遠端 GKE Enterprise 叢集支援

如果註冊的叢集發生問題,且您無法自行解決,支援團隊可能會要求您授予叢集的唯讀存取權,協助他們瞭解問題並加快分類速度。 Google Cloud Google Cloud 本頁說明如何將這項資訊提供給 Google Cloud 支援團隊。

本頁面適用於 IT 管理員和運算子,他們會在服務等級目標 (SLO) 未達成或應用程式發生故障時,負責回應快訊和頁面,並進行偵錯以找出根本原因。如要進一步瞭解內容中提及的常見角色和範例工作,請參閱「常見的 GKE Enterprise 使用者角色和工作」。 Google Cloud

在這個支援流程中,系統會為您的支援案件設定專屬 Google Cloud 服務帳戶,並授予叢集的唯讀存取權。支援團隊隨後就能使用這個服務帳戶執行唯讀指令,列出 Pod、容器映像檔提取作業的成功/失敗狀態、檢查節點狀態等,協助解決問題。支援團隊無法對叢集進行任何變更。

事前準備

  • 確認您已安裝下列指令列工具:
    • Google Cloud CLI,且版本不低於 486.0.0,可啟用存取權。如需安裝 Google Cloud CLI,請參閱安裝指南
    • kubectl,可對 Kubernetes 叢集執行指令。如需安裝 kubectl,請參閱安裝指南
  • 確認您已初始化 gcloud CLI,以便搭配專案使用。
  • 請確認需要排解問題的叢集已註冊至專案機群。如要確認叢集已註冊,請執行 gcloud container fleet memberships list (或 gcloud container fleet memberships describe MEMBERSHIP_NAME,其中 MEMBERSHIP_NAME 是叢集的專屬名稱)。
  • 請確認您在專案中具備 gkehub.rbacrolebindings.create 權限。gkehub.editorgkehub.admin 角色都具備這項權限。這是啟用支援存取權的必要條件。
  • 請確認您已為專案啟用 connectgateway.googleapis.com。如要這麼做,如果您不是專案擁有者,必須獲得 serviceusage.services.enable 權限。

管理叢集的支援存取權

如要為叢集啟用支援存取權,請執行 gcloud 指令,將一組 Kubernetes 唯讀角色型存取權控管 (RBAC) 政策傳播至目標叢集。您必須成功執行這項指令,支援團隊才能查看叢集。如要查看指令套用的 RBAC 政策,請參閱「預先查看 RBAC 政策」。

如要為叢集啟用支援存取權,請執行下列指令:

# enable Connect Gateway API
gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID

# generate RBAC to enable access
gcloud container fleet memberships support-access enable MEMBERSHIP_NAME \
    --project=PROJECT_ID

# verify the access is enabled
gcloud container fleet memberships support-access describe MEMBERSHIP_NAME \
    --project=PROJECT_ID

更改下列內容:

  • MEMBERSHIP_NAME:用於在車隊中以專屬方式代表叢集的名稱。如要瞭解如何查看叢集的成員名稱,請參閱「取得機群成員狀態」。
  • PROJECT_ID:叢集註冊的專案 ID。

支援案件結案後,Google 會移除支援團隊的叢集存取權。您也可以執行下列指令,手動移除 Google 的叢集存取權:

gcloud container fleet memberships support-access disable MEMBERSHIP_NAME \
    --project=PROJECT_ID

預先查看 RBAC 政策

您也可以將建議的 RBAC 政策輸出至檔案以供預覽、自訂政策規則中的資源清單,並使用下列指令直接套用至叢集:

# enable Connect Gateway API
gcloud services enable connectgateway.googleapis.com --project=PROJECT_ID

# display RBAC policies but don't apply them
gcloud container fleet memberships support-access get-yaml MEMBERSHIP_NAME \
    --project=PROJECT_ID \
    --rbac-output-file=RBAC_OUTPUT_FILE

