How to solve a logging problem where GKE responds "403 Unauthorized"

Time: 2018-12-28 05:17:15

Tags: logging http-status-code-403 google-kubernetes-engine

I am developing an application on GKE that does its logging with Stackdriver Logging.

Now I am running into the problem described below.

[Log]

https://logging.googleapis.com/v2/entries:write?alt=json returned "Unauthorized user access 209122328335">

The log mentioned above is printed here (★).

    def __logging_v1(self):
        def create_service():
            # Application Default Credentials: inside the container this resolves
            # to the service-account key mounted as a secret
            from oauth2client.client import GoogleCredentials
            credentials = GoogleCredentials.get_application_default()

            print(credentials.service_account_email)  # ☆

            # Build a Stackdriver Logging v2 client that signs requests with that key
            from googleapiclient import discovery
            return discovery.build('logging',
                                   'v2',
                                   discoveryServiceUrl=discovery.V2_DISCOVERY_URI,
                                   credentials=credentials,
                                   cache_discovery=False)

        body = self.__get_body()
        req = create_service().entries().write(body=body)

        try:
            req.execute()
        except Exception as err:
            # for system-log to detect an abnormality
            print('StackDriver AlertTag')
            print(err)  # ★Here

At point (☆) I confirmed that the service account specified is the one mounted on the container as a key, and that it has certain roles set in IAM (■1).

■1

App Engine manager
BigQuery manager
Stackdriver Debugger agent
Stackdriver Profiler agent
Cloud SQL manager
Cloud Taskmanager
Cloud Trace manager
Compute manager
Cloud Datastore index manager
Cloud Datastore owner
Error Reporting manager
Logging manager
Monitoring manager
Pub/Sub manager
Service Management manager
Service controller
Source Repository manager
Stackdriver Account editor
Storage manager

Other conditions:

1) Enabled API services

Compute Engine API
Stackdriver Logging API
Stackdriver Monitoring API
BigQuery API
Cloud Build API
Cloud Datastore API
Cloud Firestore API
Cloud OS Login API
Cloud Pub/Sub API
Cloud Source Repositories API
Cloud SQL
Compute Engine Instance Group Manager API
Container Registry API
Firebase Rules API
Google Cloud APIs
Google Cloud Deployment Manager V2 API
Google Cloud DNS API
Google Cloud Memorystore for Redis API
Google Cloud Storage
Google Cloud Storage JSON API
Google Compute Engine Instance Group Updater API
Google Compute Engine Instance Groups API
Kubernetes Engine API
Service Management API
Service Usage API
Stackdriver API
Stackdriver Debugger API
Stackdriver Profiler API
Stackdriver Provisioning Service Private 
Stackdriver Trace API

2) Cluster settings

Stackdriver Logging **Valid**
Stackdriver Monitoring **Valid**

3) The same source and the same conditions on another project

The error log above does not appear, and the logs are recorded correctly.

◆1

oauthScopes:
  - https://www.googleapis.com/auth/cloud-platform
  serviceAccount: default
nodeIpv4CidrSize: 24
nodePools:
- autoscaling:
    enabled: true
    maxNodeCount: 3
  config:
    diskSizeGb: 100
    diskType: pd-standard
--
    oauthScopes:
    - https://www.googleapis.com/auth/cloud-platform
    serviceAccount: default
  initialNodeCount: 2
  instanceGroupUrls:
  - https://www.googleapis.com/****
  management:
    autoRepair: true
  name: default-pool
  selfLink:
        https://container.googleapis.com/****
  status: RUNNING
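A diagnostic check for the situation above, added here as an example that is not part of the question or the answer: it relates the project number quoted in the 403 text to the IAM bindings of the service account whose key is mounted in the container, using a policy document in the shape `gcloud projects get-iam-policy PROJECT --format=json` produces. The error string, the policy and the account names are constructed; the set of roles treated as granting `logging.logEntries.create` is an assumed subset, not an exhaustive list.

```python
import json
import re

# Roles that carry the logging.logEntries.create permission used by
# entries:write. Assumption: a known subset, not an exhaustive list.
LOG_WRITE_ROLES = {"roles/logging.logWriter", "roles/logging.admin",
                   "roles/editor", "roles/owner"}

# Matches the message printed at the "★Here" line of the question.
ERROR_RE = re.compile(r'entries:write\S*\s+returned\s+"(?P<msg>[^"]*)"')


def parse_write_error(text):
    """Extract the project number quoted in the 403 text, or None."""
    m = ERROR_RE.search(text)
    if not m:
        return None
    num = re.search(r"\b\d{6,}\b", m.group("msg"))
    return num.group(0) if num else None


def roles_for_member(policy, member):
    """Roles bound to `member` in a get-iam-policy JSON document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def diagnose(error_text, policy, sa_email):
    """Relate the failing call to the IAM bindings of the key's account."""
    held = roles_for_member(policy, "serviceAccount:" + sa_email)
    return {"project": parse_write_error(error_text),
            "roles": sorted(held),
            "can_write_logs": bool(held & LOG_WRITE_ROLES)}


# Constructed sample: an error in the form the question shows and a made-up
# policy where the roles were granted to one account while the key mounted
# in the container belongs to a different one.
SAMPLE_ERROR = ('<HttpError 403 when requesting https://logging.googleapis.com'
                '/v2/entries:write?alt=json returned '
                '"Unauthorized user access 209122328335">')
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/logging.admin",
   "members": ["serviceAccount:app-logger@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/bigquery.admin",
   "members": ["serviceAccount:app-logger@example-project.iam.gserviceaccount.com",
               "serviceAccount:legacy-key@example-project.iam.gserviceaccount.com"]}]}""")

if __name__ == "__main__":
    for sa in ("app-logger@example-project.iam.gserviceaccount.com",
               "legacy-key@example-project.iam.gserviceaccount.com"):
        print(sa, diagnose(SAMPLE_ERROR, SAMPLE_POLICY, sa))
```

Compare the email printed at ☆ with the account that actually holds a log-writing role in the project named in the error; a mismatch between the two is what this check surfaces.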

1 answer:

Answer 0: (score: 0)

Solution: use a service account that was issued without restrictions as the resource. In detail, when issuing the service account, do not configure anything in step 3 (granting access to users or groups that need to perform actions as that service account). At this step, the use of the service account can be restricted to certain users.

via @Delta