Supporto remoto per i cluster Anthos
Se hai un problema con i cluster registrati al di fuori di Google Cloud che non riesci a risolvere autonomamente, ti potrebbe essere chiesto di concedere all'Assistenza Google Cloud l'accesso di sola lettura ai tuoi cluster per aiutarli a comprendere il problema e a classificarlo più rapidamente. In questa pagina viene spiegato come condividere queste informazioni con l'assistenza Google Cloud.
Questa pagina è rivolta agli amministratori IT e agli operatori che rispondono agli avvisi e pagine in cui gli obiettivi del livello di servizio (SLO) non vengono soddisfatti o le applicazioni non vanno a buon fine ed eseguire il debug per trovare la causa principale. Per scoprire di più sui ruoli comuni e sugli esempi di attività a cui facciamo riferimento nei contenuti di Google Cloud, consulta Ruoli e attività comuni degli utenti di GKE Enterprise.
In questo flusso di assistenza, viene configurato un account di servizio Google Cloud dedicato per la richiesta di assistenza e viene concesso l'accesso in sola lettura al cluster. Il team di assistenza può quindi eseguire comandi di sola lettura utilizzando questo account di servizio per elencare i pod, il successo/l'errore del pull delle immagini container, ispezionare lo stato del nodo e così via per aiutarti a risolvere il problema. Il team di assistenza non può apportare modifiche al cluster.
Prima di iniziare
- Assicurati di aver installato i seguenti strumenti a riga di comando:
- Google Cloud CLI con una versione precedente di
486.0.0per attivare l'accesso. Se devi installare Google Cloud CLI, consulta guida all'installazione. kubectlper l'esecuzione di comandi sui cluster Kubernetes. Se devi installarekubectl, consulta la guida all'installazione.
- Google Cloud CLI con una versione precedente di
- Assicurati di aver inizializzato la gcloud CLI da utilizzare con il tuo progetto.
- Assicurati che i cluster di cui devi risolvere i problemi siano registrati nel parco risorse del progetto. Puoi verificare che un cluster sia registrato eseguendo
gcloud container fleet memberships list(oglcoud container fleet memberships describe MEMBERSHIP_NAME, dove MEMBERSHIP_NAME è il nome univoco del cluster). - Assicurati di disporre dell'autorizzazione
gkehub.rbacrolebindings.createnel progetto. Questa autorizzazione è inclusa nei ruoligkehub.editoregkehub.admin. È necessario per abilitare l'accesso all'assistenza. - Assicurati di aver attivato
connectgateway.googleapis.comper il tuo progetto. Per farlo, se non sei un proprietario del progetto, devi disporre dell'autorizzazioneserviceusage.services.enable.
Gestisci l'accesso all'assistenza per il cluster
Per abilitare l'accesso all'assistenza per il cluster, esegui un comando gcloud che
propaga un set di controllo degli accessi basato su ruoli (RBAC, Role-Based Access Control) di Kubernetes di sola lettura
al cluster di destinazione. Il team di assistenza non potrà visualizzare i tuoi
cluster finché non esegui correttamente questo comando. Per visualizzare i criteri RBAC applicati dal comando, consulta Esaminare in anticipo i criteri RBAC.
Per abilitare l'accesso all'assistenza per il cluster, esegui questi comandi:
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # generate RBAC to enable access gcloud container fleet memberships support-access enable MEMBERSHIP_NAME \ --project=PROJECT_ID # verify the access is enabled gcloud container fleet memberships support-access describe MEMBERSHIP_NAME \ --project=PROJECT_ID
Sostituisci quanto segue:
- MEMBERSHIP_NAME: il nome utilizzato per rappresentare in modo univoco il cluster nel parco risorse. Puoi scoprire come controllare il nome dell'appartenenza al cluster in Ottenere lo stato di appartenenza al parco risorse.
- PROJECT_ID: l'ID progetto in cui è registrato il cluster.
Una volta chiusa la richiesta di assistenza, Google rimuove l'autorizzazione del team di assistenza ad accedere al tuo cluster. Puoi anche eseguire il seguente comando per rimuovere manualmente l'autorizzazione di Google ad accedere al tuo cluster:
gcloud container fleet memberships support-access disable MEMBERSHIP_NAME \ --project=PROJECT_ID
Esamina le norme RBAC in anticipo
Puoi anche esportare i criteri RBAC proposti in un file per visualizzarne un'anteprima, personalizzare l'elenco delle risorse nelle regole del criterio e applicarli direttamente al cluster con i seguenti comandi:
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # display RBAC policies but don't apply them gcloud container fleet memberships support-access get-yaml MEMBERSHIP_NAME \ --project=PROJECT_ID \ --rbac-output-file=RBAC_OUTPUT_FILE # directly apply the modified policies to the cluster kubectl apply -f RBAC_OUTPUT_FILE
Criteri RBAC a cui si applica il comando
L'output mostrerà l'ID e il numero del progetto anziché
{PROJECT-NUMBER}.
