Supporto remoto per i cluster Anthos
Se hai un problema con cluster registrati al di fuori di Google Cloud che non riesci a risolvere autonomamente, ti potrebbe essere chiesto di concedere all'assistenza Google Cloud l'accesso in sola lettura ai cluster per aiutarli a comprendere il problema e classificarlo più velocemente. Questa pagina spiega come condividere queste informazioni con l'assistenza Google Cloud.
Questa pagina è rivolta agli amministratori IT e agli operatori che rispondono agli avvisi e pagine in cui gli obiettivi del livello di servizio (SLO) non vengono soddisfatti o le applicazioni non vanno a buon fine ed eseguire il debug per trovare la causa principale. Per scoprire di più sui ruoli comuni e sulle attività di esempio a cui facciamo riferimento nei contenuti di Google Cloud, Ruoli e attività utente comuni di GKE Enterprise.
In questo flusso di assistenza, viene configurato un account di servizio Google Cloud dedicato per la richiesta di assistenza e viene concesso l'accesso in sola lettura al cluster. Il team di assistenza potrà quindi eseguire comandi di sola lettura utilizzando questo account di servizio per elencare i pod, eseguire il pull dell'immagine container con esito positivo o negativo, esaminare lo stato del nodo e così via per risolvere il problema. Il team di assistenza non può apportare modifiche al cluster.
Prima di iniziare
- Assicurati di avere installato i seguenti strumenti a riga di comando:
- Google Cloud CLI con una versione meno recente di
486.0.0
per abilitare l'accesso. Se devi installare Google Cloud CLI, consulta guida all'installazione. kubectl
per l'esecuzione di comandi sui cluster Kubernetes. Se devi installarekubectl
, consulta la Guida all'installazione.
- Google Cloud CLI con una versione meno recente di
- Assicurati di aver inizializzato la gcloud CLI per utilizzarla con il tuo progetto.
- Assicurati che i cluster di cui devi risolvere i problemi siano registrati nel parco risorse del progetto. Puoi verificare che un cluster sia registrato eseguendo
gcloud container fleet memberships list
(oglcoud container fleet memberships describe MEMBERSHIP_NAME
, dove MEMBERSHIP_NAME è il nome univoco del cluster). - Assicurati di disporre dell'autorizzazione
gkehub.rbacrolebindings.create
nel progetto. Questa autorizzazione è inclusa nei ruoligkehub.editor
egkehub.admin
. È necessario per abilitare l'accesso all'assistenza. - Assicurati di aver attivato
connectgateway.googleapis.com
per il tuo progetto. Per farlo, se non sei un proprietario del progetto, devi disporre dell'autorizzazioneserviceusage.services.enable
.
Gestisci l'accesso all'assistenza per il cluster
Per abilitare l'accesso all'assistenza per il cluster, esegui un comando gcloud
che
propaga un set di controllo degli accessi basato su ruoli (RBAC, Role-Based Access Control) di Kubernetes di sola lettura
automaticamente al cluster di destinazione. Il team di assistenza non potrà visualizzare i tuoi
cluster finché non esegui correttamente questo comando. Per vedere i criteri RBAC che
si applica il comando, vedi
Consulta le norme RBAC in anticipo.
Per abilitare l'accesso all'assistenza per il cluster, esegui questi comandi:
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # generate RBAC to enable access gcloud container fleet memberships support-access enable MEMBERSHIP_NAME \ --project=PROJECT_ID # verify the access is enabled gcloud container fleet memberships support-access describe MEMBERSHIP_NAME \ --project=PROJECT_ID
Sostituisci quanto segue:
- MEMBERSHIP_NAME: il nome utilizzato per rappresentare in modo univoco il cluster nel parco risorse. Puoi scoprire come controllare il nome dell'appartenenza al cluster in Ottenere lo stato di appartenenza al parco risorse.
- PROJECT_ID: l'ID progetto in cui è registrato il cluster.