# directly apply the modified policies to the cluster
kubectl apply -f RBAC_OUTPUT_FILE

指令套用的 RBAC 政策

輸出內容會顯示專案 ID 和專案編號,而不是 {PROJECT-NUMBER}

適用於 VMware 的 Google Distributed Cloud

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - ""
        resourceNames:
        - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
        resources:
        - users
        verbs:
        - impersonate
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      subjects:
      - kind: ServiceAccount
        name: connect-agent-sa
        namespace: gke-connect
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - acme.cert-manager.io
        resources: [challenges, orders]
        verbs: [get, list, watch]
      - apiGroups:
        - addons.gke.io
        resources:[metricsserver, monitoring, stackdrivers]
        verbs: [get, list, watch]
      - apiGroups:
        - admissionregistration.k8s.io
        resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - anthos.gke.io
        resources: [entitlements, healthcheckjobs, healthchecks]
        verbs: [get, list, watch]
      - apiGroups:
        - apiextensions.k8s.io
        resources: [customresourcedefinitions]
        verbs: [get, list, watch]
      - apiGroups:
        - apiregistration.k8s.io
        resources: [apiservices]
        verbs: [get, list, watch]
      - apiGroups:
        - apiserver.k8s.io
        resources: [flowschemas, prioritylevelconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - apps
        resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
        verbs: [get, list, watch]
      - apiGroups:
        - apps.k8s.io
        resources: [applications]
        verbs: [get, list, watch]
      - apiGroups:
        - authentication.gke.io
        resources: [clientconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - batch
        resources: [cronjobs, jobs]
        verbs: [get, list, watch]
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        resources: [kubeadmconfigs, kubeadmconfigtemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - bundle.gke.io
        resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
        verbs: [get, list, watch]
      - apiGroups:
        - bundleext.gke.io
        resources: [nodeconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - certificates.k8s.io
        resources: [certificatesigningrequests]
        verbs: [get, list, watch]
      - apiGroups:
        - cert-manager.io
        resources: [certificaterequests, certificates, clusterissuers, issuers]
        verbs: [get, list, watch]
      - apiGroups:
        - cilium.io
        resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
        verbs: [get, list, watch]
      - apiGroups:
        - configmanagement.gke.io
        resources: [configmanagements]
        verbs: [get, list, watch]
      - apiGroups:
        - config.gatekeeper.sh
        resources: [configs]
        verbs: [get, list, watch]
      - apiGroups:
        - coordination.k8s.io
        resources: [leases]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.x-k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - clusterctl.cluster.x-k8s.io
        resources: [metadata, providers]
        verbs: [get, list, watch]
      - apiGroups:
        - crd.projectcalico.org
        resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
        verbs: [get, list, watch]
      - apiGroups:
        - discovery.k8s.io
        resources: [endpointslices]
        verbs: [get, list, watch]
      - apiGroups:
        - expansion.gatekeeper.sh
        resources: [expansiontemplate]
        verbs: [get, list, watch]
      - apiGroups:
        - extensions.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - gateway.networking.k8s.io
        resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
        verbs: [get, list, watch]
      - apiGroups:
        - hub.gke.io
        resources: [memberships]
        verbs: [get, list, watch]
      - apiGroups:
        - install.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - k8s.cni.cncf.io
        resources: [network-attachment-definitions]
        verbs: [get, list, watch]
      - apiGroups:
        - mutations.gatekeeper.sh
        resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.k8s.io
        resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
        verbs: [get, list, watch]
      - apiGroups:
        - node.k8s.io
        resources: [runtimeclasses]
        verbs: [get, list, watch]
      - apiGroups:
        - policy
        resources: [poddisruptionbudgets, podsecuritypolicies]
        verbs: [get, list, watch]
      - apiGroups:
        - rbac.authorization.k8s.io
        resources: [clusterroles, clusterrolebindings, roles, rolebindings]
        verbs: [get, list, watch]
      - apiGroups:
        - security.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - storage.k8s.io
        resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
        verbs: [get, list, watch]
      - apiGroups:
        - sriovnetwork.k8s.cni.cncf.io
        resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - status.gatekeeper.sh
        resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - telemetry.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - templates.gatekeeper.sh
        resources: [constrainttemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - vm.cluster.gke.io
        resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
        verbs: [get, list, watch]
      - apiGroups:
        - '*'
        resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
        verbs: [get, list, watch]
      - apiGroups:
        - onprem.cluster.gke.io
        resources: [onpremadminclusters, onpremnodepools, onpremuserclusters, validations, onpremplatforms, onprembundles, clusterstates]
        verbs: [get, list, watch]
      - apiGroups:
        - vsphereproviderconfig.k8s.io
        resources: [vsphereclusterproviderconfigs, vspheremachineproviderconfigs]
        verbs: [get, list, watch]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-actuation-gke-fleet-support-access
      subjects:
      - kind: User
        name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
      

