If you run into a problem with clusters registered outside Google Cloud and can't resolve it yourself, you might be asked to grant the Google Cloud support team read-only access to your clusters so that they can understand and resolve the issue faster. These clusters can be on Bare Metal, on VMware, on GDC Connected, GKE on AWS, GKE on Azure, or GKE attached clusters.
This page explains how to share this information with Google Cloud support.
This page is for IT administrators and operators who respond to alerts and pages when service-level objectives (SLOs) are not met or applications fail, and who debug to find the root cause. For more about the common roles and example tasks we refer to in Google Cloud content, see Common GKE user roles and tasks.
In this support process, a dedicated Google Cloud service account is set up for your support case and granted read-only permission to the cluster. The support team can use this service account to run read-only commands, such as listing Pods, checking whether a container image pull succeeded or failed, checking node status, and so on, to help resolve the issue. The support team cannot make changes to the cluster.
More information about support:
Before you begin
- Make sure the following command-line tools are installed:
  - Google Cloud CLI, minimum version 486.0.0, to enable the access. If you need to install the Google Cloud CLI, see the installation guide.
  - kubectl, to run commands against Kubernetes clusters. If you need to install kubectl, see the installation guide.
- Make sure you have initialized the gcloud CLI for use with your project.
- Make sure the clusters you want to troubleshoot are registered to the project's fleet. To confirm that a cluster is registered, run gcloud container fleet memberships list (or gcloud container fleet memberships describe MEMBERSHIP_NAME, where MEMBERSHIP_NAME is the unique name of the cluster).
- Make sure you have the gkehub.rbacrolebindings.create permission in the project. This permission is included in the gkehub.editor and gkehub.admin roles and is required to enable support access.
- Make sure connectgateway.googleapis.com is enabled in the project. If you are not the project owner, you need the serviceusage.services.enable permission to do this.
Manage support access to the cluster
To enable support access to a cluster, you run a gcloud command that pushes a set of read-only Kubernetes role-based access control (RBAC) policies to the target cluster. The support team cannot see your clusters until you have run this command successfully. To see the RBAC policies the command applies, see Preview the RBAC policies.
To enable support access to a cluster, run the following commands:
# enable Connect Gateway API
gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID

# generate RBAC to enable access
gcloud container fleet memberships support-access enable MEMBERSHIP_NAME \
    --project=PROJECT_ID

# verify the access is enabled
gcloud container fleet memberships support-access describe MEMBERSHIP_NAME \
    --project=PROJECT_ID
Replace the following:
- MEMBERSHIP_NAME: the name that uniquely represents the cluster in the fleet. See Get fleet membership status for how to look up a cluster's membership name.
- PROJECT_ID: the ID of the project in which the cluster is registered.
After the support case is closed, Google removes the support team's permission to access the cluster. You can also run the following command to remove Google's permission to access the cluster manually:
gcloud container fleet memberships support-access disable MEMBERSHIP_NAME \
    --project=PROJECT_ID
Preview the RBAC policies
You can also export the proposed RBAC policies to a file to preview them, customize the list of resources in the policies, and apply them directly to the cluster with the following commands:
# enable Connect Gateway API
gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID

# display RBAC policies but don't apply them
gcloud container fleet memberships support-access get-yaml MEMBERSHIP_NAME \
    --project=PROJECT_ID \
    --rbac-output-file=RBAC_OUTPUT_FILE

# directly apply the modified policies to the cluster
kubectl apply -f RBAC_OUTPUT_FILE
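Before you run kubectl apply on an exported or hand-edited RBAC_OUTPUT_FILE, it is worth checking that the file still has the properties this page promises (read-only verbs, impersonation pinned to the support identity, no Secrets). The following is an added example, not code from the Google Cloud documentation or the gcloud tool; the manifest shape is the one shown under "RBAC policies the command applies", the sample documents and the 123456789012 project number are constructed, and drop_api_groups() is one hypothetical way to customize the export.

```python
"""Audit an exported support-access RBAC file before you apply it.

Added example, not part of the Google Cloud documentation. It checks the
properties the page claims for the generated policies: every ClusterRole rule
is read-only (get/list/watch), the only impersonate rule is pinned through
resourceNames to the support service account, no rule reaches Secrets or
exec-style subresources, and bindings name only the support identity or the
Connect agent. drop_api_groups() is one way to customize the export.
"""

READ_ONLY_VERBS = {"get", "list", "watch"}
SUPPORT_SA_SUFFIX = "@gcp-sa-anthossupport.iam.gserviceaccount.com"
# Resources the page says support must never reach. Note that configmaps ARE
# readable under the generated policy, so the page's "no secrets" claim also
# relies on you not keeping credentials in ConfigMaps.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach",
                       "pods/portforward", "nodes/proxy", "serviceaccounts/token"}


def _rule_findings(role, idx, rule):
    verbs = set(rule.get("verbs", []))
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    out = []
    if "impersonate" in verbs:
        names = rule.get("resourceNames", [])
        if verbs != {"impersonate"} or resources != {"users"}:
            out.append(f"{role} rule {idx}: impersonate rule must cover users only")
        if not names or not all(n.endswith(SUPPORT_SA_SUFFIX) for n in names):
            out.append(f"{role} rule {idx}: impersonate not pinned to the support SA")
        return out
    extra = verbs - READ_ONLY_VERBS
    if extra:
        out.append(f"{role} rule {idx}: non-read-only verbs {sorted(extra)}")
    hit = resources & SENSITIVE_RESOURCES
    if hit:
        out.append(f"{role} rule {idx}: sensitive resources {sorted(hit)}")
    # The page uses resources: ['*'] only for specific Istio API groups; in the
    # core group or across all groups a wildcard would include Secrets.
    if "*" in resources and groups & {"*", ""}:
        out.append(f"{role} rule {idx}: wildcard resources in core/all API groups")
    return out


def _subject_ok(subject):
    if subject.get("kind") == "User":
        return subject.get("name", "").endswith(SUPPORT_SA_SUFFIX)
    return (subject.get("kind") == "ServiceAccount"
            and subject.get("name") == "connect-agent-sa"
            and subject.get("namespace") == "gke-connect")


def audit_support_rbac(docs):
    """Return findings for parsed manifests; an empty list means they match the page's claims."""
    findings = []
    for doc in docs:
        name = doc.get("metadata", {}).get("name", "<unnamed>")
        if doc.get("kind") == "ClusterRole":
            for i, rule in enumerate(doc.get("rules", [])):
                findings.extend(_rule_findings(name, i, rule))
        elif doc.get("kind") == "ClusterRoleBinding":
            findings.extend(f"{name}: unexpected subject {s}"
                            for s in doc.get("subjects", []) if not _subject_ok(s))
        else:
            findings.append(f"{name}: unexpected kind {doc.get('kind')}")
    return findings


def drop_api_groups(docs, groups):
    """Customize the export by removing every rule that names one of these API groups."""
    drop = set(groups)
    out = []
    for doc in docs:
        doc = dict(doc)
        if doc.get("kind") == "ClusterRole":
            doc["rules"] = [r for r in doc.get("rules", [])
                            if not set(r.get("apiGroups", [])) & drop]
        out.append(doc)
    return out


def load_rbac_file(path):
    """Load the multi-document YAML written by --rbac-output-file (needs PyYAML)."""
    import yaml  # imported here so the audit itself has no third-party dependency
    with open(path) as fh:
        return [d for d in yaml.safe_load_all(fh) if d]


# Constructed sample mirroring the page's generated policies, trimmed to a few rules.
SUPPORT_SA = "service-123456789012@gcp-sa-anthossupport.iam.gserviceaccount.com"
SAMPLE_DOCS = [
    {"kind": "ClusterRole", "metadata": {"name": "fleet-rrb-imp-actuation-gke-fleet-support-access"},
     "rules": [{"apiGroups": [""], "resourceNames": [SUPPORT_SA],
                "resources": ["users"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "fleet-rrb-imp-actuation-gke-fleet-support-access"},
     "subjects": [{"kind": "ServiceAccount", "name": "connect-agent-sa", "namespace": "gke-connect"}]},
    {"kind": "ClusterRole", "metadata": {"name": "fleet-rrb-actuation-gke-fleet-support-access"},
     "rules": [
         {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["networking.istio.io"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["*"], "resources": ["configmaps", "nodes", "pods", "pods/log"], "verbs": ["get", "list", "watch"]},
     ]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "fleet-rrb-actuation-gke-fleet-support-access"},
     "subjects": [{"kind": "User", "name": SUPPORT_SA}]},
]
# A hand-edited variant the audit must reject: a write verb and Secrets access.
BAD_DOCS = SAMPLE_DOCS + [{"kind": "ClusterRole", "metadata": {"name": "edited-by-hand"},
                           "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "delete"]}]}]

if __name__ == "__main__":
    import sys
    docs = load_rbac_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DOCS
    problems = audit_support_rbac(docs)
    print("\n".join(problems) if problems else "policy set is read-only and scoped as the page describes")
```

Run it as `python audit_rbac.py RBAC_OUTPUT_FILE` after get-yaml and again after any manual edits; apply only when it reports no findings.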
RBAC policies the command applies
Your project ID and project number appear in the output in place of {PROJECT-NUMBER}.
Google Distributed Cloud for VMware
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
  - ""
  resourceNames:
  - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
  resources:
  - users
  verbs:
  - impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
  name: connect-agent-sa
  namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
  - acme.cert-manager.io
  resources: [challenges, orders]
  verbs: [get, list, watch]
- apiGroups:
  - addons.gke.io
  resources: [metricsserver, monitoring, stackdrivers]
  verbs: [get, list, watch]
- apiGroups:
  - admissionregistration.k8s.io
  resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
  verbs: [get, list, watch]
- apiGroups:
  - anthos.gke.io
  resources: [entitlements, healthcheckjobs, healthchecks]
  verbs: [get, list, watch]
- apiGroups:
  - apiextensions.k8s.io
  resources: [customresourcedefinitions]
  verbs: [get, list, watch]
- apiGroups:
  - apiregistration.k8s.io
  resources: [apiservices]
  verbs: [get, list, watch]
- apiGroups:
  - apiserver.k8s.io
  resources: [flowschemas, prioritylevelconfigurations]
  verbs: [get, list, watch]
- apiGroups:
  - apps
  resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
  verbs: [get, list, watch]
- apiGroups:
  - apps.k8s.io
  resources: [applications]
  verbs: [get, list, watch]
- apiGroups:
  - authentication.gke.io
  resources: [clientconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - batch
  resources: [cronjobs, jobs]
  verbs: [get, list, watch]
- apiGroups:
  - bootstrap.cluster.x-k8s.io
  resources: [kubeadmconfigs, kubeadmconfigtemplates]
  verbs: [get, list, watch]
- apiGroups:
  - bundle.gke.io
  resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
  verbs: [get, list, watch]
- apiGroups:
  - bundleext.gke.io
  resources: [nodeconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - certificates.k8s.io
  resources: [certificatesigningrequests]
  verbs: [get, list, watch]
- apiGroups:
  - cert-manager.io
  resources: [certificaterequests, certificates, clusterissuers, issuers]
  verbs: [get, list, watch]
- apiGroups:
  - cilium.io
  resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
  verbs: [get, list, watch]
- apiGroups:
  - configmanagement.gke.io
  resources: [configmanagements]
  verbs: [get, list, watch]
- apiGroups:
  - config.gatekeeper.sh
  resources: [configs]
  verbs: [get, list, watch]
- apiGroups:
  - coordination.k8s.io
  resources: [leases]
  verbs: [get, list, watch]
- apiGroups:
  - cluster.k8s.io
  resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
  verbs: [get, list, watch]
- apiGroups:
  - cluster.x-k8s.io
  resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
  verbs: [get, list, watch]
- apiGroups:
  - clusterctl.cluster.x-k8s.io
  resources: [metadata, providers]
  verbs: [get, list, watch]
- apiGroups:
  - crd.projectcalico.org
  resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
  verbs: [get, list, watch]
- apiGroups:
  - discovery.k8s.io
  resources: [endpointslices]
  verbs: [get, list, watch]
- apiGroups:
  - expansion.gatekeeper.sh
  resources: [expansiontemplate]
  verbs: [get, list, watch]
- apiGroups:
  - extensions.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - gateway.networking.k8s.io
  resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
  verbs: [get, list, watch]
- apiGroups:
  - hub.gke.io
  resources: [memberships]
  verbs: [get, list, watch]
- apiGroups:
  - install.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - k8s.cni.cncf.io
  resources: [network-attachment-definitions]
  verbs: [get, list, watch]
- apiGroups:
  - mutations.gatekeeper.sh
  resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
  verbs: [get, list, watch]
- apiGroups:
  - networking.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - networking.k8s.io
  resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
  verbs: [get, list, watch]
- apiGroups:
  - node.k8s.io
  resources: [runtimeclasses]
  verbs: [get, list, watch]
- apiGroups:
  - policy
  resources: [poddisruptionbudgets, podsecuritypolicies]
  verbs: [get, list, watch]
- apiGroups:
  - rbac.authorization.k8s.io
  resources: [clusterroles, clusterrolebindings, roles, rolebindings]
  verbs: [get, list, watch]
- apiGroups:
  - security.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - storage.k8s.io
  resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
  verbs: [get, list, watch]
- apiGroups:
  - sriovnetwork.k8s.cni.cncf.io
  resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - status.gatekeeper.sh
  resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
  verbs: [get, list, watch]
- apiGroups:
  - telemetry.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - templates.gatekeeper.sh
  resources: [constrainttemplates]
  verbs: [get, list, watch]
- apiGroups:
  - vm.cluster.gke.io
  resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
  verbs: [get, list, watch]
- apiGroups:
  - '*'
  resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
  verbs: [get, list, watch]
- apiGroups:
  - onprem.cluster.gke.io
  resources: [onpremadminclusters, onpremnodepools, onpremuserclusters, validations, onpremplatforms, onprembundles, clusterstates]
  verbs: [get, list, watch]
- apiGroups:
  - vsphereproviderconfig.k8s.io
  resources: [vsphereclusterproviderconfigs, vspheremachineproviderconfigs]
  verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
  name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Google Distributed Cloud for Bare Metal
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
  - ""
  resourceNames:
  - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
  resources:
  - users
  verbs:
  - impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
  name: connect-agent-sa
  namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
  - acme.cert-manager.io
  resources: [challenges, orders]
  verbs: [get, list, watch]
- apiGroups:
  - addons.gke.io
  resources: [metricsserver, monitoring, stackdrivers]
  verbs: [get, list, watch]
- apiGroups:
  - admissionregistration.k8s.io
  resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
  verbs: [get, list, watch]
- apiGroups:
  - anthos.gke.io
  resources: [entitlements, healthcheckjobs, healthchecks]
  verbs: [get, list, watch]
- apiGroups:
  - apiextensions.k8s.io
  resources: [customresourcedefinitions]
  verbs: [get, list, watch]
- apiGroups:
  - apiregistration.k8s.io
  resources: [apiservices]
  verbs: [get, list, watch]
- apiGroups:
  - apiserver.k8s.io
  resources: [flowschemas, prioritylevelconfigurations]
  verbs: [get, list, watch]
- apiGroups:
  - apps
  resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
  verbs: [get, list, watch]
- apiGroups:
  - apps.k8s.io
  resources: [applications]
  verbs: [get, list, watch]
- apiGroups:
  - authentication.gke.io
  resources: [clientconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - batch
  resources: [cronjobs, jobs]
  verbs: [get, list, watch]
- apiGroups:
  - bootstrap.cluster.x-k8s.io
  resources: [kubeadmconfigs, kubeadmconfigtemplates]
  verbs: [get, list, watch]
- apiGroups:
  - bundle.gke.io
  resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
  verbs: [get, list, watch]
- apiGroups:
  - bundleext.gke.io
  resources: [nodeconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - certificates.k8s.io
  resources: [certificatesigningrequests]
  verbs: [get, list, watch]
- apiGroups:
  - cert-manager.io
  resources: [certificaterequests, certificates, clusterissuers, issuers]
  verbs: [get, list, watch]
- apiGroups:
  - cilium.io
  resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
  verbs: [get, list, watch]
- apiGroups:
  - configmanagement.gke.io
  resources: [configmanagements]
  verbs: [get, list, watch]
- apiGroups:
  - config.gatekeeper.sh
  resources: [configs]
  verbs: [get, list, watch]
- apiGroups:
  - coordination.k8s.io
  resources: [leases]
  verbs: [get, list, watch]
- apiGroups:
  - cluster.k8s.io
  resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
  verbs: [get, list, watch]
- apiGroups:
  - cluster.x-k8s.io
  resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
  verbs: [get, list, watch]
- apiGroups:
  - clusterctl.cluster.x-k8s.io
  resources: [metadata, providers]
  verbs: [get, list, watch]
- apiGroups:
  - crd.projectcalico.org
  resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
  verbs: [get, list, watch]
- apiGroups:
  - discovery.k8s.io
  resources: [endpointslices]
  verbs: [get, list, watch]
- apiGroups:
  - expansion.gatekeeper.sh
  resources: [expansiontemplate]
  verbs: [get, list, watch]
- apiGroups:
  - extensions.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - gateway.networking.k8s.io
  resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
  verbs: [get, list, watch]
- apiGroups:
  - hub.gke.io
  resources: [memberships]
  verbs: [get, list, watch]
- apiGroups:
  - install.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - k8s.cni.cncf.io
  resources: [network-attachment-definitions]
  verbs: [get, list, watch]
- apiGroups:
  - mutations.gatekeeper.sh
  resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
  verbs: [get, list, watch]
- apiGroups:
  - networking.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - networking.k8s.io
  resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
  verbs: [get, list, watch]
- apiGroups:
  - node.k8s.io
  resources: [runtimeclasses]
  verbs: [get, list, watch]
- apiGroups:
  - policy
  resources: [poddisruptionbudgets, podsecuritypolicies]
  verbs: [get, list, watch]
- apiGroups:
  - rbac.authorization.k8s.io
  resources: [clusterroles, clusterrolebindings, roles, rolebindings]
  verbs: [get, list, watch]
- apiGroups:
  - security.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - storage.k8s.io
  resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
  verbs: [get, list, watch]
- apiGroups:
  - sriovnetwork.k8s.cni.cncf.io
  resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - status.gatekeeper.sh
  resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
  verbs: [get, list, watch]
- apiGroups:
  - telemetry.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - templates.gatekeeper.sh
  resources: [constrainttemplates]
  verbs: [get, list, watch]
- apiGroups:
  - vm.cluster.gke.io
  resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
  verbs: [get, list, watch]
- apiGroups:
  - '*'
  resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
  verbs: [get, list, watch]
- apiGroups:
  - addon.baremetal.cluster.gke.io
  resources: [addonmanifests, addonoverrides, addons, addonsets, addonsettemplates]
  verbs: [get, list, watch]
- apiGroups:
  - baremetal.cluster.gke.io
  resources: [addonconfigurations, clustercidrconfigs, clustercredentials, clustermanifestdeployments, clusters, flatipmodes, healthchecks, inventorymachines, kubeletconfigs, machineclasses, machinecredentials, machines, nodepools, nodepoolclaims, nodeproblemdetectors, preflightchecks, secretforwarders]
  verbs: [get, list, watch]
- apiGroups:
  - infrastructure.baremetal.cluster.gke.io
  resources:
  - baremetalclusters
  - baremetalmachines
  verbs: [get, list, watch]
- apiGroups:
  - networking.baremetal.cluster.gke.io
  resources:
  - dpv2multinics
  verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
  name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
GKE attached clusters
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
  - ""
  resourceNames:
  - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
  resources:
  - users
  verbs:
  - impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
  name: connect-agent-sa
  namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
  - acme.cert-manager.io
  resources: [challenges, orders]
  verbs: [get, list, watch]
- apiGroups:
  - addons.gke.io
  resources: [metricsserver, monitoring, stackdrivers]
  verbs: [get, list, watch]
- apiGroups:
  - admissionregistration.k8s.io
  resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
  verbs: [get, list, watch]
- apiGroups:
  - anthos.gke.io
  resources: [entitlements, healthcheckjobs, healthchecks]
  verbs: [get, list, watch]
- apiGroups:
  - apiextensions.k8s.io
  resources: [customresourcedefinitions]
  verbs: [get, list, watch]
- apiGroups:
  - apiregistration.k8s.io
  resources: [apiservices]
  verbs: [get, list, watch]
- apiGroups:
  - apiserver.k8s.io
  resources: [flowschemas, prioritylevelconfigurations]
  verbs: [get, list, watch]
- apiGroups:
  - apps
  resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
  verbs: [get, list, watch]
- apiGroups:
  - apps.k8s.io
  resources: [applications]
  verbs: [get, list, watch]
- apiGroups:
  - authentication.gke.io
  resources: [clientconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - batch
  resources: [cronjobs, jobs]
  verbs: [get, list, watch]
- apiGroups:
  - bootstrap.cluster.x-k8s.io
  resources: [kubeadmconfigs, kubeadmconfigtemplates]
  verbs: [get, list, watch]
- apiGroups:
  - bundle.gke.io
  resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
  verbs: [get, list, watch]
- apiGroups:
  - bundleext.gke.io
  resources: [nodeconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - certificates.k8s.io
  resources: [certificatesigningrequests]
  verbs: [get, list, watch]
- apiGroups:
  - cert-manager.io
  resources: [certificaterequests, certificates, clusterissuers, issuers]
  verbs: [get, list, watch]
- apiGroups:
  - cilium.io
  resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
  verbs: [get, list, watch]
- apiGroups:
  - configmanagement.gke.io
  resources: [configmanagements]
  verbs: [get, list, watch]
- apiGroups:
  - config.gatekeeper.sh
  resources: [configs]
  verbs: [get, list, watch]
- apiGroups:
  - coordination.k8s.io
  resources: [leases]
  verbs: [get, list, watch]
- apiGroups:
  - cluster.k8s.io
  resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
  verbs: [get, list, watch]
- apiGroups:
  - cluster.x-k8s.io
  resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
  verbs: [get, list, watch]
- apiGroups:
  - clusterctl.cluster.x-k8s.io
  resources: [metadata, providers]
  verbs: [get, list, watch]
- apiGroups:
  - crd.projectcalico.org
  resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
  verbs: [get, list, watch]
- apiGroups:
  - discovery.k8s.io
  resources: [endpointslices]
  verbs: [get, list, watch]
- apiGroups:
  - expansion.gatekeeper.sh
  resources: [expansiontemplate]
  verbs: [get, list, watch]
- apiGroups:
  - extensions.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - gateway.networking.k8s.io
  resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
  verbs: [get, list, watch]
- apiGroups:
  - hub.gke.io
  resources: [memberships]
  verbs: [get, list, watch]
- apiGroups:
  - install.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - k8s.cni.cncf.io
  resources: [network-attachment-definitions]
  verbs: [get, list, watch]
- apiGroups:
  - mutations.gatekeeper.sh
  resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
  verbs: [get, list, watch]
- apiGroups:
  - networking.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - networking.k8s.io
  resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
  verbs: [get, list, watch]
- apiGroups:
  - node.k8s.io
  resources: [runtimeclasses]
  verbs: [get, list, watch]
- apiGroups:
  - policy
  resources: [poddisruptionbudgets, podsecuritypolicies]
  verbs: [get, list, watch]
- apiGroups:
  - rbac.authorization.k8s.io
  resources: [clusterroles, clusterrolebindings, roles, rolebindings]
  verbs: [get, list, watch]
- apiGroups:
  - security.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - storage.k8s.io
  resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
  verbs: [get, list, watch]
- apiGroups:
  - sriovnetwork.k8s.cni.cncf.io
  resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - status.gatekeeper.sh
  resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
  verbs: [get, list, watch]
- apiGroups:
  - telemetry.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - templates.gatekeeper.sh
  resources: [constrainttemplates]
  verbs: [get, list, watch]
- apiGroups:
  - vm.cluster.gke.io
  resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
  verbs: [get, list, watch]
- apiGroups:
  - '*'
  resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
  verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
  name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
GKE clusters
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
  - ""
  resourceNames:
  - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
  resources:
  - users
  verbs:
  - impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
  name: connect-agent-sa
  namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
  - acme.cert-manager.io
  resources: [challenges, orders]
  verbs: [get, list, watch]
- apiGroups:
  - addons.gke.io
  resources: [metricsserver, monitoring, stackdrivers]
  verbs: [get, list, watch]
- apiGroups:
  - admissionregistration.k8s.io
  resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
  verbs: [get, list, watch]
- apiGroups:
  - anthos.gke.io
  resources: [entitlements, healthcheckjobs, healthchecks]
  verbs: [get, list, watch]
- apiGroups:
  - apiextensions.k8s.io
  resources: [customresourcedefinitions]
  verbs: [get, list, watch]
- apiGroups:
  - apiregistration.k8s.io
  resources: [apiservices]
  verbs: [get, list, watch]
- apiGroups:
  - apiserver.k8s.io
  resources: [flowschemas, prioritylevelconfigurations]
  verbs: [get, list, watch]
- apiGroups:
  - apps
  resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
  verbs: [get, list, watch]
- apiGroups:
  - apps.k8s.io
  resources: [applications]
  verbs: [get, list, watch]
- apiGroups:
  - authentication.gke.io
  resources: [clientconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - batch
  resources: [cronjobs, jobs]
  verbs: [get, list, watch]
- apiGroups:
  - bootstrap.cluster.x-k8s.io
  resources: [kubeadmconfigs, kubeadmconfigtemplates]
  verbs: [get, list, watch]
- apiGroups:
  - bundle.gke.io
  resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
  verbs: [get, list, watch]
- apiGroups:
  - bundleext.gke.io
  resources: [nodeconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - certificates.k8s.io
  resources: [certificatesigningrequests]
  verbs: [get, list, watch]
- apiGroups:
  - cert-manager.io
  resources: [certificaterequests, certificates, clusterissuers, issuers]
  verbs: [get, list, watch]
- apiGroups:
  - cilium.io
  resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
  verbs: [get, list, watch]
- apiGroups:
  - configmanagement.gke.io
  resources: [configmanagements]
  verbs: [get, list, watch]
- apiGroups:
  - config.gatekeeper.sh
  resources: [configs]
  verbs: [get, list, watch]
- apiGroups:
  - coordination.k8s.io
  resources: [leases]
  verbs: [get, list, watch]
- apiGroups:
  - cluster.k8s.io
  resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
  verbs: [get, list, watch]
- apiGroups:
  - cluster.x-k8s.io
  resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
  verbs: [get, list, watch]
- apiGroups:
  - clusterctl.cluster.x-k8s.io
  resources: [metadata, providers]
  verbs: [get, list, watch]
- apiGroups:
  - crd.projectcalico.org
  resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
  verbs: [get, list, watch]
- apiGroups:
  - discovery.k8s.io
  resources: [endpointslices]
  verbs: [get, list, watch]
- apiGroups:
  - expansion.gatekeeper.sh
  resources: [expansiontemplate]
  verbs: [get, list, watch]
- apiGroups:
  - extensions.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - gateway.networking.k8s.io
  resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
  verbs: [get, list, watch]
- apiGroups:
  - hub.gke.io
  resources: [memberships]
  verbs: [get, list, watch]
- apiGroups:
  - install.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - k8s.cni.cncf.io
  resources: [network-attachment-definitions]
  verbs: [get, list, watch]
- apiGroups:
  - mutations.gatekeeper.sh
  resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
  verbs: [get, list, watch]
- apiGroups:
  - networking.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - networking.k8s.io
  resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
  verbs: [get, list, watch]
- apiGroups:
  - node.k8s.io
  resources: [runtimeclasses]
  verbs: [get, list, watch]
- apiGroups:
  - policy
  resources: [poddisruptionbudgets, podsecuritypolicies]
  verbs: [get, list, watch]
- apiGroups:
  - rbac.authorization.k8s.io
  resources: [clusterroles, clusterrolebindings, roles, rolebindings]
  verbs: [get, list, watch]
- apiGroups:
  - security.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - storage.k8s.io
  resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
  verbs: [get, list, watch]
- apiGroups:
  - sriovnetwork.k8s.cni.cncf.io
  resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
  verbs: [get, list, watch]
- apiGroups:
  - status.gatekeeper.sh
  resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
  verbs: [get, list, watch]
- apiGroups:
  - telemetry.istio.io
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups:
  - templates.gatekeeper.sh
  resources: [constrainttemplates]
  verbs: [get, list, watch]
- apiGroups:
  - vm.cluster.gke.io
  resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
  verbs: [get, list, watch]
- apiGroups:
  - '*'
  resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
  verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
  name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Audit Google Cloud support usage
The support team accesses your cluster using a dedicated, per-project Google Cloud service account, through the Connect gateway API. You can review all support activity using Cloud Audit Logs.
To review usage, enable Data Access audit logs and look for audit log entries whose caller identity is service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com. The resource that was accessed appears in the labels.k8s-request-path field of the audit log entry.
For more about viewing audit log data, see View Cloud Audit Logs.
To see the operations that appear in the Connect gateway audit log, see Audited operations.
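The review described above can be scripted: build the Logs Explorer filter for the per-project support identity, then summarize what the matching entries touched. This is an added example, not code from the Google Cloud documentation; the caller identity and the labels.k8s-request-path field come from this page, protoPayload.authenticationInfo.principalEmail is the standard Cloud Audit Logs location for the caller, and the sample entries, their overall layout and the 123456789012 project number are constructed for the demonstration.

```python
"""Review audit log entries for what the support identity did in a cluster.

Added example, not from the Google Cloud documentation. It builds the Cloud
Logging filter for the per-project support service account the page names and
summarizes matching entries by the Kubernetes request path the page says is
recorded in labels.k8s-request-path, flagging any path the read-only policy
should never reach (even a denied attempt is worth a look). The sample
entries below are constructed; only the two field names come from the page.
"""
import json
from collections import Counter

SUPPORT_SA_TEMPLATE = "service-{}@gcp-sa-anthossupport.iam.gserviceaccount.com"
# Request-path fragments that the generated read-only policy never permits.
NEVER_EXPECTED = ("/secrets", "/exec", "/attach", "/portforward", "/proxy")


def support_sa(project_number):
    return SUPPORT_SA_TEMPLATE.format(project_number)


def logging_filter(project_number):
    """Logs Explorer query for every call made by the support identity.

    Data Access audit logs must be enabled, as the page says, or nothing matches.
    """
    return (f'protoPayload.authenticationInfo.principalEmail="{support_sa(project_number)}"\n'
            'labels."k8s-request-path":*')


def summarize(entries, project_number):
    """Return (Counter of request paths, list of (timestamp, path) to investigate)."""
    who = support_sa(project_number)
    paths, flagged = Counter(), []
    for entry in entries:
        principal = (entry.get("protoPayload", {})
                          .get("authenticationInfo", {})
                          .get("principalEmail"))
        if principal != who:
            continue  # a human admin or another service, not the support identity
        path = entry.get("labels", {}).get("k8s-request-path", "<missing>")
        paths[path] += 1
        if any(marker in path for marker in NEVER_EXPECTED):
            flagged.append((entry.get("timestamp"), path))
    return paths, flagged


# Constructed sample: three calls by the support identity, one by a human admin.
SAMPLE_ENTRIES = json.loads("""[
 {"timestamp": "2024-05-01T10:00:00Z",
  "protoPayload": {"authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-anthossupport.iam.gserviceaccount.com"}},
  "labels": {"k8s-request-path": "/api/v1/pods"}},
 {"timestamp": "2024-05-01T10:01:00Z",
  "protoPayload": {"authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-anthossupport.iam.gserviceaccount.com"}},
  "labels": {"k8s-request-path": "/api/v1/namespaces/default/pods/example-app-0/log"}},
 {"timestamp": "2024-05-01T10:02:00Z",
  "protoPayload": {"authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-anthossupport.iam.gserviceaccount.com"}},
  "labels": {"k8s-request-path": "/api/v1/namespaces/default/secrets"}},
 {"timestamp": "2024-05-01T10:03:00Z",
  "protoPayload": {"authenticationInfo": {"principalEmail": "admin@example.com"}},
  "labels": {"k8s-request-path": "/api/v1/nodes"}}
]""")

if __name__ == "__main__":
    print(logging_filter("123456789012"))
    counts, suspicious = summarize(SAMPLE_ENTRIES, "123456789012")
    for path, n in counts.most_common():
        print(f"{n:3d}  {path}")
    for ts, path in suspicious:
        print(f"investigate: {ts} {path}")
```

To run it over real data, export the matching entries from Logs Explorer as JSON and pass that list to summarize() in place of SAMPLE_ENTRIES.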
FAQ
What data will Google have access to?
This process gives the Google Cloud support team read-only access to resources that contain no personally identifiable information.
This means that Google will not have access to sensitive personal data such as Secrets, tokens, and so on. In addition, the Google Cloud support team will not be able to run commands such as kubectl exec to get into Pods or nodes and interact directly with virtual machines or bare-metal machines.
The list of accessible resources is given in RBAC policies the command applies.
What changes can Google make to my cluster?
Because Google receives read-only permission, the Google Cloud support team cannot make changes to the cluster. If the support team has suggested actions to resolve the issue, the customer will be asked to run the mutating commands.
How long will Google have this access?
After the support case is closed, Google removes the support team's permission to access the cluster. You can also remove these permissions manually with the commands in Manage support access to the cluster.
How is the cluster accessed?
The Google Cloud support team uses the already enabled Connect gateway service to access the cluster. It cannot install new software on the cluster. For details, see Connect security features.
Why does Google need this access?
This access lets the Google Cloud support team understand the problem more easily, because it has real-time read-only access to the cluster's resources. It also reduces the back-and-forth communication needed, so the Google Cloud support team can triage and resolve issues much faster.
Where can I see which resources in the cluster were accessed?
You can review all Google Cloud support activity on the cluster using Cloud Audit Logs. See Audit Google Cloud support usage for instructions.