Dopo la chiusura della richiesta di assistenza, Google rimuove l'autorizzazione del team di assistenza ad accedere al cluster. Puoi anche eseguire questo comando per rimuovere manualmente l'autorizzazione di Google ad accedere al cluster:
gcloud container fleet memberships support-access disable MEMBERSHIP_NAME \ --project=PROJECT_ID
Esamina le norme RBAC in anticipo
Puoi anche inviare i criteri RBAC proposti in un file per visualizzarne l'anteprima. personalizzare l'elenco delle risorse nelle regole dei criteri e applicarle direttamente nel cluster con i seguenti comandi:
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # display RBAC policies but don't apply them gcloud container fleet memberships support-access get-yaml MEMBERSHIP_NAME \ --project=PROJECT_ID \ --rbac-output-file=RBAC_OUTPUT_FILE # directly apply the modified policies to the cluster kubectl apply -f RBAC_OUTPUT_FILE
Criteri RBAC a cui viene applicato il comando
L'ID e il numero del progetto verranno visualizzati nell'output anziché
{PROJECT-NUMBER}
.
Anthos clusters on VMware
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access rules: - apiGroups: - "" resourceNames: - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-imp-actuation-gke-fleet-support-access subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access rules: - apiGroups: - acme.cert-manager.io resources: [challenges, orders] verbs: [get, list, watch] - apiGroups: - addons.gke.io resources:[metricsserver, monitoring, stackdrivers] verbs: [get, list, watch] - apiGroups: - admissionregistration.k8s.io resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations] verbs: [get, list, watch] - apiGroups: - anthos.gke.io resources: [entitlements, healthcheckjobs, healthchecks] verbs: [get, list, watch] - apiGroups: - apiextensions.k8s.io resources: [customresourcedefinitions] verbs: [get, list, watch] - apiGroups: - apiregistration.k8s.io resources: [apiservices] verbs: [get, list, watch] - apiGroups: - apiserver.k8s.io resources: [flowschemas, prioritylevelconfigurations] verbs: [get, list, watch] - apiGroups: - apps resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset] verbs: [get, list, watch] - apiGroups: - apps.k8s.io resources: [applications] verbs: [get, list, watch] - apiGroups: - authentication.gke.io resources: [clientconfigs] verbs: [get, list, watch] - apiGroups: - batch resources: [cronjobs, jobs] verbs: [get, list, watch] - apiGroups: - bootstrap.cluster.x-k8s.io resources: [kubeadmconfigs, kubeadmconfigtemplates] verbs: [get, list, watch] - apiGroups: - bundle.gke.io resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements] verbs: [get, list, watch] - apiGroups: - bundleext.gke.io resources: [nodeconfigs] verbs: [get, list, watch] - apiGroups: - certificates.k8s.io resources: [certificatesigningrequests] verbs: [get, list, watch] - apiGroups: - cert-manager.io resources: [certificaterequests, certificates, clusterissuers, issuers] verbs: [get, list, watch] - apiGroups: - cilium.io resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads] verbs: [get, list, watch] - apiGroups: - configmanagement.gke.io resources: [configmanagements] verbs: [get, list, watch] - apiGroups: - config.gatekeeper.sh resources: [configs] verbs: [get, list, watch] - apiGroups: - coordination.k8s.io resources: [leases] verbs: [get, list, watch] - apiGroups: - cluster.k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets] verbs: [get, list, watch] - apiGroups: - cluster.x-k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets] verbs: [get, list, watch] - apiGroups: - clusterctl.cluster.x-k8s.io resources: [metadata, providers] verbs: [get, list, watch] - apiGroups: - crd.projectcalico.org resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels] verbs: [get, list, watch] - apiGroups: - discovery.k8s.io resources: [endpointslices] verbs: [get, list, watch] - apiGroups: - expansion.gatekeeper.sh resources: [expansiontemplate] verbs: [get, list, watch] - apiGroups: - extensions.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - gateway.networking.k8s.io resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes] verbs: [get, list, watch] - apiGroups: - hub.gke.io resources: [memberships] verbs: [get, list, watch] - apiGroups: - install.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - k8s.cni.cncf.io resources: [network-attachment-definitions] verbs: [get, list, watch] - apiGroups: - mutations.gatekeeper.sh resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses] verbs: [get, list, watch] - apiGroups: - networking.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - networking.k8s.io resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings] verbs: [get, list, watch] - apiGroups: - node.k8s.io resources: [runtimeclasses] verbs: [get, list, watch] - apiGroups: - policy resources: [poddisruptionbudgets, podsecuritypolicies] verbs: [get, list, watch] - apiGroups: - rbac.authorization.k8s.io resources: [clusterroles, clusterrolebindings, roles, rolebindings] verbs: [get, list, watch] - apiGroups: - security.