs] verbs: [get, list, watch] - apiGroups: - status.gatekeeper.sh resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses] verbs: [get, list, watch] - apiGroups: - telemetry.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - templates.gatekeeper.sh resources: [constrainttemplates] verbs: [get, list, watch] - apiGroups: - vm.cluster.gke.io resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes] verbs: [get, list, watch] - apiGroups: - '*' resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-actuation-gke-fleet-support-access subjects: - kind: User name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
GKE 集群
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access rules: - apiGroups: - "" resourceNames: - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-imp-actuation-gke-fleet-support-access subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access rules: - apiGroups: - acme.cert-manager.io resources: [challenges, orders] verbs: [get, list, watch] - apiGroups: - addons.gke.io resources:[metricsserver, monitoring, stackdrivers] verbs: [get, list, watch] - apiGroups: - admissionregistration.k8s.io resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations] verbs: [get, list, watch] - apiGroups: - anthos.gke.io resources: [entitlements, healthcheckjobs, healthchecks] verbs: [get, list, watch] - apiGroups: - apiextensions.k8s.io resources: [customresourcedefinitions] verbs: [get, list, watch] - apiGroups: - apiregistration.k8s.io resources: [apiservices] verbs: [get, list, watch] - apiGroups: - apiserver.k8s.io resources: [flowschemas, prioritylevelconfigurations] verbs: [get, list, watch] - apiGroups: - apps resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset] verbs: [get, list, watch] - apiGroups: - apps.k8s.io resources: [applications] verbs: [get, list, watch] - apiGroups: - authentication.gke.io resources: [clientconfigs] verbs: [get, list, watch] - apiGroups: - batch resources: [cronjobs, jobs] verbs: [get, list, watch] - apiGroups: - bootstrap.cluster.x-k8s.io resources: [kubeadmconfigs, kubeadmconfigtemplates] verbs: [get, list, watch] - apiGroups: - bundle.gke.io resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements] verbs: [get, list, watch] - apiGroups: - bundleext.gke.io resources: [nodeconfigs] verbs: [get, list, watch] - apiGroups: - certificates.k8s.io resources: [certificatesigningrequests] verbs: [get, list, watch] - apiGroups: - cert-manager.io resources: [certificaterequests, certificates, clusterissuers, issuers] verbs: [get, list, watch] - apiGroups: - cilium.io resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads] verbs: [get, list, watch] - apiGroups: - configmanagement.gke.io resources: [configmanagements] verbs: [get, list, watch] - apiGroups: - config.gatekeeper.sh resources: [configs] verbs: [get, list, watch] - apiGroups: - coordination.k8s.io resources: [leases] verbs: [get, list, watch] - apiGroups: - cluster.k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets] verbs: [get, list, watch] - apiGroups: - cluster.x-k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets] verbs: [get, list, watch] - apiGroups: - clusterctl.cluster.x-k8s.io resources: [metadata, providers] verbs: [get, list, watch] - apiGroups: - crd.projectcalico.org resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels] verbs: [get, list, watch] - apiGroups: - discovery.k8s.io resources: [endpointslices] verbs: [get, list, watch] - apiGroups: - expansion.gatekeeper.sh resources: [expansiontemplate] verbs: [get, list, watch] - apiGroups: - extensions.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - gateway.networking.k8s.io resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes] verbs: [get, list, watch] - apiGroups: - hub.gke.io resources: [memberships] verbs: [get, list, watch] - apiGroups: - install.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - k8s.cni.cncf.io resources: [network-attachment-definitions] verbs: [get, list, watch] - apiGroups: - mutations.gatekeeper.sh resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses] verbs: [get, list, watch] - apiGroups: - networking.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - networking.k8s.io resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings] verbs: [get, list, watch] - apiGroups: - node.k8s.io resources: [runtimeclasses] verbs: [get, list, watch] - apiGroups: - policy resources: [poddisruptionbudgets, podsecuritypolicies] verbs: [get, list, watch] - apiGroups: - rbac.authorization.k8s.io resources: [clusterroles, clusterrolebindings, roles, rolebindings] verbs: [get, list, watch] - apiGroups: - security.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - storage.k8s.io resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments] verbs: [get, list, watch] - apiGroups: - sriovnetwork.k8s.cni.cncf.io resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs] verbs: [get, list, watch] - apiGroups: - status.gatekeeper.sh resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses] verbs: [get, list, watch] - apiGroups: - telemetry.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - templates.gatekeeper.sh resources: [constrainttemplates] verbs: [get, list, watch] - apiGroups: - vm.cluster.gke.io resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes] verbs: [get, list, watch] - apiGroups: - '*' resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-actuation-gke-fleet-support-access subjects: - kind: User name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
审核 Google Cloud 支持团队对您数据的使用
支持团队通过 Connect Gateway API 使用每个项目的专用 Google Cloud 服务账号访问您的集群。您可以使用 Cloud Audit Logs 审核所有支持活动。
如需查看支持团队对您数据的使用,请启用数据访问审核日志,并查找调用方身份设置为 service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com
的审核日志。您将能够在审核日志的 labels.k8s-request-path
字段中查看访问的资源。
如需详细了解如何查看此审核日志数据,请参阅查看 Cloud Audit Logs。
如需查看 Connect Gateway 的可用审核日志操作,请参阅审核的操作。
常见问题解答
Google 将可以访问哪些内容?
此流程允许 Google Cloud 支持团队拥有对非个人身份信息资源的只读权限。这意味着 Google 将无法访问敏感数据(例如 Secret、令牌等)。此外,Google Cloud 支持团队将无法运行 kubectl exec
之类的命令来 Shell 到 pod/节点以直接与底层虚拟机/机器进行交互。您可以访问此处记录,找到可以访问的资源列表。
Google 能够对我的集群进行哪些更改?
这为 Google 提供了只读访问权限,Google Cloud 支持团队将无法对集群进行任何修改。如果 Google Cloud 支持团队建议任何操作来解决问题,系统会要求客户运行变更命令。
Google 拥有此权限多长时间?
支持请求关闭后,Google 会移除支持团队对您集群的访问权限。 您还可以使用此处的命令手动移除这些权限。
集群是如何访问的?
Google Cloud 支持团队将使用已启用的 Connect Gateway 服务访问集群。集群上不会安装任何新软件。如需了解详情,请参阅 Connect 安全功能。
Google 为什么需要此访问权限?
此访问权限使 Google Cloud 支持团队能够拥有对集群资源的实时只读权限,从而更轻松地理解问题。此外,这还可以减少来回通信,因此 Google Cloud 支持团队可以更快地对问题进行分类和解决。
在哪里可以查看我的集群中访问了哪些资源?
您可以通过 Cloud Audit Logs 审核集群上的所有 Google Cloud 支持团队活动。如需说明,请参阅此处。