Asked by: Stefano L Asked: 9/28/2023 Updated: 10/24/2023 Views: 53
Cannot write Micrometer metrics to Google Stackdriver Monitoring: Permission Denied
Q:
I am receiving
io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission monitoring.metricDescriptors.list denied (or the resource may not exist).
at io.grpc.Status.asRuntimeException(Status.java:539)
... 14 common frames omitted
Wrapped by: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission monitoring.metricDescriptors.list denied (or the resource may not exist).
from io.micrometer.stackdriver.StackdriverMeterRegistry on GCP.
My GKE cluster is configured like this:
resource "google_container_cluster" "primary-cluster" {
  provider           = google-beta
  project            = var.project_id
  name               = "${var.project_id}-autopilot-cluster"
  location           = var.region
  node_locations     = toset(var.k8s_node_zones)
  ip_allocation_policy {
  }
  network            = google_compute_network.vpc.name
  subnetwork         = google_compute_subnetwork.vpc-subnet.name
  min_master_version = var.k8s_min_cluster_version
  release_channel {
    channel = var.k8s_release_channel
  }
  enable_autopilot = true
  cluster_autoscaling {
    auto_provisioning_defaults {
      service_account = google_service_account.gke-service-account.email
      image_type      = "COS_CONTAINERD"
      disk_size       = 10
      oauth_scopes = [
        "https://www.googleapis.com/auth/cloud-platform",
        "https://www.googleapis.com/auth/devstorage.full_control",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring",
        "https://www.googleapis.com/auth/monitoring.read",
        "https://www.googleapis.com/auth/monitoring.write"
      ]
    }
  }
}
resource "google_project_iam_member" "logging_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.gke-service-account.email}"
}
resource "google_project_iam_member" "metric_writer" {
  project = var.project_id
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.gke-service-account.email}"
}
and gke-service-account has been granted the roles/monitoring.metricWriter role.
I do also see the OOTB GKE metrics as well as logging working.
Autopilot clusters in GCP have Workload Identity enforced. Could that be related? It is confusing, because I can see logs in Stackdriver Logging as well as in Error Reporting.
Also, one of my pods can access Cloud Storage via com.google.cloud.storage.Storage without any problem.
A:
0 votes
iamwillbin
10/24/2023
#1
Workload Identity lets you associate a Kubernetes service account with a Google service account. It provides more secure, finer-grained access control when applications running on GKE need to interact with various GCP services.
To configure Workload Identity on a GKE cluster, refer to this documentation.
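What the answer's Workload Identity binding looks like in the question's own Terraform, as an added example (not code from the question or the answer): the node service account from the question is only used by the nodes, so a pod on an Autopilot cluster has to be explicitly allowed to impersonate a Google service account. Assumed names: Kubernetes namespace "metrics" and Kubernetes service account "micrometer-app"; var.project_id and google_service_account.gke-service-account are taken from the question.

```hcl
# Added example; assumes the Micrometer app runs in namespace "metrics" under
# the Kubernetes service account "micrometer-app" (both names are assumptions).
# var.project_id and google_service_account.gke-service-account come from the
# question's Terraform.

# The project's Workload Identity pool is "<project_id>.svc.id.goog".
# Granting roles/iam.workloadIdentityUser on the GSA to the KSA member lets the
# pod obtain credentials for that GSA from the GKE metadata server; without this
# binding the pod does not carry the GSA's roles/monitoring.metricWriter role.
resource "google_service_account_iam_member" "micrometer_wi_user" {
  service_account_id = google_service_account.gke-service-account.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[metrics/micrometer-app]"
}

# The KSA the pod must reference via serviceAccountName, annotated with the GSA
# it impersonates. Requires the kubernetes provider to be configured for the cluster.
resource "kubernetes_service_account" "micrometer_app" {
  metadata {
    name      = "micrometer-app"
    namespace = "metrics"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.gke-service-account.email
    }
  }
}
```

For least privilege, a dedicated GSA that holds only roles/monitoring.metricWriter is preferable to reusing the node service account as done here for brevity. To confirm which identity a pod actually runs as, query the metadata server from inside the pod: curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email.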