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - storage.k8s.io resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments] verbs: [get, list, watch] - apiGroups: - sriovnetwork.k8s.cni.cncf.io resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs] verbs: [get, list, watch] - apiGroups: - status.gatekeeper.sh resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses] verbs: [get, list, watch] - apiGroups: - telemetry.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - templates.gatekeeper.sh resources: [constrainttemplates] verbs: [get, list, watch] - apiGroups: - vm.cluster.gke.io resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes] verbs: [get, list, watch] - apiGroups: - '*' resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services] verbs: [get, list, watch] - apiGroups: - onprem.cluster.gke.io resources: [onpremadminclusters, onpremnodepools, onpremuserclusters, validations, onpremplatforms, onprembundles, clusterstates] verbs: [get, list, watch] - apiGroups: - vsphereproviderconfig.k8s.io resources: [vsphereclusterproviderconfigs, vspheremachineproviderconfigs] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-actuation-gke-fleet-support-access subjects: - kind: User name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Anthos clusters on bare metal
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access rules: - apiGroups: - "" resourceNames: - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-imp-actuation-gke-fleet-support-access subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access rules: - apiGroups: - acme.cert-manager.io resources: [challenges, orders] verbs: [get, list, watch] - apiGroups: - addons.gke.io resources:[metricsserver, monitoring, stackdrivers] verbs: [get, list, watch] - apiGroups: - admissionregistration.k8s.io resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations] verbs: [get, list, watch] - apiGroups: - anthos.gke.io resources: [entitlements, healthcheckjobs, healthchecks] verbs: [get, list, watch] - apiGroups: - apiextensions.k8s.io resources: [customresourcedefinitions] verbs: [get, list, watch] - apiGroups: - apiregistration.k8s.io resources: [apiservices] verbs: [get, list, watch] - apiGroups: - apiserver.k8s.io resources: [flowschemas, prioritylevelconfigurations] verbs: [get, list, watch] - apiGroups: - apps resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset] verbs: [get, list, watch] - apiGroups: - apps.k8s.io resources: [applications] verbs: [get, list, watch] - apiGroups: - authentication.gke.io resources: [clientconfigs] verbs: [get, list, watch] - apiGroups: - batch resources: [cronjobs, jobs] verbs: [get, list, watch] - apiGroups: - bootstrap.cluster.x-k8s.io resources: [kubeadmconfigs, kubeadmconfigtemplates] verbs: [get, list, watch] - apiGroups: - bundle.gke.io resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements] verbs: [get, list, watch] - apiGroups: - bundleext.gke.io resources: [nodeconfigs] verbs: [get, list, watch] - apiGroups: - certificates.k8s.io resources: [certificatesigningrequests] verbs: [get, list, watch] - apiGroups: - cert-manager.io resources: [certificaterequests, certificates, clusterissuers, issuers] verbs: [get, list, watch] - apiGroups: - cilium.io resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads] verbs: [get, list, watch] - apiGroups: - configmanagement.gke.io resources: [configmanagements] verbs: [get, list, watch] - apiGroups: - config.gatekeeper.sh resources: [configs] verbs: [get, list, watch] - apiGroups: - coordination.k8s.io resources: [leases] verbs: [get, list, watch] - apiGroups: - cluster.k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets] verbs: [get, list, watch] - apiGroups: - cluster.x-k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets] verbs: [get, list, watch] - apiGroups: - clusterctl.cluster.x-k8s.io resources: [metadata, providers] verbs: [get, list, watch] - apiGroups: - crd.projectcalico.org resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels] verbs: [get, list, watch] - apiGroups: - discovery.k8s.io resources: [endpointslices] verbs: [get, list, watch] - apiGroups: - expansion.gatekeeper.sh resources: [expansiontemplate] verbs: [get, list, watch] - apiGroups: - extensions.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - gateway.networking.k8s.io resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes] verbs: [get, list, watch] - apiGroups: - hub.gke.io resources: [memberships] verbs: [get, list, watch] - apiGroups: - install.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - k8s.cni.cncf.io resources: [network-attachment-definitions] verbs: [get, list, watch] - apiGroups: - mutations.gatekeeper.sh resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses] verbs: [get, list, watch] - apiGroups: - networking.