是否需要重新创建Google容器引擎群集才能修改API权限？ [英] Is it necessary to recreate a Google Container Engine cluster to modify API permissions?

问题描述

在阅读此早期问题后，我有一些关注问题。我有一个Google Container Engine集群，它缺少Cloud Monitoring API访问权限。根据这篇文章，我不能启用它。

After reading this earlier question, I have some follow-up questions. I have a Google Container Engine cluster which lacks the Cloud Monitoring API Access permission. According to this post I cannot enable it.

引用的帖子是一年前的。可以肯定的是：它仍然是正确的吗？要为我的GKE群集启用（例如）Cloud Monitoring API，我们将不得不重新创建整个群集，因为群集创建后无法更改这些权限？

The referenced post is one year old. Just to be sure: Is it still correct? To enable (for example) the Cloud Monitoring API for my GKE cluster, we would have to recreate the entire cluster because there is no way to change these permissions after cluster creation?

另外，如果我必须这样做，在我看来最好是以尽可能最广泛的权限启用所有API，以防万一我希望将来在我的生产群集中使用其中一个时，它可能处于使用，我不能很好地把整个东西都拿下来然后重新创建它。这种方法有什么缺点吗？

Also, if I have to do this it seems to me that it would be best to enable all API's with the broadest possible permissions, just in case that I want to start using one of them in the future on my production cluster when it's in use and I can't very well take the entire thing down and recreate it then. Are there any drawbacks to this approach?

推荐答案

您可以保留相同的群集，但创建一个新的 Node Pool ，然后删除旧的默认节点池：

You can keep the same cluster, but create a new Node Pool with the new scopes you need (and then delete your old "default" Node Pool):

gcloud container node-pools create new-np --cluster $CLUSTER --scopes monitoring

启用所有权限的缺点在于您在许多不同的地方使用相同的服务帐户。例如，如果我的 service-account-1 需要从此GKE集群访问云监控，但它也在不相关的GCE VM上使用，我可能不希望GCE VM可以访问我的云监控数据。

The drawback to enabling all permissions is if you use the same service account in many different places. For example, if my service-account-1 needs to access Cloud Monitoring from this GKE cluster, but it is also being used on an unrelated GCE VM, I might not want that GCE VM to have access to my Cloud Monitoring data.

这篇关于是否需要重新创建Google容器引擎群集才能修改API权限？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！