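Ensure that the project, region, namespace name, and service name in your request are all correct and match where you registered the endpoints. All Service Directory services live in a regional namespace, so services registered in one region do not match data in another region.
I granted someone access to a service, but they continue to get permission denied.
This could be for a couple of reasons. First, check that the region is correct. If you set a policy on a namespace or service, the policy applies only to that particular region. If the user is trying to register or look up the same service in another region, they won't have access unless you also grant them IAM access to the service in that region. To debug access issues, try the TestIamPermissions method for services and namespaces.
I added some endpoints and then removed the service backend. Why are the endpoints still there?
Service Directory does not do automatic health checking or heartbeating, and it does not remove endpoints unless you explicitly delete them. Ensure that you add code to your service backends/orchestrators that removes the endpoint from Service Directory once it no longer exists. We recommend using time-to-live annotation fields on endpoints to record the last time an endpoint was registered or updated.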
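The following sketch shows how a cleanup job could act on such a last-registered annotation. It is an added example, not code from the Service Directory documentation. The annotation key `last-registered`, the one-minute clock-skew allowance, and the sample records are assumptions made for illustration; the code makes no API calls and only decides which endpoint names to deregister or review.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical annotation key chosen for this example. Service Directory
# stores annotations as opaque strings and never interprets them.
LAST_SEEN_KEY = "last-registered"
MAX_CLOCK_SKEW = timedelta(minutes=1)  # assumed tolerance for future timestamps

def parse_last_seen(annotations):
    """Return the annotation as an aware UTC datetime, or None if unusable."""
    raw = (annotations or {}).get(LAST_SEEN_KEY)
    if not raw:
        return None
    try:
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        return None
    # A timestamp without a UTC offset is ambiguous, so treat it as unusable.
    return ts.astimezone(timezone.utc) if ts.tzinfo else None

def classify_endpoints(endpoints, now, ttl):
    """Return (stale, unverifiable) lists of endpoint names.

    stale: last registration is older than ttl; candidates to deregister.
    unverifiable: annotation missing, malformed, or dated in the future;
    flag these for review instead of deleting or trusting them silently.
    """
    stale, unverifiable = [], []
    for ep in endpoints:
        seen = parse_last_seen(ep.get("annotations"))
        if seen is None or seen - now > MAX_CLOCK_SKEW:
            unverifiable.append(ep["name"])
        elif now - seen > ttl:
            stale.append(ep["name"])
    return stale, unverifiable

# Constructed sample records (not real resources), shaped like the name and
# annotations fields of registered endpoints.
NOW = datetime(2025, 9, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "ep-fresh", "annotations": {LAST_SEEN_KEY: "2025-09-04T11:58:00Z"}},
    {"name": "ep-stale", "annotations": {LAST_SEEN_KEY: "2025-09-04T09:00:00+00:00"}},
    {"name": "ep-no-annotation", "annotations": {}},
    {"name": "ep-garbled", "annotations": {LAST_SEEN_KEY: "yesterday"}},
    {"name": "ep-future", "annotations": {LAST_SEEN_KEY: "2025-09-05T00:00:00Z"}},
]

if __name__ == "__main__":
    stale, unverifiable = classify_endpoints(SAMPLE, NOW, timedelta(minutes=10))
    print("deregister:", stale)
    print("review:", unverifiable)
```

Because anyone with permission to update an endpoint can write this annotation, treat it as a hint from the registering backend, not as verified health data.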
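I am able to look up endpoints, but every time I try to connect to them, it fails.
Service Directory does not ensure reachability from the client. Services register their endpoints directly with Service Directory. However, the address registered with Service Directory may not be routable (especially if the client and the server are on separate private networks). If the endpoint is routable from the client, then the failure could be due to an unhealthy endpoint. See the following question.
There is already an existing Service Directory namespace, created manually or by using some other integration, with the same name as the GKE namespace you are trying to sync. You must rename or delete the existing Service Directory namespace so that there are no conflicts.
Permissions from your Service Directory service account were removed.
Make sure that service-{PROJECT_NUMBER}@gcp-sa-servicedirectory.iam.gserviceaccount.com has the Service Directory Service Agent IAM permission. For details about IAM, see the IAM documentation.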
Last updated 2025-09-04 UTC.