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - networking.k8s.io resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings] verbs: [get, list, watch] - apiGroups: - node.k8s.io resources: [runtimeclasses] verbs: [get, list, watch] - apiGroups: - policy resources: [poddisruptionbudgets, podsecuritypolicies] verbs: [get, list, watch] - apiGroups: - rbac.authorization.k8s.io resources: [clusterroles, clusterrolebindings, roles, rolebindings] verbs: [get, list, watch] - apiGroups: - security.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - storage.k8s.io resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments] verbs: [get, list, watch] - apiGroups: - sriovnetwork.k8s.cni.cncf.io resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs] verbs: [get, list, watch] - apiGroups: - status.gatekeeper.sh resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses] verbs: [get, list, watch] - apiGroups: - telemetry.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - templates.gatekeeper.sh resources: [constrainttemplates] verbs: [get, list, watch] - apiGroups: - vm.cluster.gke.io resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes] verbs: [get, list, watch] - apiGroups: - '*' resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services] verbs: [get, list, watch] - apiGroups: - addon.baremetal.cluster.gke.io resources: [addonmanifests, addonoverrides, addons, addonsets, addonsettemplates] verbs: [get, list, watch] - apiGroups: - baremetal.cluster.gke.io resources: [addonconfigurations, clustercidrconfigs, clustercredentials, clustermanifestdeployments, clusters, flatipmodes, healthchecks, inventorymachines, kubeletconfigs, machineclasses, machinecredentials, machines, nodepools, nodepoolclaims, nodeproblemdetectors, preflightchecks, secretforwarders] verbs: [get, list, watch] - apiGroups: - infrastructure.baremetal.cluster.gke.io resources: - baremetalclusters - baremetalmachines verbs: [get, list, watch] - apiGroups: - networking.baremetal.cluster.gke.io resources: - dpv2multinics verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-actuation-gke-fleet-support-access subjects: - kind: User name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Cluster collegati ad Anthos
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access rules: - apiGroups: - "" resourceNames: - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-imp-actuation-gke-fleet-support-access subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access rules: - apiGroups: - acme.cert-manager.io resources: [challenges, orders] verbs: [get, list, watch] - apiGroups: - addons.gke.io resources:[metricsserver, monitoring, stackdrivers] verbs: [get, list, watch] - apiGroups: - admissionregistration.k8s.io resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations] verbs: [get, list, watch] - apiGroups: - anthos.gke.io resources: [entitlements, healthcheckjobs, healthchecks] verbs: [get, list, watch] - apiGroups: - apiextensions.k8s.io resources: [customresourcedefinitions] verbs: [get, list, watch] - apiGroups: - apiregistration.k8s.io resources: [apiservices] verbs: [get, list, watch] - apiGroups: - apiserver.k8s.io resources: [flowschemas, prioritylevelconfigurations] verbs: [get, list, watch] - apiGroups: - apps resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset] verbs: [get, list, watch] - apiGroups: - apps.k8s.io resources: [applications] verbs: [get, list, watch] - apiGroups: - authentication.gke.io resources: [clientconfigs] verbs: [get, list, watch] - apiGroups: - batch resources: [cronjobs, jobs] verbs: [get, list, watch] - apiGroups: - bootstrap.cluster.x-k8s.io resources: [kubeadmconfigs, kubeadmconfigtemplates] verbs: [get, list, watch] - apiGroups: - bundle.gke.io resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements] verbs: [get, list, watch] - apiGroups: - bundleext.gke.io resources: [nodeconfigs] verbs: [get, list, watch] - apiGroups: - certificates.k8s.io resources: [certificatesigningrequests] verbs: [get, list, watch] - apiGroups: - cert-manager.io resources: [certificaterequests, certificates, clusterissuers, issuers] verbs: [get, list, watch] - apiGroups: - cilium.io resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads] verbs: [get, list, watch] - apiGroups: - configmanagement.gke.io resources: [configmanagements] verbs: [get, list, watch] - apiGroups: - config.gatekeeper.sh resources: [configs] verbs: [get, list, watch] - apiGroups: - coordination.k8s.io resources: [leases] verbs: [get, list, watch] - apiGroups: - cluster.k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets] verbs: [get, list, watch] - apiGroups: - cluster.x-k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets] verbs: [get, list, watch] - apiGroups: - clusterctl.cluster.x-k8s.io resources: [metadata, providers] verbs: [get, list, watch] - apiGroups: - crd.projectcalico.org resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels] verbs: [get, list, watch] - apiGroups: - discovery.k8s.io resources: [endpointslices] verbs: [get, list, watch] - apiGroups: - expansion.gatekeeper.sh resources: [expansiontemplate] verbs: [get, list, watch] - apiGroups: - extensions.