Google Cloud 外の登録済みクラスタで問題が発生し、お客様自身で解決できない場合は、問題をすばやく把握して優先順位を付けることができるように、クラスタへの読み取り専用アクセス権を Google Cloud サポートに付与するように求められる場合があります。このページでは、そうした情報を Google Cloud サポートと共有する方法について説明します。
このページは、サービスレベル目標(SLO)が達成されていない場合やアプリケーションで障害が発生した場合にアラートやページに対応し、デバッグして根本原因を見つける IT 管理者とオペレーターを対象としています。 Google Cloud のコンテンツで使用されている一般的なロールとタスクの例の詳細については、一般的な GKE ユーザーのロールとタスクをご覧ください。
このサポートフローでは、サポートケース用に専用の Google Cloud サービス アカウントが設定され、クラスタへの読み取り専用アクセス権が付与されます。サポートチームは問題の解決にあたって、このサービス アカウントで読み取り専用コマンドを実行し、Pod の一覧表示、コンテナ イメージを pull した結果の確認、ノードのステータスの検査などを行います。サポートチームがクラスタに変更を加えることはできません。
始める前に
- 次のコマンドライン ツールがインストールされていることを確認します。
- 最も古いバージョン
486.0.0を含む Google Cloud CLI。アクセスを有効にするために使用します。Google Cloud CLI をインストールする必要がある場合は、インストール ガイドをご覧ください。 kubectl。Kubernetes クラスタにコマンドを実行するために使用します。kubectlをインストールする必要がある場合は、インストール ガイドをご覧ください。
- 最も古いバージョン
- プロジェクトで使用する gcloud CLI が初期化されていることを確認します。
- トラブルシューティングが必要なクラスタがプロジェクト フリートに登録されていることを確認します。クラスタの登録状況を確認するには、
gcloud container fleet memberships listを実行します(またはgcloud container fleet memberships describe MEMBERSHIP_NAMEを実行します。ここで、MEMBERSHIP_NAME はクラスタの一意の名前にします)。 - プロジェクトで
gkehub.rbacrolebindings.create権限があることを確認します。この権限は、gkehub.editorロールとgkehub.adminロールに含まれています。サポートへのアクセスを有効にするには、この権限が必要です。 - プロジェクトの
connectgateway.googleapis.comが有効になっていることを確認します。プロジェクト オーナーでない場合、この操作を行うにはserviceusage.services.enable権限が付与されている必要があります。
クラスタに対するサポート アクセスを管理する
クラスタに対するサポート アクセスを有効にするには、gcloud コマンドを実行して、一連の読み取り専用の Kubernetes ロールベース アクセス制御(RBAC)ポリシーをターゲット クラスタに伝播します。このコマンドが正常に実行されるまで、サポートチームはクラスタを確認できません。コマンドで適用する RBAC ポリシーを確認するには、RBAC ポリシーを事前に確認するをご覧ください。
クラスタのサポート アクセスを有効にするには、次のコマンドを実行します。
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # generate RBAC to enable access gcloud container fleet memberships support-access enable MEMBERSHIP_NAME \ --project=PROJECT_ID # verify the access is enabled gcloud container fleet memberships support-access describe MEMBERSHIP_NAME \ --project=PROJECT_ID
次のように置き換えます。
- MEMBERSHIP_NAME: そのフリートでクラスタを一意に表すために使用される名前。クラスタのメンバーシップ名を確認する方法については、フリートのメンバーシップ登録状況を取得するをご覧ください。
- PROJECT_ID: クラスタが登録されているプロジェクト ID。
サポートケースの終了後、サポートチームはクラスタへのアクセス権限を削除します。次のコマンドを実行して、クラスタにアクセスするための Google の権限を手動で削除することもできます。
gcloud container fleet memberships support-access disable MEMBERSHIP_NAME \ --project=PROJECT_ID
RBAC ポリシーを事前に確認する
指定された RBAC ポリシーは、ファイルに出力してからプレビューし、ポリシールールのリソースリストをカスタマイズして、次のコマンドでクラスタに直接適用することもできます。
# enable Connect Gateway API gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID # display RBAC policies but don't apply them gcloud container fleet memberships support-access get-yaml MEMBERSHIP_NAME \ --project=PROJECT_ID \ --rbac-output-file=RBAC_OUTPUT_FILE # directly apply the modified policies to the cluster kubectl apply -f RBAC_OUTPUT_FILE
コマンドによって適用される RBAC ポリシー
出力には、{PROJECT-NUMBER} ではなく、プロジェクト ID とプロジェクト番号が表示されます。
VMware 用 Google Distributed Cloud
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
- apiGroups:
- onprem.cluster.gke.io
resources: [onpremadminclusters, onpremnodepools, onpremuserclusters, validations, onpremplatforms, onprembundles, clusterstates]
verbs: [get, list, watch]
- apiGroups:
- vsphereproviderconfig.k8s.io
resources: [vsphereclusterproviderconfigs, vspheremachineproviderconfigs]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
ベアメタル用 Google Distributed Cloud
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
- apiGroups:
- addon.baremetal.cluster.gke.io
resources: [addonmanifests, addonoverrides, addons, addonsets, addonsettemplates]
verbs: [get, list, watch]
- apiGroups:
- baremetal.cluster.gke.io
