Cannot write Micrometer metrics to Google Stackdriver Monitoring: permission denied

Question    Votes: 0    Answers: 1

I am getting

io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission monitoring.metricDescriptors.list denied (or the resource may not exist).
    at io.grpc.Status.asRuntimeException(Status.java:539)
    ... 14 common frames omitted
Wrapped by: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission monitoring.metricDescriptors.list denied (or the resource may not exist).

from io.micrometer.stackdriver.StackdriverMeterRegistry on GCP.

My GKE cluster is configured as follows:

resource "google_container_cluster" "primary-cluster" {
  provider = google-beta

  project  = var.project_id
  name     = "${var.project_id}-autopilot-cluster"
  location = var.region

  node_locations = toset(var.k8s_node_zones)

  ip_allocation_policy {
  }

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.vpc-subnet.name

  min_master_version = var.k8s_min_cluster_version

  release_channel {
    channel = var.k8s_release_channel
  }

  enable_autopilot = true

  cluster_autoscaling {
    auto_provisioning_defaults {
      service_account = google_service_account.gke-service-account.email
      image_type      = "COS_CONTAINERD"
      disk_size       = 10
      oauth_scopes = [
        "https://www.googleapis.com/auth/cloud-platform",
        "https://www.googleapis.com/auth/devstorage.full_control",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring",
        "https://www.googleapis.com/auth/monitoring.read",
        "https://www.googleapis.com/auth/monitoring.write"
      ]
    }
  }

}

resource "google_project_iam_member" "logging_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.gke-service-account.email}"
}

resource "google_project_iam_member" "metric_writer" {
  project = var.project_id
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.gke-service-account.email}"
}

and gke-service-account has the roles/monitoring.metricWriter role. I do see the OOTB GKE metrics, and logging also works.

Autopilot clusters in GCP enforce Workload Identity. Could this be related? That would be confusing, because I can see logs in Stackdriver Logging and Error Reporting. In addition, one of my pods can also access Cloud Storage using com.google.cloud.storage.Storage without any problem.

google-cloud-platform google-kubernetes-engine stackdriver
1 Answer

0 votes

Workload Identity lets you associate a Kubernetes service account with a Google service account. It enables more secure, fine-grained access control when your applications running on GKE need to interact with various GCP services.

To configure Workload Identity on a GKE cluster, refer to this documentation
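As an added illustration of the binding the answer describes (this is not the answerer's code and not part of the question's Terraform), the following shows how the page's gke-service-account would be mapped to a Kubernetes service account under Workload Identity. The namespace `default`, the Kubernetes service account name `metrics-app`, the deployment and a configured `kubernetes` provider pointed at the cluster are all assumptions; the project id and Google service account come from the question's own variables and resources.

```hcl
# Added example, not from the original question or answer.
# Binds the Kubernetes service account "metrics-app" (assumed name) in the
# "default" namespace (assumed) to the page's gke-service-account, so a pod
# running as that KSA obtains the GSA's identity from the GKE metadata server
# and therefore carries the GSA's IAM roles (roles/monitoring.metricWriter,
# roles/logging.logWriter) when it calls the Monitoring API.

# 1. Grant the KSA permission to impersonate the Google service account.
#    Member format: serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]
#    Scoping the binding to exactly one namespace/KSA pair keeps the GSA from
#    being usable by any other workload in the cluster.
resource "google_service_account_iam_member" "metrics_app_workload_identity" {
  service_account_id = google_service_account.gke-service-account.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/metrics-app]"
}

# 2. Create the KSA and annotate it with the GSA it maps to.
#    (Assumes a "kubernetes" provider configured against the cluster above.)
resource "kubernetes_service_account" "metrics_app" {
  metadata {
    name      = "metrics-app"
    namespace = "default"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.gke-service-account.email
    }
  }
}

# 3. The workload must actually run as that KSA. A pod that omits
#    service_account_name runs as the namespace's "default" KSA, which has no
#    GSA mapping, and the Monitoring API then answers PERMISSION_DENIED even
#    though gke-service-account itself holds roles/monitoring.metricWriter.
resource "kubernetes_deployment" "metrics_app" {
  metadata {
    name      = "metrics-app"
    namespace = "default"
  }

  spec {
    replicas = 1

    selector {
      match_labels = { app = "metrics-app" }
    }

    template {
      metadata {
        labels = { app = "metrics-app" }
      }

      spec {
        service_account_name = kubernetes_service_account.metrics_app.metadata[0].name

        container {
          name  = "app"
          image = "IMAGE_PLACEHOLDER" # placeholder: the Micrometer-instrumented application image
        }
      }
    }
  }
}
```

A quick way to confirm which identity a running pod actually presents is to request `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email` from inside the pod with the header `Metadata-Flavor: Google`; if the response is not the gke-service-account email, the pod is not using the bound KSA and the IAM roles granted to the GSA do not apply to it.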