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - gateway.networking.k8s.io resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes] verbs: [get, list, watch] - apiGroups: - hub.gke.io resources: [memberships] verbs: [get, list, watch] - apiGroups: - install.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - k8s.cni.cncf.io resources: [network-attachment-definitions] verbs: [get, list, watch] - apiGroups: - mutations.gatekeeper.sh resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses] verbs: [get, list, watch] - apiGroups: - networking.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - networking.k8s.io resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings] verbs: [get, list, watch] - apiGroups: - node.k8s.io resources: [runtimeclasses] verbs: [get, list, watch] - apiGroups: - policy resources: [poddisruptionbudgets, podsecuritypolicies] verbs: [get, list, watch] - apiGroups: - rbac.authorization.k8s.io resources: [clusterroles, clusterrolebindings, roles, rolebindings] verbs: [get, list, watch] - apiGroups: - security.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - storage.k8s.io resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments] verbs: [get, list, watch] - apiGroups: - sriovnetwork.k8s.cni.cncf.io resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs] verbs: [get, list, watch] - apiGroups: - status.gatekeeper.sh resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses] verbs: [get, list, watch] - apiGroups: - telemetry.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - templates.gatekeeper.sh resources: [constrainttemplates] verbs: [get, list, watch] - apiGroups: - vm.cluster.gke.io resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes] verbs: [get, list, watch] - apiGroups: - '*' resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-actuation-gke-fleet-support-access subjects: - kind: User name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Cluster GKE
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access rules: - apiGroups: - "" resourceNames: - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-imp-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-imp-actuation-gke-fleet-support-access subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access rules: - apiGroups: - acme.cert-manager.io resources: [challenges, orders] verbs: [get, list, watch] - apiGroups: - addons.gke.io resources:[metricsserver, monitoring, stackdrivers] verbs: [get, list, watch] - apiGroups: - admissionregistration.k8s.io resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations] verbs: [get, list, watch] - apiGroups: - anthos.gke.io resources: [entitlements, healthcheckjobs, healthchecks] verbs: [get, list, watch] - apiGroups: - apiextensions.k8s.io resources: [customresourcedefinitions] verbs: [get, list, watch] - apiGroups: - apiregistration.k8s.io resources: [apiservices] verbs: [get, list, watch] - apiGroups: - apiserver.k8s.io resources: [flowschemas, prioritylevelconfigurations] verbs: [get, list, watch] - apiGroups: - apps resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset] verbs: [get, list, watch] - apiGroups: - apps.k8s.io resources: [applications] verbs: [get, list, watch] - apiGroups: - authentication.gke.io resources: [clientconfigs] verbs: [get, list, watch] - apiGroups: - batch resources: [cronjobs, jobs] verbs: [get, list, watch] - apiGroups: - bootstrap.cluster.x-k8s.io resources: [kubeadmconfigs, kubeadmconfigtemplates] verbs: [get, list, watch] - apiGroups: - bundle.gke.io resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements] verbs: [get, list, watch] - apiGroups: - bundleext.gke.io resources: [nodeconfigs] verbs: [get, list, watch] - apiGroups: - certificates.k8s.io resources: [certificatesigningrequests] verbs: [get, list, watch] - apiGroups: - cert-manager.io resources: [certificaterequests, certificates, clusterissuers, issuers] verbs: [get, list, watch] - apiGroups: - cilium.io resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads] verbs: [get, list, watch] - apiGroups: - configmanagement.gke.io resources: [configmanagements] verbs: [get, list, watch] - apiGroups: - config.gatekeeper.sh resources: [configs] verbs: [get, list, watch] - apiGroups: - coordination.k8s.io resources: [leases] verbs: [get, list, watch] - apiGroups: - cluster.k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets] verbs: [get, list, watch] - apiGroups: - cluster.x-k8s.io resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets] verbs: [get, list, watch] - apiGroups: - clusterctl.cluster.x-k8s.io resources: [metadata, providers] verbs: [get, list, watch] - apiGroups: - crd.projectcalico.org resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels] verbs: [get, list, watch] - apiGroups: - discovery.k8s.io resources: [endpointslices] verbs: [get, list, watch] - apiGroups: - expansion.gatekeeper.sh resources: [expansiontemplate] verbs: [get, list, watch] - apiGroups: - extensions.