I am getting

    io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission monitoring.metricDescriptors.list denied (or the resource may not exist).
        at io.grpc.Status.asRuntimeException(Status.java:539)
        ... 14 common frames omitted
    Wrapped by: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission monitoring.metricDescriptors.list denied (or the resource may not exist).

from io.micrometer.stackdriver.StackdriverMeterRegistry on GCP.
My GKE cluster is configured as follows:

    resource "google_container_cluster" "primary-cluster" {
      provider           = google-beta
      project            = var.project_id
      name               = "${var.project_id}-autopilot-cluster"
      location           = var.region
      node_locations     = toset(var.k8s_node_zones)
      ip_allocation_policy {
      }
      network            = google_compute_network.vpc.name
      subnetwork         = google_compute_subnetwork.vpc-subnet.name
      min_master_version = var.k8s_min_cluster_version
      release_channel {
        channel = var.k8s_release_channel
      }
      enable_autopilot = true
      cluster_autoscaling {
        auto_provisioning_defaults {
          service_account = google_service_account.gke-service-account.email
          image_type      = "COS_CONTAINERD"
          disk_size       = 10
          oauth_scopes = [
            "https://www.googleapis.com/auth/cloud-platform",
            "https://www.googleapis.com/auth/devstorage.full_control",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring",
            "https://www.googleapis.com/auth/monitoring.read",
            "https://www.googleapis.com/auth/monitoring.write"
          ]
        }
      }
    }

    resource "google_project_iam_member" "logging_writer" {
      project = var.project_id
      role    = "roles/logging.logWriter"
      member  = "serviceAccount:${google_service_account.gke-service-account.email}"
    }

    resource "google_project_iam_member" "metric_writer" {
      project = var.project_id
      role    = "roles/monitoring.metricWriter"
      member  = "serviceAccount:${google_service_account.gke-service-account.email}"
    }

and gke-service-account has the roles/monitoring.metricWriter role.
I do see the out-of-the-box GKE metrics, and logging works as well.

Autopilot clusters on GCP enforce Workload Identity. Could it be related to that? It would be confusing, because I can see the logs in Stackdriver Logging and Error Reporting. Also, one of my pods can access Cloud Storage with com.google.cloud.storage.Storage without any problem.
Workload Identity lets you associate a Kubernetes service account with a Google service account. It enables more secure, fine-grained access control when an application running on GKE needs to interact with various GCP services.

To configure Workload Identity on a GKE cluster, see this document.
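The following is an added Terraform example illustrating the answer above; it is not code from the question or from the answer's author. It maps a Kubernetes service account to a Google service account under Workload Identity and runs the pod under that Kubernetes service account, so the pod's credentials carry the Google service account's IAM roles instead of whatever identity an unmapped pod would get. The namespace `default`, the service account name `metrics-app`, the Google service account `metrics-app` and the container image are assumptions; `var.project_id` is the variable from the question, and the `google` and `kubernetes` providers are assumed to be configured elsewhere.

```hcl
# Added example, not part of the original post. Assumed names: namespace
# "default", Kubernetes service account "metrics-app", Google service account
# "metrics-app"; var.project_id as in the question. The google and kubernetes
# providers are assumed to be configured elsewhere.

# The Google service account (GSA) the pod will act as.
resource "google_service_account" "metrics_app" {
  project      = var.project_id
  account_id   = "metrics-app"
  display_name = "Workload Identity GSA for the metrics app"
}

# Cloud Monitoring write access for the GSA. Under Workload Identity a pod
# does not inherit the node service account's roles, so the role has to be
# granted to the GSA the pod is mapped to.
resource "google_project_iam_member" "metrics_app_metric_writer" {
  project = var.project_id
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.metrics_app.email}"
}

# Allow the Kubernetes service account default/metrics-app to impersonate the
# GSA. The member is a principal in the cluster's Workload Identity pool,
# which is named PROJECT_ID.svc.id.goog.
resource "google_service_account_iam_member" "metrics_app_wi_user" {
  service_account_id = google_service_account.metrics_app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/metrics-app]"
}

# The Kubernetes service account, annotated with the GSA it maps to. Without
# this annotation the token the pod obtains from the GKE metadata server does
# not carry the GSA's permissions.
resource "kubernetes_service_account" "metrics_app" {
  metadata {
    name      = "metrics-app"
    namespace = "default"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.metrics_app.email
    }
  }
  depends_on = [google_service_account_iam_member.metrics_app_wi_user]
}

# Run the application under that Kubernetes service account. The image name
# is a placeholder.
resource "kubernetes_deployment" "metrics_app" {
  metadata {
    name      = "metrics-app"
    namespace = "default"
  }
  spec {
    replicas = 1
    selector {
      match_labels = { app = "metrics-app" }
    }
    template {
      metadata {
        labels = { app = "metrics-app" }
      }
      spec {
        service_account_name = kubernetes_service_account.metrics_app.metadata[0].name
        container {
          name  = "app"
          image = "example.com/metrics-app:1.0" # placeholder image
        }
      }
    }
  }
}
```

To check that the mapping took effect, query the metadata server from inside the running pod: a request to `http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email` with the header `Metadata-Flavor: Google` should return the GSA's email address. If it returns a different identity, the pod is not running under the annotated Kubernetes service account or the `roles/iam.workloadIdentityUser` binding is missing, and calls such as the metric descriptor listing in the question will be denied regardless of what roles the node service account holds.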