Google Distributed Cloud for Bare Metal

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - ""
        resourceNames:
        - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
        resources:
        - users
        verbs:
        - impersonate
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      subjects:
      - kind: ServiceAccount
        name: connect-agent-sa
        namespace: gke-connect
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - acme.cert-manager.io
        resources: [challenges, orders]
        verbs: [get, list, watch]
      - apiGroups:
        - addons.gke.io
        resources:[metricsserver, monitoring, stackdrivers]
        verbs: [get, list, watch]
      - apiGroups:
        - admissionregistration.k8s.io
        resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - anthos.gke.io
        resources: [entitlements, healthcheckjobs, healthchecks]
        verbs: [get, list, watch]
      - apiGroups:
        - apiextensions.k8s.io
        resources: [customresourcedefinitions]
        verbs: [get, list, watch]
      - apiGroups:
        - apiregistration.k8s.io
        resources: [apiservices]
        verbs: [get, list, watch]
      - apiGroups:
        - apiserver.k8s.io
        resources: [flowschemas, prioritylevelconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - apps
        resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
        verbs: [get, list, watch]
      - apiGroups:
        - apps.k8s.io
        resources: [applications]
        verbs: [get, list, watch]
      - apiGroups:
        - authentication.gke.io
        resources: [clientconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - batch
        resources: [cronjobs, jobs]
        verbs: [get, list, watch]
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        resources: [kubeadmconfigs, kubeadmconfigtemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - bundle.gke.io
        resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
        verbs: [get, list, watch]
      - apiGroups:
        - bundleext.gke.io
        resources: [nodeconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - certificates.k8s.io
        resources: [certificatesigningrequests]
        verbs: [get, list, watch]
      - apiGroups:
        - cert-manager.io
        resources: [certificaterequests, certificates, clusterissuers, issuers]
        verbs: [get, list, watch]
      - apiGroups:
        - cilium.io
        resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
        verbs: [get, list, watch]
      - apiGroups:
        - configmanagement.gke.io
        resources: [configmanagements]
        verbs: [get, list, watch]
      - apiGroups:
        - config.gatekeeper.sh
        resources: [configs]
        verbs: [get, list, watch]
      - apiGroups:
        - coordination.k8s.io
        resources: [leases]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.x-k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - clusterctl.cluster.x-k8s.io
        resources: [metadata, providers]
        verbs: [get, list, watch]
      - apiGroups:
        - crd.projectcalico.org
        resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
        verbs: [get, list, watch]
      - apiGroups:
        - discovery.k8s.io
        resources: [endpointslices]
        verbs: [get, list, watch]
      - apiGroups:
        - expansion.gatekeeper.sh
        resources: [expansiontemplate]
        verbs: [get, list, watch]
      - apiGroups:
        - extensions.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - gateway.networking.k8s.io
        resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
        verbs: [get, list, watch]
      - apiGroups:
        - hub.gke.io
        resources: [memberships]
        verbs: [get, list, watch]
      - apiGroups:
        - install.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - k8s.cni.cncf.io
        resources: [network-attachment-definitions]
        verbs: [get, list, watch]
      - apiGroups:
        - mutations.gatekeeper.sh
        resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.k8s.io
        resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
        verbs: [get, list, watch]
      - apiGroups:
        - node.k8s.io
        resources: [runtimeclasses]
        verbs: [get, list, watch]
      - apiGroups:
        - policy
        resources: [poddisruptionbudgets, podsecuritypolicies]
        verbs: [get, list, watch]
      - apiGroups:
        - rbac.authorization.k8s.io
        resources: [clusterroles, clusterrolebindings, roles, rolebindings]
        verbs: [get, list, watch]
      - apiGroups:
        - security.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - storage.k8s.io
        resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
        verbs: [get, list, watch]
      - apiGroups:
        - sriovnetwork.k8s.cni.cncf.io
        resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - status.gatekeeper.sh
        resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - telemetry.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - templates.gatekeeper.sh
        resources: [constrainttemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - vm.cluster.gke.io
        resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
        verbs: [get, list, watch]
      - apiGroups:
        - '*'
        resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
        verbs: [get, list, watch]
      - apiGroups:
        - addon.baremetal.cluster.gke.io
        resources: [addonmanifests, addonoverrides, addons, addonsets, addonsettemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - baremetal.cluster.gke.io
        resources: [addonconfigurations, clustercidrconfigs, clustercredentials, clustermanifestdeployments, clusters, flatipmodes, healthchecks, inventorymachines, kubeletconfigs, machineclasses, machinecredentials, machines, nodepools, nodepoolclaims, nodeproblemdetectors, preflightchecks, secretforwarders]
        verbs: [get, list, watch]
      - apiGroups:
        - infrastructure.baremetal.cluster.gke.io
        resources:
        - baremetalclusters
        - baremetalmachines
        verbs: [get, list, watch]
      - apiGroups:
        - networking.baremetal.cluster.gke.io
        resources:
        - dpv2multinics
        verbs: [get, list, watch]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-actuation-gke-fleet-support-access
      subjects:
      - kind: User
        name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
      