resources: [addonconfigurations, clustercidrconfigs, clustercredentials, clustermanifestdeployments, clusters, flatipmodes, healthchecks, inventorymachines, kubeletconfigs, machineclasses, machinecredentials, machines, nodepools, nodepoolclaims, nodeproblemdetectors, preflightchecks, secretforwarders]
verbs: [get, list, watch]
- apiGroups:
- infrastructure.baremetal.cluster.gke.io
resources:
- baremetalclusters
- baremetalmachines
verbs: [get, list, watch]
- apiGroups:
- networking.baremetal.cluster.gke.io
resources:
- dpv2multinics
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
GKE 接続クラスタ
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
GKE クラスタ
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
rules:
- apiGroups:
- ""
resourceNames:
- service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
resources:
- users
verbs:
- impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-imp-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-imp-actuation-gke-fleet-support-access
subjects:
- kind: ServiceAccount
name: connect-agent-sa
namespace: gke-connect
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
rules:
- apiGroups:
- acme.cert-manager.io
resources: [challenges, orders]
verbs: [get, list, watch]
- apiGroups:
- addons.gke.io
resources:[metricsserver, monitoring, stackdrivers]
verbs: [get, list, watch]
- apiGroups:
- admissionregistration.k8s.io
resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
verbs: [get, list, watch]
- apiGroups:
- anthos.gke.io
resources: [entitlements, healthcheckjobs, healthchecks]
verbs: [get, list, watch]
- apiGroups:
- apiextensions.k8s.io
resources: [customresourcedefinitions]
verbs: [get, list, watch]
- apiGroups:
- apiregistration.k8s.io
resources: [apiservices]
verbs: [get, list, watch]
- apiGroups:
- apiserver.k8s.io
resources: [flowschemas, prioritylevelconfigurations]
verbs: [get, list, watch]
- apiGroups:
- apps
resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
verbs: [get, list, watch]
- apiGroups:
- apps.k8s.io
resources: [applications]
verbs: [get, list, watch]
- apiGroups:
- authentication.gke.io
resources: [clientconfigs]
verbs: [get, list, watch]
- apiGroups:
- batch
resources: [cronjobs, jobs]
verbs: [get, list, watch]
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources: [kubeadmconfigs, kubeadmconfigtemplates]
verbs: [get, list, watch]
- apiGroups:
- bundle.gke.io
resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
verbs: [get, list, watch]
- apiGroups:
- bundleext.gke.io
resources: [nodeconfigs]
verbs: [get, list, watch]
- apiGroups:
- certificates.k8s.io
resources: [certificatesigningrequests]
verbs: [get, list, watch]
- apiGroups:
- cert-manager.io
resources: [certificaterequests, certificates, clusterissuers, issuers]
verbs: [get, list, watch]
- apiGroups:
- cilium.io
resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
verbs: [get, list, watch]
- apiGroups:
- configmanagement.gke.io
resources: [configmanagements]
verbs: [get, list, watch]
- apiGroups:
- config.gatekeeper.sh
resources: [configs]
verbs: [get, list, watch]
- apiGroups:
- coordination.k8s.io
resources: [leases]
verbs: [get, list, watch]
- apiGroups:
- cluster.k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- cluster.x-k8s.io
resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
verbs: [get, list, watch]
- apiGroups:
- clusterctl.cluster.x-k8s.io
resources: [metadata, providers]
verbs: [get, list, watch]
- apiGroups:
- crd.projectcalico.org
resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
verbs: [get, list, watch]
- apiGroups:
- discovery.k8s.io
resources: [endpointslices]
verbs: [get, list, watch]
