Unable to get Istio gateway logs into Stackdriver

Time: 2020-10-22 14:07:06

Tags: google-kubernetes-engine istio google-iam

I have deployed Istio on a private GKE cluster with Workload Identity (WLI) enabled. Istio was installed with istioctl / istio-operator. I want to see whether my egress requests are getting stuck anywhere, and I cannot see them, because I get the following error:

CreateTimeSeries request failed (1 RPCs, 16 views, 20 timeseries): PERMISSION_DENIED: Permission monitoring.timeSeries.create denied (or the resource may not exist). I can see that the serviceaccount attached to the gateway is istio-egressgateway-service-account, which I did not create explicitly. I think it was created by Istio. So I would like to understand how to fix this. I am a bit worried about attaching this service account to a GCP IAM service account, because the account is managed by Istio and I don't want to mess with it.

Is it because of Workload Identity (WLI) or something else? How can I fix this? Any ideas and help would be appreciated. GKE version: 1.17.9-gke.1504, Istio version 1.7.x

1 answer:

Answer 0 (score: 0)

For anyone searching and landing on this page:

Reference: GKE workload identity

# Placeholder values: the GCP project, the Google service account (GSA) to create,
# and the Kubernetes service account (KSA) / namespace that should impersonate it.
export GCP_PROJECT=my-project
export GCP_SA=gke-prometheus
export K8S_SA=prometheus
export K8S_NS=prometheus

# 1. Create the GSA that the pod will act as.
gcloud iam service-accounts create ${GCP_SA} --display-name=${GCP_SA}

# 2. Allow the KSA (identified by PROJECT.svc.id.goog[NAMESPACE/KSA]) to
#    impersonate the GSA via Workload Identity.
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT}.svc.id.goog[${K8S_NS}/${K8S_SA}]" \
  ${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com

# 3. Grant the GSA the project-level roles it needs to write metrics,
#    read monitoring data, write logs and write resource metadata.
gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/monitoring.metricWriter

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/monitoring.viewer

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/logging.logWriter

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/stackdriver.resourceMetadata.writer

# 4. Annotate the KSA so GKE maps it to the GSA.
kubectl annotate serviceaccount ${K8S_SA} \
  iam.gke.io/gcp-service-account="${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  -n ${K8S_NS}
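The answer above wires together three things that all have to agree before a PERMISSION_DENIED on monitoring.timeSeries.create goes away: the KSA annotation, the roles/iam.workloadIdentityUser binding on the GSA, and the project-level roles on the GSA. The following checker is an added example (not code from the question, the answer, or Istio) that validates that chain offline from the JSON that `kubectl get sa -o json` and `gcloud ... get-iam-policy --format=json` produce. The GSA name `istio-egress-logs@my-project.iam.gserviceaccount.com` and the `istio-system` namespace are assumptions; `istio-egressgateway-service-account` is the KSA named in the question, and the sample policies are constructed to show one broken and one complete setup.

```python
"""Offline check that a GKE Workload Identity binding is complete.

Added example, not from the question or answer. Inputs mirror the shape of
`kubectl get sa <ksa> -n <ns> -o json`,
`gcloud iam service-accounts get-iam-policy <gsa> --format=json` and
`gcloud projects get-iam-policy <project> --format=json`.
"""

ANNOTATION = "iam.gke.io/gcp-service-account"

# The project-level roles the answer grants. roles/monitoring.metricWriter
# carries monitoring.timeSeries.create, the permission denied in the question.
REQUIRED_PROJECT_ROLES = {
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/logging.logWriter",
    "roles/stackdriver.resourceMetadata.writer",
}

# Assumed/constructed values for the demonstration.
PROJECT = "my-project"                          # placeholder, as in the answer
NAMESPACE = "istio-system"                      # assumption: default Istio namespace
KSA = "istio-egressgateway-service-account"     # KSA named in the question
GSA = f"istio-egress-logs@{PROJECT}.iam.gserviceaccount.com"  # constructed GSA name


def ksa_member(project, namespace, ksa):
    """Build the IAM member string GKE uses for a KSA under Workload Identity."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def roles_for(policy, member):
    """Return the set of roles `member` holds in an IAM policy dict."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_workload_identity(project, namespace, ksa_obj, gsa_policy, project_policy):
    """Return a list of problems; an empty list means the binding chain is complete."""
    problems = []
    ksa_name = ksa_obj["metadata"]["name"]
    gsa = ksa_obj["metadata"].get("annotations", {}).get(ANNOTATION)
    if not gsa:
        problems.append(f"KSA {namespace}/{ksa_name} has no {ANNOTATION} annotation")
        return problems  # nothing else can be checked without the GSA name
    if not gsa.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append(f"annotation points at {gsa}, not a GSA in project {project}")
    member = ksa_member(project, namespace, ksa_name)
    if "roles/iam.workloadIdentityUser" not in roles_for(gsa_policy, member):
        problems.append(f"{gsa} does not grant roles/iam.workloadIdentityUser to {member}")
    missing = REQUIRED_PROJECT_ROLES - roles_for(project_policy, f"serviceAccount:{gsa}")
    for role in sorted(missing):
        problems.append(f"{gsa} lacks {role} on project {project}")
    return problems


# Constructed sample inputs.
SAMPLE_KSA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": KSA, "namespace": NAMESPACE, "annotations": {ANNOTATION: GSA}},
}
# Broken: KSA is annotated, but the GSA never got the workloadIdentityUser binding
# and the project only granted two of the four roles.
BROKEN_GSA_POLICY = {"bindings": [], "version": 1}
BROKEN_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/monitoring.metricWriter", "members": [f"serviceAccount:{GSA}"]},
        {"role": "roles/logging.logWriter", "members": [f"serviceAccount:{GSA}"]},
    ],
    "version": 1,
}
# Complete: what the policies look like after every command in the answer has run.
FIXED_GSA_POLICY = {
    "bindings": [
        {"role": "roles/iam.workloadIdentityUser", "members": [ksa_member(PROJECT, NAMESPACE, KSA)]}
    ],
    "version": 1,
}
FIXED_PROJECT_POLICY = {
    "bindings": [{"role": r, "members": [f"serviceAccount:{GSA}"]} for r in sorted(REQUIRED_PROJECT_ROLES)],
    "version": 1,
}


def check_broken():
    return check_workload_identity(PROJECT, NAMESPACE, SAMPLE_KSA, BROKEN_GSA_POLICY, BROKEN_PROJECT_POLICY)


def check_fixed():
    return check_workload_identity(PROJECT, NAMESPACE, SAMPLE_KSA, FIXED_GSA_POLICY, FIXED_PROJECT_POLICY)


if __name__ == "__main__":
    for label, fn in (("broken", check_broken), ("fixed", check_fixed)):
        print(f"{label}: {fn() or 'OK'}")
```

Run against real output, the three JSON documents come from the kubectl and gcloud commands named in the docstring; the checker reports exactly which link in the chain is missing, which is the distinction the bare PERMISSION_DENIED in the question does not give you. It does not replace an end-to-end test (a pod in the namespace calling the metadata server still confirms the token it actually receives), but it separates "the roles were never granted" from "the pod is not using the GSA at all".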