GKE 附加叢集

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - ""
        resourceNames:
        - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
        resources:
        - users
        verbs:
        - impersonate
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      subjects:
      - kind: ServiceAccount
        name: connect-agent-sa
        namespace: gke-connect
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - acme.cert-manager.io
        resources: [challenges, orders]
        verbs: [get, list, watch]
      - apiGroups:
        - addons.gke.io
        resources:[metricsserver, monitoring, stackdrivers]
        verbs: [get, list, watch]
      - apiGroups:
        - admissionregistration.k8s.io
        resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - anthos.gke.io
        resources: [entitlements, healthcheckjobs, healthchecks]
        verbs: [get, list, watch]
      - apiGroups:
        - apiextensions.k8s.io
        resources: [customresourcedefinitions]
        verbs: [get, list, watch]
      - apiGroups:
        - apiregistration.k8s.io
        resources: [apiservices]
        verbs: [get, list, watch]
      - apiGroups:
        - apiserver.k8s.io
        resources: [flowschemas, prioritylevelconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - apps
        resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
        verbs: [get, list, watch]
      - apiGroups:
        - apps.k8s.io
        resources: [applications]
        verbs: [get, list, watch]
      - apiGroups:
        - authentication.gke.io
        resources: [clientconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - batch
        resources: [cronjobs, jobs]
        verbs: [get, list, watch]
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        resources: [kubeadmconfigs, kubeadmconfigtemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - bundle.gke.io
        resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
        verbs: [get, list, watch]
      - apiGroups:
        - bundleext.gke.io
        resources: [nodeconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - certificates.k8s.io
        resources: [certificatesigningrequests]
        verbs: [get, list, watch]
      - apiGroups:
        - cert-manager.io
        resources: [certificaterequests, certificates, clusterissuers, issuers]
        verbs: [get, list, watch]
      - apiGroups:
        - cilium.io
        resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
        verbs: [get, list, watch]
      - apiGroups:
        - configmanagement.gke.io
        resources: [configmanagements]
        verbs: [get, list, watch]
      - apiGroups:
        - config.gatekeeper.sh
        resources: [configs]
        verbs: [get, list, watch]
      - apiGroups:
        - coordination.k8s.io
        resources: [leases]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.x-k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - clusterctl.cluster.x-k8s.io
        resources: [metadata, providers]
        verbs: [get, list, watch]
      - apiGroups:
        - crd.projectcalico.org
        resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
        verbs: [get, list, watch]
      - apiGroups:
        - discovery.k8s.io
        resources: [endpointslices]
        verbs: [get, list, watch]
      - apiGroups:
        - expansion.gatekeeper.sh
        resources: [expansiontemplate]
        verbs: [get, list, watch]
      - apiGroups:
        - extensions.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - gateway.networking.k8s.io
        resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
        verbs: [get, list, watch]
      - apiGroups:
        - hub.gke.io
        resources: [memberships]
        verbs: [get, list, watch]
      - apiGroups:
        - install.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - k8s.cni.cncf.io
        resources: [network-attachment-definitions]
        verbs: [get, list, watch]
      - apiGroups:
        - mutations.gatekeeper.sh
        resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.k8s.io
        resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
        verbs: [get, list, watch]
      - apiGroups:
        - node.k8s.io
        resources: [runtimeclasses]
        verbs: [get, list, watch]
      - apiGroups:
        - policy
        resources: [poddisruptionbudgets, podsecuritypolicies]
        verbs: [get, list, watch]
      - apiGroups:
        - rbac.authorization.k8s.io
        resources: [clusterroles, clusterrolebindings, roles, rolebindings]
        verbs: [get, list, watch]
      - apiGroups:
        - security.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - storage.k8s.io
        resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
        verbs: [get, list, watch]
      - apiGroups:
        - sriovnetwork.k8s.cni.cncf.io
        resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - status.gatekeeper.sh
        resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - telemetry.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - templates.gatekeeper.sh
        resources: [constrainttemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - vm.cluster.gke.io
        resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
        verbs: [get, list, watch]
      - apiGroups:
        - '*'
        resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
        verbs: [get, list, watch]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-actuation-gke-fleet-support-access
      subjects:
      - kind: User
        name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
      