- apiGroups:
- expansion.gatekeeper.sh
resources: [expansiontemplate]
verbs: [get, list, watch]
- apiGroups:
- extensions.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- gateway.networking.k8s.io
resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
verbs: [get, list, watch]
- apiGroups:
- hub.gke.io
resources: [memberships]
verbs: [get, list, watch]
- apiGroups:
- install.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- k8s.cni.cncf.io
resources: [network-attachment-definitions]
verbs: [get, list, watch]
- apiGroups:
- mutations.gatekeeper.sh
resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
verbs: [get, list, watch]
- apiGroups:
- networking.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- networking.k8s.io
resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
verbs: [get, list, watch]
- apiGroups:
- node.k8s.io
resources: [runtimeclasses]
verbs: [get, list, watch]
- apiGroups:
- policy
resources: [poddisruptionbudgets, podsecuritypolicies]
verbs: [get, list, watch]
- apiGroups:
- rbac.authorization.k8s.io
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, watch]
- apiGroups:
- security.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- storage.k8s.io
resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
verbs: [get, list, watch]
- apiGroups:
- sriovnetwork.k8s.cni.cncf.io
resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
verbs: [get, list, watch]
- apiGroups:
- status.gatekeeper.sh
resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
verbs: [get, list, watch]
- apiGroups:
- telemetry.istio.io
resources: [*]
verbs: [get, list, watch]
- apiGroups:
- templates.gatekeeper.sh
resources: [constrainttemplates]
verbs: [get, list, watch]
- apiGroups:
- vm.cluster.gke.io
resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
verbs: [get, list, watch]
- apiGroups:
- '*'
resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: fleet-rrb-actuation-gke-fleet-support-access
roleRef:
apiGroup: ""
kind: ClusterRole
name: fleet-rrb-actuation-gke-fleet-support-access
subjects:
- kind: User
name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
Google Cloud サポートの使用状況を確認する
サポートチームは、Connect Gateway API を介し、プロジェクトごとに専用の Google Cloud サービス アカウントを使用してクラスタにアクセスします。すべてのサポート アクティビティは、Cloud Audit Logs を使用して監査できます。
使用状況を確認するには、データアクセス監査ログを有効にして、呼び出し元の ID が service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com に設定されている監査ログを探します。監査ログの labels.k8s-request-path フィールドにアクセスされたリソースが表示されます。
この監査ログデータの表示方法については、Cloud Audit Logs の表示をご覧ください。
Connect Gateway の使用可能な監査ログ オペレーションを表示するには、監査対象のオペレーションをご覧ください。
よくある質問
Google はどのような情報にアクセスできますか?
このフローでは、 Google Cloud サポートに個人情報を除くリソースへの読み取り専用アクセス権が付与されます。シークレットやトークンなどの機密データにはアクセスできません。また、 Google Cloud サポートが kubectl exec などのコマンドを実行して、Pod やノードにシェル接続し、基盤となる VM / マシンと直接対話することはできません。アクセス可能なリソースのリストについては、こちらをご覧ください。
Google はクラスタにどのような変更を行うことができますか?
Google には読み取り専用アクセス権が付与され、 Google Cloud サポートがクラスタを変更することはできません。 Google Cloud サポートで問題を解決するために推奨されるアクションが判明した場合は、お客様がミューテーション コマンドを実行するように求められます。
Google がこのアクセス権を保持する期間はどのくらいですか?
サポートケースの終了後、サポートチームはクラスタへのアクセス権限を削除します。こちらのコマンドを使用して、これらの権限を手動で削除することもできます。
Google Cloud サポートは、どのようにクラスタにアクセスしますか?
Google Cloud サポートは、すでに有効になっている Connect Gateway サービスを使用してクラスタにアクセスします。クラスタに新しいソフトウェアはインストールされません。詳しくは、Connect のセキュリティ機能をご覧ください。
Google がこのアクセスを必要とするのはなぜですか?
Google Cloud サポートがクラスタ リソースへのリアルタイムの読み取り専用アクセス権を得ることで、問題を簡単に把握できるようになります。さらに、何度もやり取りする必要がなくなるため、 Google Cloud サポートがより迅速に問題を切り分け、解決できるようになります。
クラスタ内でアクセスされたリソースを確認するには、どうすればよいですか?
Google Cloud サポートによるクラスタに対するアクティビティはすべて Cloud Audit Logs で確認できます。手順については、こちらをご覧ください。