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - gateway.networking.k8s.io resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes] verbs: [get, list, watch] - apiGroups: - hub.gke.io resources: [memberships] verbs: [get, list, watch] - apiGroups: - install.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - k8s.cni.cncf.io resources: [network-attachment-definitions] verbs: [get, list, watch] - apiGroups: - mutations.gatekeeper.sh resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses] verbs: [get, list, watch] - apiGroups: - networking.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - networking.k8s.io resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings] verbs: [get, list, watch] - apiGroups: - node.k8s.io resources: [runtimeclasses] verbs: [get, list, watch] - apiGroups: - policy resources: [poddisruptionbudgets, podsecuritypolicies] verbs: [get, list, watch] - apiGroups: - rbac.authorization.k8s.io resources: [clusterroles, clusterrolebindings, roles, rolebindings] verbs: [get, list, watch] - apiGroups: - security.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - storage.k8s.io resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments] verbs: [get, list, watch] - apiGroups: - sriovnetwork.k8s.cni.cncf.io resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs] verbs: [get, list, watch] - apiGroups: - status.gatekeeper.sh resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses] verbs: [get, list, watch] - apiGroups: - telemetry.istio.io resources: [*] verbs: [get, list, watch] - apiGroups: - templates.gatekeeper.sh resources: [constrainttemplates] verbs: [get, list, watch] - apiGroups: - vm.cluster.gke.io resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes] verbs: [get, list, watch] - apiGroups: - '*' resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: fleet-rrb-actuation-gke-fleet-support-access roleRef: apiGroup: "" kind: ClusterRole name: fleet-rrb-actuation-gke-fleet-support-access subjects: - kind: User name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Controllare l'utilizzo dell'assistenza Google Cloud
Il team di assistenza accede al cluster utilizzando un account di servizio Google Cloud dedicato per singolo progetto tramite l'API Connect Gateway. Puoi controllare tutte le attività di assistenza utilizzando Cloud Audit Logs.
Per esaminare l'utilizzo, abilita gli audit log di accesso ai dati e cerca quelli con l'identità del chiamante impostata su service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com
. Potrai vedere la risorsa a cui è stato eseguito l'accesso nel campo labels.k8s-request-path
del log di controllo.
Per ulteriori informazioni su come visualizzare questi dati dei log di controllo, consulta Visualizzazione degli audit log di Cloud.
Per visualizzare le operazioni dei log di controllo disponibili per il gateway di connessione, vedi Operazioni sottoposte a controllo.
Domande frequenti
A quali dati potrà accedere Google?
Questo flusso consente all'Assistenza Google Cloud di avere accesso in sola lettura alle risorse non PII.
Ciò significa che Google non avrà accesso a dati sensibili, ad esempio a secret, token e così via. Inoltre, l'Assistenza Google Cloud non potrà eseguire comandi come kubectl exec
per eseguire comandi shell in pod/nodi per interagire direttamente con le VM/macchine sottostanti.
L'elenco delle risorse a cui è possibile accedere è documentato qui.
Quali modifiche potrà apportare Google al mio cluster?
In questo modo Google dispone dell'accesso di sola lettura; l'assistenza di Google Cloud non potrà per apportare modifiche al cluster. Se l'assistenza Google Cloud ha suggerito azioni necessarie per risolvere il problema, al cliente verrà chiesto di eseguire comandi di mutazione.
Per quanto tempo Google avrà questo accesso?
Dopo la chiusura della richiesta di assistenza, Google rimuove l'autorizzazione del team di assistenza ad accedere al cluster. Puoi anche rimuovere manualmente queste autorizzazioni utilizzando i comandi qui.
Come si accede al cluster?
L'assistenza di Google Cloud utilizzerà il servizio Connect Gateway già abilitato per per accedere al cluster. Non verranno installati nuovi software nel cluster. Consulta Connetti le funzionalità di sicurezza per maggiori dettagli.
Perché Google ha bisogno di questo accesso?
Questo accesso consente all'assistenza Google Cloud di comprendere più facilmente il problema con accesso di sola lettura in tempo reale alle risorse del cluster. Inoltre, questo riduce le comunicazioni in modo continuativo in modo che l'assistenza Google Cloud possa classificare e risolvere i problemi in modo molto più rapido.
Dove posso vedere a quali risorse è stato eseguito l'accesso nel mio cluster?
Puoi controllare tutte le attività di assistenza Google Cloud sul tuo cluster tramite Cloud Audit Logs. Vedi le istruzioni qui.