GKE 叢集

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - ""
        resourceNames:
        - service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
        resources:
        - users
        verbs:
        - impersonate
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-imp-actuation-gke-fleet-support-access
      subjects:
      - kind: ServiceAccount
        name: connect-agent-sa
        namespace: gke-connect
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      rules:
      - apiGroups:
        - acme.cert-manager.io
        resources: [challenges, orders]
        verbs: [get, list, watch]
      - apiGroups:
        - addons.gke.io
        resources:[metricsserver, monitoring, stackdrivers]
        verbs: [get, list, watch]
      - apiGroups:
        - admissionregistration.k8s.io
        resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - anthos.gke.io
        resources: [entitlements, healthcheckjobs, healthchecks]
        verbs: [get, list, watch]
      - apiGroups:
        - apiextensions.k8s.io
        resources: [customresourcedefinitions]
        verbs: [get, list, watch]
      - apiGroups:
        - apiregistration.k8s.io
        resources: [apiservices]
        verbs: [get, list, watch]
      - apiGroups:
        - apiserver.k8s.io
        resources: [flowschemas, prioritylevelconfigurations]
        verbs: [get, list, watch]
      - apiGroups:
        - apps
        resources: [controllerrevisions, daemonsets, deployments, replicasets, statefulset]
        verbs: [get, list, watch]
      - apiGroups:
        - apps.k8s.io
        resources: [applications]
        verbs: [get, list, watch]
      - apiGroups:
        - authentication.gke.io
        resources: [clientconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - batch
        resources: [cronjobs, jobs]
        verbs: [get, list, watch]
      - apiGroups:
        - bootstrap.cluster.x-k8s.io
        resources: [kubeadmconfigs, kubeadmconfigtemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - bundle.gke.io
        resources: [bundlebuilders, bundles, clusterbundles, componentbuilders, componentlists, components, componentsets, gkeonprembundles, packagedeploymentclasses, packagedeployments, patchtemplatebuilders, patchtemplates, requirements]
        verbs: [get, list, watch]
      - apiGroups:
        - bundleext.gke.io
        resources: [nodeconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - certificates.k8s.io
        resources: [certificatesigningrequests]
        verbs: [get, list, watch]
      - apiGroups:
        - cert-manager.io
        resources: [certificaterequests, certificates, clusterissuers, issuers]
        verbs: [get, list, watch]
      - apiGroups:
        - cilium.io
        resources: [ciliumnodes, ciliumendpoints, ciliumidentities, ciliumegressnatpolicies, ciliumexternalworkloads]
        verbs: [get, list, watch]
      - apiGroups:
        - configmanagement.gke.io
        resources: [configmanagements]
        verbs: [get, list, watch]
      - apiGroups:
        - config.gatekeeper.sh
        resources: [configs]
        verbs: [get, list, watch]
      - apiGroups:
        - coordination.k8s.io
        resources: [leases]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - cluster.x-k8s.io
        resources: [clusters, controlplanes, machineclasses, machinedeployments, machinehealthchecks, machines, machinesets]
        verbs: [get, list, watch]
      - apiGroups:
        - clusterctl.cluster.x-k8s.io
        resources: [metadata, providers]
        verbs: [get, list, watch]
      - apiGroups:
        - crd.projectcalico.org
