更改风险建议

更改风险建议能够以智能方式标记对大多数重要资源的常见风险性更改，并提供建议来预防和缓解问题，从而帮助您降低云基础架构配置错误的风险。

简介

配置错误是云突发事件的常见原因。此类错误可能会因人为错误或意外工作负载更改而发生，可能导致各种问题，包括性能问题、可靠性问题，甚至会造成中断。许多配置错误最初可能未被发现，因此难以跟踪和解决。

更改风险建议是 Recommender 服务中新增的 Active Assist 建议和数据分析系列。对于根据使用情况和其他信号确定为“重要”级别的云资源，更改风险建议会自动标记出对其进行的风险性更改，帮助防止、检测和缓解因这类重要云资源的配置错误而引发的问题，例如服务中断。例如，如果您尝试删除某个频繁使用的项目，或者修改可能是重要依赖项的某条 IAM 政策（根据近期使用活动判断），则更改风险建议会主动警告您与指定更改相关的风险，帮助防止出现意外问题。

更改风险建议范围

目前，仅下表中列出的资源和操作支持更改风险建议。

须知事项

开始使用此功能之前，您必须先设置服务：

1. 在单个结算项目上启用 Recommender API。然后，您可以使用此结算项目和 gcloud/API 的结算项目功能检索其他项目、整个组织或结算账号的建议和数据分析。
2. 向将用于访问此功能的用户或服务账号授予权限。

权限

如需查看“更改风险建议”所给出的建议，您必须拥有特定资源的特定权限。

• 项目

  • recommender.resourcemanagerProjectChangeRiskRecommendations.get
  • recommender.resourcemanagerProjectChangeRiskRecommendations.list
  • recommender.resourcemanagerProjectChangeRiskInsights.get
  • recommender.resourcemanagerProjectChangeRiskInsights.list

• 服务账号

  • recommender.iamServiceAccountChangeRiskRecommendations.get
  • recommender.iamServiceAccountChangeRiskRecommendations.list
  • recommender.iamServiceAccountChangeRiskInsights.get
  • recommender.iamServiceAccountChangeRiskInsights.list

• IAM 政策

  • recommender.iamPolicyChangeRiskRecommendations.get
  • recommender.iamPolicyChangeRiskRecommendations.list
  • recommender.iamPolicyChangeRiskInsights.get
  • recommender.iamPolicyChangeRiskInsights.list

您还可以授予 roles/recommender.viewer 角色，以涵盖这些权限。

了解更改风险建议/数据分析的响应

下表介绍了建议和数据分析对象中显示的字段：

建议

数据分析

查看更改风险建议

除了上面讨论的使用模式之外，您还可以使用 Recommender 服务的标准方法来查看项目、服务账号或 IAM 政策的更改风险建议和数据分析：

• Google Cloud 控制台
• API
• gcloud

Google Cloud 控制台

您可以在产品页面本身查看更改风险建议和数据分析。只要您拥有上述权限，这些建议就会自动有效。

Active Assist 会在您要删除重要资源时发出危险警告，并在以下情况下出现该警告时指明要采取的措施：

• 删除项目
• 删除服务账号
• 删除政策绑定

gcloud 和 API

以下部分介绍用于通过 gcloud 和 API 针对项目、服务账号或 IAM 政策请求变更风险建议和数据分析的命令。

项目

所有客户都可以通过 Google Cloud 控制台、gcloud 或 Recommender API 访问数据分析和建议。

gcloud recommender recommendations list
--recommender=google.resourcemanager.project.ChangeRiskRecommender
--project=PROJECT_ID  --location=global --format=yaml

gcloud recommender insights list
--insight-type=google.resourcemanager.project.ChangeRiskInsight
--project=PROJECT_ID  --location=global --format=yaml

curl -H "Authorization: Bearer $(gcloud auth print-access-token)"
-H "x-goog-user-project: BILLING_PROJECT_ID " "https://recommender.googleapis.com/v1/projects/PROJECT_ID /locations/global/
recommenders/google.resourcemanager.project.ChangeRiskRecommender/recommendations"

curl -H "Authorization: Bearer $(gcloud auth print-access-token)"
-H "x-goog-user-project: BILLING_PROJECT_ID " "https://recommender.googleapis.com/v1/projects/PROJECT_ID /locations/global/insightTypes/google.resourcemanager.project.ChangeRiskInsight/insights"

服务账号

所有客户都可以通过 Google Cloud 控制台、gcloud 或 Recommender API 访问有关服务账号的数据分析和建议。

gcloud recommender recommendations list
--recommender=google.iam.serviceAccount.ChangeRiskRecommender
--project=PROJECT_ID  --location=global --format=yaml

gcloud recommender insights list
--insight-type=google.iam.serviceAccount.ChangeRiskInsight
--project=PROJECT_ID  --location=global --format=yaml

curl -H "Authorization: Bearer $(gcloud auth print-access-token)"
-H "x-goog-user-project: BILLING_PROJECT_ID " "https://recommender.googleapis.com/v1/projects/PROJECT_ID /locations/global/
recommenders/google.iam.serviceAccount.ChangeRiskRecommender/recommendations"

curl -H "Authorization: Bearer $(gcloud auth print-access-token)"
-H "x-goog-user-project: BILLING_PROJECT_ID " "https://recommender.googleapis.com/v1/projects/PROJECT_ID /locations/global/insightTypes/google.iam.serviceAccount.ChangeRiskInsight/insights"

