[英]Use GCP debugger but got permission error
I add @google-cloud/debug-agent
on my nodejs project which is deployed on GKE.我在部署在 GKE 上的 nodejs 项目中添加了@google-cloud/debug-agent
。
But I got error:但我得到了错误:
restify listening to http://[::]:80
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
I have checked my GKE have the debug permission.我已检查我的 GKE 是否具有调试权限。 I don't know why the service didn't have permission.我不知道为什么该服务没有权限。
Here is the code I define on my index.ts这是我在 index.ts 上定义的代码
import * as tracer from '@google-cloud/trace-agent';
tracer.start();
import * as debug from '@google-cloud/debug-agent';
debug.start();
This issue can be resolved by doing the following:可以通过执行以下操作来解决此问题:
1 - Create a new Cluster with these permissions enabled (ie Cloud Debugger/ Cloud Platform 'Enabled') and with the required scopes. 1 - 创建一个启用了这些权限(即云调试器/云平台“已启用”)和所需范围的新集群。 [1] [1]
Example:例子:
$ gcloud container clusters create example-cluster-name --scopes https://www.googleapis.com/auth/cloud_debugger --zone $ gcloud 容器集群创建 example-cluster-name --scopes https://www.googleapis.com/auth/cloud_debugger --zone
2- You can use the same YAML config files you used to deploy your original workloads in the new cluster. 2- 您可以使用用于在新集群中部署原始工作负载的相同 YAML 配置文件。 You must make sure you have the required scopes for this to work.您必须确保您拥有所需的范围才能使其工作。
You can review how authentication and scopes work using [2] [3] .您可以使用[2] [3]查看身份验证和范围的工作方式。
I found the issue is caused by workload identity, so I just close this feature to fix this issue.我发现问题是由工作负载身份引起的,所以我只是关闭了这个功能来解决这个问题。
Because I select to launch the workload identity feature.因为我选择启动工作负载身份功能。 Every pod which needs to connect GCP service will need to create a service account for these pods.每个需要连接 GCP 服务的 pod 都需要为这些 pod 创建一个服务帐户。 Otherwise, the permission will be blocked.否则,权限将被阻止。
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.