        resources: [bgpconfigurations, bgppeers, blockaffinities, clusterinformations, felixconfigurations, globalnetworkpolicies, globalnetworksets, hostendpoints, ipamblocks, ipamconfigs, ipamhandles, ippools, networkpolicies, networksets, vpntunnels]
        verbs: [get, list, watch]
      - apiGroups:
        - discovery.k8s.io
        resources: [endpointslices]
        verbs: [get, list, watch]
      - apiGroups:
        - expansion.gatekeeper.sh
        resources: [expansiontemplate]
        verbs: [get, list, watch]
      - apiGroups:
        - extensions.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - gateway.networking.k8s.io
        resources: [gatewayclasses, gateways, grpcroutes, httproutes, referencegrants, tcproutes, tlsroutes, udproutes]
        verbs: [get, list, watch]
      - apiGroups:
        - hub.gke.io
        resources: [memberships]
        verbs: [get, list, watch]
      - apiGroups:
        - install.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - k8s.cni.cncf.io
        resources: [network-attachment-definitions]
        verbs: [get, list, watch]
      - apiGroups:
        - mutations.gatekeeper.sh
        resources: [assign, assignimage, assignmetadata, modifyset, mutatorpodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - networking.k8s.io
        resources: [ingressclasses, ingresses, multiclusterconnectivityconfigs, networkgatewaygroups, networkgatewaynodes, networkinterfaces, networkloggings, networks, trafficsteerings]
        verbs: [get, list, watch]
      - apiGroups:
        - node.k8s.io
        resources: [runtimeclasses]
        verbs: [get, list, watch]
      - apiGroups:
        - policy
        resources: [poddisruptionbudgets, podsecuritypolicies]
        verbs: [get, list, watch]
      - apiGroups:
        - rbac.authorization.k8s.io
        resources: [clusterroles, clusterrolebindings, roles, rolebindings]
        verbs: [get, list, watch]
      - apiGroups:
        - security.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - storage.k8s.io
        resources: [csidrivers, csinodes, csistoragecapacities, storageclasses, volumeattachments]
        verbs: [get, list, watch]
      - apiGroups:
        - sriovnetwork.k8s.cni.cncf.io
        resources: [sriovnetworknodepolicies, sriovnetworknodestates, sriovoperatorconfigs]
        verbs: [get, list, watch]
      - apiGroups:
        - status.gatekeeper.sh
        resources: [constraintpodstatuses, constrainttemplatepodstatuses, expansiontemplatepodstatuses]
        verbs: [get, list, watch]
      - apiGroups:
        - telemetry.istio.io
        resources: [*]
        verbs: [get, list, watch]
      - apiGroups:
        - templates.gatekeeper.sh
        resources: [constrainttemplates]
        verbs: [get, list, watch]
      - apiGroups:
        - vm.cluster.gke.io
        resources: [gpuallocation, guestenvironmentdata, virtualmachineaccessrequest, virtualmachinedisk, virtualmachinepasswordresetrequest, virtualmachinetype, vmhighavailabilitypolicy, vmruntimes]
        verbs: [get, list, watch]
      - apiGroups:
        - '*'
        resources: [componentstatuses, configmaps, endpoints, events, horizontalpodautoscalers, limitranges, namespaces, nodes, persistentvolumeclaims, persistentvolumes, pods, pods/log, podtemplates, replicationcontrollers, resourcequotas, serviceaccounts, services]
        verbs: [get, list, watch]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: fleet-rrb-actuation-gke-fleet-support-access
      roleRef:
        apiGroup: ""
        kind: ClusterRole
        name: fleet-rrb-actuation-gke-fleet-support-access
      subjects:
      - kind: User
        name: service-{PROJECT-NUMBER}@gcp-sa-anthossupport.iam.gserviceaccount.com
      

