Good morning!
I have been working with GKE Connect lately and have been trying to register my "remote" kops-generated clusters running on GCP and AWS VMs so that I can see them in the GCP console.
If you are not yet familiar with GKE Connect, the official documentation is available.
The problem is that, after going through several tutorials and trying everything, the GKE Connect agents appear to run fine on my k8s clusters, but they never show up in my GCP console as remote clusters. You can find a walkthrough of the steps I took here.
The steps I took are basically the following:
gcloud alpha container hub register-cluster ${CLUSTER_NAME} \
--context=${CLUSTER_NAME} \
--service-account-key-file=/var/lib/jenkins/gke-connect/${SERVICE_ACC}-gke-connect-creds.json \
--project=${CLOUD_PROJECT}
The agent is deployed on my cluster and the container logs show the following:
2019/12/13 08:57:03.403373 dialer.go:261: dialer: dial: connecting to gkeconnect.googleapis.com:443...
2019/12/13 08:57:03.515452 dialer.go:272: dialer: dial: connected to gkeconnect.googleapis.com:443
2019/12/13 08:57:03.515483 tunnel.go:314: serve: opening egress stream...
2019/12/13 08:57:03.515545 tunnel.go:322: serve: registering project_number="681949624886", connection_id="db3fb4d9-1d7f-11ea-927b-0218619c9f84" connection_class="DEFAULT" agent_version="20191206-03-00" ...
2019/12/13 08:57:03.515592 dialer.go:222: Dial successful, current connections: 3
2019/12/13 08:57:08.515779 tunnel.go:374: serve: serving requests...
Note that the API requests seem to take a very long time: the GCP API console shows an average response time of 8 minutes. Has anyone experienced something similar?
Thanks!
EDIT 1: Adding more info
I am not sure how this works since it is not documented anywhere, but the GKE Connect agent appears to handle 3 connectors, which disconnect after 5 to 8 minutes with the following trace pattern:
2019/12/13 11:04:30.519779 dialer.go:277: dialer: dial: connection to gkeconnect.googleapis.com:443 closed after 8m1.174074486s
2019/12/13 11:04:30.519831 dialer.go:204: dialer: connection done: <nil>
2019/12/13 11:04:30.519839 dialer.go:305: dialer: backoff: reset
2019/12/13 11:04:30.519847 dialer.go:236: dialer: dial interval was 5m0.950672921s
2019/12/13 11:04:30.519859 dialer.go:180: dialer: waiting for next event, outstanding connections=2
EDIT 2: Connectivity
From inside a container deployed in the cluster, connectivity to the required endpoints seems fine:
/usr/src/app # ping oauth2.googleapis.com
PING oauth2.googleapis.com (172.217.21.234): 56 data bytes
64 bytes from 172.217.21.234: seq=0 ttl=48 time=1.169 ms
64 bytes from 172.217.21.234: seq=1 ttl=48 time=1.165 ms
--- oauth2.googleapis.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.165/1.167/1.169 ms
/usr/src/app # ping gkeconnect.googleapis.com
PING gkeconnect.googleapis.com (172.217.22.42): 56 data bytes
64 bytes from 172.217.22.42: seq=0 ttl=48 time=1.115 ms
64 bytes from 172.217.22.42: seq=1 ttl=48 time=1.201 ms
--- gkeconnect.googleapis.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.115/1.158/1.201 ms
/usr/src/app # ping gkehub.googleapis.com
PING gkehub.googleapis.com (216.58.206.10): 56 data bytes
64 bytes from 216.58.206.10: seq=0 ttl=48 time=1.374 ms
64 bytes from 216.58.206.10: seq=1 ttl=48 time=1.428 ms
--- gkehub.googleapis.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.374/1.401/1.428 ms
/usr/src/app # ping www.googleapis.com
PING www.googleapis.com (172.217.16.202): 56 data bytes
64 bytes from 172.217.16.202: seq=0 ttl=48 time=1.357 ms
64 bytes from 172.217.16.202: seq=1 ttl=48 time=1.382 ms
--- www.googleapis.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.357/1.369/1.382 ms
/usr/src/app # ping accounts.google.com
PING accounts.google.com (172.217.23.141): 56 data bytes
64 bytes from 172.217.23.141: seq=0 ttl=48 time=1.447 ms
64 bytes from 172.217.23.141: seq=1 ttl=48 time=1.400 ms
--- accounts.google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.400/1.423/1.447 ms
/usr/src/app # ping gcr.io
PING gcr.io (173.194.76.82): 56 data bytes
64 bytes from 173.194.76.82: seq=0 ttl=32 time=10.311 ms
64 bytes from 173.194.76.82: seq=1 ttl=32 time=10.386 ms
--- gcr.io ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 10.311/10.348/10.386 ms
EDIT 3: Further testing
Thanks to Armando's comment I took another look at the official repository. I also found these Anthos workshops, which basically tell the same story.
They seem to claim that cluster registration requires a whitelisted service account, but they never actually state what the whitelisting process looks like.
Checking out the GKE Connect scripts, the codelabs do pretty much the same thing I did on my own: create a service account, grant it the required permissions, register my cluster and generate a KSA whose key can be used to access the cluster from the GCP console.
Now, that sketchy bit about the whitelisting process could be the key to solving this issue, but to my surprise I could not find any reference to that process.
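As an added example (not part of the question above and not Google's tooling), the following Python script parses GKE Connect agent log lines in the format quoted in the question and summarises the tunnel lifecycle: how often the dialer connected, how long each tunnel lived before it closed, whether each closure was clean (`connection done: <nil>` rather than an error), the redial interval, and how many connections the agent reports as outstanding. The field names and the line layout are inferred from the quoted lines and are assumptions; the sample log is those lines, constructed into one string, and the 5-to-10-minute window used to flag an expected tunnel rotation is an assumption taken from the durations observed in the post.

```python
"""Summarise GKE Connect agent tunnel events from its container log.

Added example: the log layout and field names below are inferred from the
lines quoted in the question; they are assumptions, not a documented format.
"""
import re
from datetime import datetime
from typing import Dict

# Constructed sample input: the agent lines quoted in the question, joined.
SAMPLE_LOG = """\
2019/12/13 08:57:03.403373 dialer.go:261: dialer: dial: connecting to gkeconnect.googleapis.com:443...
2019/12/13 08:57:03.515452 dialer.go:272: dialer: dial: connected to gkeconnect.googleapis.com:443
2019/12/13 08:57:03.515545 tunnel.go:322: serve: registering project_number="681949624886", connection_id="db3fb4d9-1d7f-11ea-927b-0218619c9f84" connection_class="DEFAULT" agent_version="20191206-03-00" ...
2019/12/13 08:57:03.515592 dialer.go:222: Dial successful, current connections: 3
2019/12/13 08:57:08.515779 tunnel.go:374: serve: serving requests...
2019/12/13 11:04:30.519779 dialer.go:277: dialer: dial: connection to gkeconnect.googleapis.com:443 closed after 8m1.174074486s
2019/12/13 11:04:30.519831 dialer.go:204: dialer: connection done: <nil>
2019/12/13 11:04:30.519847 dialer.go:236: dialer: dial interval was 5m0.950672921s
2019/12/13 11:04:30.519859 dialer.go:180: dialer: waiting for next event, outstanding connections=2
"""

# "<timestamp> <file.go:line>: <message>" as seen in the quoted output.
_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+\.go:\d+): (?P<msg>.*)$"
)
_CONNECTED = re.compile(r"dial: connected to (?P<host>\S+)")
_CLOSED = re.compile(r"connection to (?P<host>\S+) closed after (?P<dur>\S+)")
_DONE = re.compile(r"connection done: (?P<err>.+)")
_INTERVAL = re.compile(r"dial interval was (?P<dur>\S+)")
_OUTSTANDING = re.compile(r"(?:current connections: |outstanding connections=)(?P<n>\d+)")
_REGISTER = re.compile(
    r'registering project_number="(?P<project>\d+)", connection_id="(?P<cid>[0-9a-f-]+)"'
)
# Go time.Duration text with h/m/s units, e.g. "8m1.174074486s" or "1h2m3s".
# Sub-second units (ms, us, ns) are deliberately not handled here.
_GO_DURATION = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?$")
_TS_FORMAT = "%Y/%m/%d %H:%M:%S.%f"


def parse_go_duration(text: str) -> float:
    """Convert a Go duration string such as '8m1.174074486s' into seconds."""
    m = _GO_DURATION.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised Go duration: {text!r}")
    hours, minutes, seconds = m.groups()
    return int(hours or 0) * 3600 + int(minutes or 0) * 60 + float(seconds or 0)


def summarize(log_text: str, expected_lifetime_s=(300.0, 600.0)) -> Dict:
    """Walk the log once and collect connect/close/redial events.

    expected_lifetime_s is an assumed window (5 to 10 minutes) for a routine
    tunnel rotation; closes outside it, or closes that end with an error
    instead of '<nil>', are what a defender would want to look at.
    """
    summary = {
        "connected": 0,
        "closes": [],            # one dict per "closed after" line
        "dial_intervals_s": [],
        "outstanding": [],       # connection counts as the agent reports them
        "project_number": None,
        "connection_ids": [],
        "unparsed": [],
        "window_s": 0.0,         # span between first and last parsed timestamp
    }
    first_ts = last_ts = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            summary["unparsed"].append(line)
            continue
        ts = datetime.strptime(m.group("ts"), _TS_FORMAT)
        first_ts = first_ts or ts
        last_ts = ts
        msg = m.group("msg")
        if _CONNECTED.search(msg):
            summary["connected"] += 1
        elif (c := _CLOSED.search(msg)):
            summary["closes"].append({"host": c.group("host"),
                                      "seconds": parse_go_duration(c.group("dur")),
                                      "clean": None})
        elif (d := _DONE.search(msg)):
            # The error string follows the close it belongs to; "<nil>" means
            # the tunnel ended without an error, i.e. a routine rotation.
            if summary["closes"] and summary["closes"][-1]["clean"] is None:
                summary["closes"][-1]["clean"] = d.group("err").strip() == "<nil>"
        elif (i := _INTERVAL.search(msg)):
            summary["dial_intervals_s"].append(parse_go_duration(i.group("dur")))
        elif (o := _OUTSTANDING.search(msg)):
            summary["outstanding"].append(int(o.group("n")))
        elif (r := _REGISTER.search(msg)):
            summary["project_number"] = r.group("project")
            summary["connection_ids"].append(r.group("cid"))
    if first_ts and last_ts:
        summary["window_s"] = (last_ts - first_ts).total_seconds()
    lo, hi = expected_lifetime_s
    summary["all_closes_clean_and_periodic"] = bool(summary["closes"]) and all(
        c["clean"] is True and lo <= c["seconds"] <= hi for c in summary["closes"])
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a longer capture (`kubectl logs` of the agent pod piped into `summarize`), the `closes` list shows whether every tunnel lives roughly the same time and ends with `<nil>`, which points at a server-side rotation rather than a connectivity problem; an error string after `connection done:` or a lifetime well outside the window is the line worth investigating.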
Answer 0 (score: 2)
Anthos by Google Cloud requires a paid subscription to use. The documentation you are reviewing is for existing subscribers. To try or buy Anthos, you need to contact sales. The link is on the Anthos home page here: https://cloud.google.com/anthos/