IAM 政策

所有客户都可以通过 Google Cloud 控制台、gcloud 或 Recommender API 访问有关 IAM 政策的数据分析和建议。

gcloud recommender recommendations list --recommender=google.iam.policy.ChangeRiskRecommender --project=PROJECT_ID  --location=global --format=yaml

gcloud recommender insights list --insight-type=google.iam.policy.ChangeRiskInsight --project=PROJECT_ID  --location=global --format=yaml

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://recommender.googleapis.com/v1/projects/PROJECT_ID /locations/global/\recommenders/google.iam.policy.ChangeRiskRecommender/recommendations"

curl -H "Authorization: Bearer $(gcloud auth print-access-token)"
-H "x-goog-user-project: BILLING_PROJECT_ID " "https://recommender.googleapis.com/v1/projects/PROJECT_ID /locations/global/insightTypes/google.iam.policy.ChangeRiskInsight/insights"

使用 gcloud CLI 进行风险性删除

通过 gcloud CLI 删除资源时，您可以在 ALPHA 版轨道中使用可选的隐藏标志 --recommend=yes 来中断存在风险的更改。下面显示了受支持的风险性更改以及建议的示例。如果未显示风险评估，则更改被视为没有风险。

项目删除

以下命令可删除项目：

  gcloud alpha projects delete PROJECT_ID  --recommend=yes

您会看到以下受支持的风险性更改和建议：

  Shutting down this project will immediately:
    - Stop all traffic and billing.
    - Start deleting resources.
    - Schedule the final deletion of the project after 30 days.
    - Block your access to the project.
    - Notify the owner of the project.

  Learn more about the shutdown process at
  https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects

  WARNING: If you shut down this project you risk losing data or interrupting your services. In the last 30 days we observed this project had:
    - It had significant usage, including 9942 API calls.
    - It contains at least 1 highly utilized service account.
    - It included at least 211 resources.

  We recommend verifying this is the correct project to shut down.

  View the full risk assessment at: https://console.cloud.google.com/home/recommendations/view-link/projects/123456/locations/global/recommenders/google.resourcemanager.project.ChangeRiskRecommender/recommendations/reco-id-0000-0000-000000000

  Do you want to continue (Y/n)?  n

删除服务账号

以下命令将删除服务账号：

  gcloud alpha iam service-accounts delete example@PROJECT_ID .iam.gserviceaccount.com --recommend=yes

您会看到以下受支持的风险性更改和建议：

  You are about to delete service account [example@PROJECT_ID .iam.gserviceaccount.com]

  Deleting this service account (SA) will delete all associated key IDs, and will prevent the account from authenticating to any Google Cloud service API.

  You cannot restore or roll back this change easily. We highly recommend disabling the account first, testing for any unexpected impact, and only then deleting.

  WARNING: If you delete this SA you risk interrupting your service, as we observed it was substantially used in the last 90 days.

  We recommend verifying this is the correct account to delete.

  View the full risk assessment at: https://console.cloud.google.com/home/recommendations/view-link/projects/123456/locations/global/recommenders/google.iam.serviceAccount.ChangeRiskRecommender/recommendations/reco-id-0000-0000-000000000

  Do you want to continue (Y/n)?  n

如果看到以下错误：

  ERROR: (gcloud.alpha.iam.service-accounts.delete) NOT_FOUND: Method not found.
  - '@type': type.googleapis.com/google.rpc.DebugInfo
    detail: 'Method ListInsights not found for service recommender.googleapis.com. Method not visible to labels: {PUBLIC}'

确保将项目配置设置为已加入许可名单、可以通过以下命令使用 Alpha Recommender API 的项目：

  gcloud config set project PROJECT_ID

项目 IAM 政策绑定删除

以下命令可删除项目 IAM 政策绑定：

  gcloud alpha projects remove-iam-policy-binding PROJECT_ID  --member=YOUR_EMAIL@DOMAIN.COM  --role=roles/owner --recommend=yes

您会看到以下受支持的风险性更改和建议：

  You are about to delete the role [roles/owner].

  WARNING: If you remove the role [roles/owner], there is a high risk that you might cause interruptions because it was used in the last 90 days.

  We recommend you verify the details and replace them with less privileged roles, if necessary.

  View the full risk assessment at: https://console.cloud.google.com/home/recommendations/view-link/projects/123456/locations/global/recommenders/google.iam.policy.ChangeRiskRecommender/recommendations/reco-id-0000-0000-000000000

  Do you want to continue (Y/n)?  n

反馈和支持

如果出现技术问题或希望提供反馈，请发送电子邮件至 active-assist-feedback@google.com。