稽核 Google Cloud 支援服務用量

支援團隊會透過連線閘道 API,使用專案專屬的 Google Cloud 服務帳戶存取叢集。您可以使用 Cloud 稽核記錄稽核所有支援活動。

如要查看使用情形,請啟用資料存取稽核記錄,並找出「呼叫端身分」設為 service-PROJECT_NUMBER@gcp-sa-anthossupport.iam.gserviceaccount.com 的稽核記錄。您可以在稽核記錄的 labels.k8s-request-path 欄位中查看存取的資源。

如要進一步瞭解如何查看這類稽核記錄資料,請參閱「查看 Cloud 稽核記錄」。

如要查看連線閘道的可用稽核記錄作業,請參閱「受稽核的作業」。

常見問題

Google 可以存取哪些資料?

這個流程可讓支援團隊取得非 PII 資源的唯讀存取權。 Google Cloud 也就是說,Google 無法存取機密資料,例如密鑰、權杖等。 此外, Google Cloud 支援團隊也無法執行 kubectl exec 等指令,進入 Pod/節點的殼層,直接與基礎 VM/機器互動。 如要查看可存取的資源清單,請參閱這篇文章

Google 可以對叢集進行哪些變更?

這會授予 Google 唯讀存取權, Google Cloud 支援團隊無法修改叢集。如果支援團隊建議採取任何行動來解決問題,系統會要求顧客執行突變指令。 Google Cloud

Google 會保留這項存取權多久?

支援案件結案後,Google 會移除支援團隊的叢集存取權。您也可以使用這裡的指令手動移除這些權限。

如何存取叢集?

Google Cloud 支援團隊會使用已啟用的 Connect Gateway 服務存取叢集。叢集不會安裝任何新軟體。詳情請參閱「連結安全防護功能」。

Google 為什麼需要這項存取權?

這項存取權可讓支援團隊即時讀取叢集資源,進一步瞭解問題。 Google Cloud 此外,這也能減少來回溝通,讓 Google Cloud 支援團隊更快完成問題分類和解決問題。

我可以在哪裡查看叢集中存取的資源?

您可以透過 Cloud Audit Logs 稽核叢集上的所有 Google Cloud 支援活動。如需操作說明,請參閱這篇文章