Anthos clusters on VMware
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
- apiGroups:
- onprem.cluster.gke.io
resources: [onpremadminclusters, onpremnodepools, onpremuserclusters, validations, onpremplatforms, onprembundles, clusterstates]
verbs: [get, list, watch]
- apiGroups:
- vsphereproviderconfig.k8s.io
resources: [vsphereclusterproviderconfigs, vspheremachineproviderconfigs]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Anthos clusters on bare metal
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
- apiGroups:
- addon.baremetal.cluster.gke.io
resources: [addonmanifests, addonoverrides, addons, addonsets, addonsettemplates]
verbs: [get, list, watch]
- apiGroups:
- baremetal.cluster.gke.io
resources: [addonconfigurations, clustercidrconfigs, clustercredentials, clustermanifestdeployments, clusters, flatipmodes, healthchecks, inventorymachines, kubeletconfigs, machineclasses, machinecredentials, machines, nodepools, nodepoolclaims, nodeproblemdetectors, preflightchecks, secretforwarders]
verbs: [get, list, watch]
- apiGroups:
- infrastructure.baremetal.cluster.gke.io
resources:
- baremetalclusters
- baremetalmachines
verbs: [get, list, watch]
- apiGroups:
- networking.baremetal.cluster.gke.io
resources:
- dpv2multinics
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Cluster collegati ad Anthos
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Cluster GKE
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Controllare l'utilizzo dell'assistenza Google Cloud
Il team di assistenza accede al cluster utilizzando un account di servizio Google Cloud dedicato per singolo progetto tramite l'API Connect Gateway. Puoi controllare tutte le attività di assistenza utilizzando Cloud Audit Logs.
Per esaminare l'utilizzo, abilita gli audit log di accesso ai dati e cerca gli audit log con l'identità chiamante impostata su service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com. Potrai vedere la risorsa a cui è stato eseguito l'accesso nel campo labels.k8s-request-path del log di controllo.
Per ulteriori informazioni su come visualizzare questi dati dei log di controllo, consulta Visualizzazione degli audit log di Cloud.
Per visualizzare le operazioni di audit log disponibili per la connessione del gateway, vedi Operazioni controllate.
Domande frequenti
A quali dati potrà accedere Google?
Questo flusso consente all'Assistenza Google Cloud di avere accesso in sola lettura alle risorse non PII.
Ciò significa che Google non avrà accesso a dati sensibili, ad esempio a secret, token e così via. Inoltre, l'Assistenza Google Cloud non potrà eseguire comandi come kubectl exec per eseguire comandi shell in pod/nodi per interagire direttamente con le VM/macchine sottostanti.
L'elenco delle risorse a cui è possibile accedere è documentato qui.
Quali modifiche potrà apportare Google al mio cluster?
In questo modo Google dispone dell'accesso di sola lettura; l'assistenza di Google Cloud non potrà per apportare modifiche al cluster. Se l'assistenza Google Cloud ha suggerito azioni necessarie per risolvere il problema, al cliente verrà chiesto di eseguire comandi di mutazione.
Per quanto tempo Google avrà questo accesso?
Dopo la chiusura della richiesta di assistenza, Google rimuove l'autorizzazione del team di assistenza ad accedere al cluster. Puoi anche rimuovere manualmente queste autorizzazioni utilizzando i comandi qui.
Come si accede al cluster?
L'assistenza di Google Cloud utilizzerà il servizio Connect Gateway già abilitato per per accedere al cluster. Non verranno installati nuovi software sul cluster. Per maggiori dettagli, consulta Funzionalità di sicurezza di Connect.
Perché Google ha bisogno di questo accesso?
Questo accesso consente all'Assistenza Google Cloud di comprendere più facilmente il problema grazie all'accesso in sola lettura in tempo reale alle risorse del cluster. Inoltre, questo riduce le comunicazioni in modo continuativo in modo che l'assistenza Google Cloud possa classificare e risolvere i problemi in modo molto più rapido.
Dove posso vedere a quali risorse è stato eseguito l'accesso nel mio cluster?
Puoi controllare tutte le attività dell'Assistenza Google Cloud nel tuo cluster tramite Cloud Audit Logs. Vedi le istruzioni qui.