更改Google容器引擎群集的权限

本文介绍了更改Google容器引擎群集的权限的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我已经能够在开发人员控制台中成功创建Google Container Cluster，并已将其部署到我的应用程序中。这一切都开始很好，但是我发现我无法连接到云端SQL，我得到了;

错误：握手闲置超时

经过一番挖掘，我没有遇到任何连接数据库的麻烦App Engine或我的本地机器，所以我觉得这有点奇怪。然后我注意到集群许可...

当我选择我的集群时，我看到以下内容;

<$ 用户信息已禁用计算读取写入存储只读任务队列已禁用 BigQuery已禁用 Cloud SQL已禁用云端数据存储区已禁用云端日志记录只写禁用云端平台

我真的希望在我的容器引擎节点中使用云存储和云SQL。我允许在我的项目设置中访问这些API中的每一个，并且我的Cloud SQL实例正在接受来自任何IP的连接（我之前一直在App Engine上的Managed VM中运行Node），所以我的想法是Google明确禁用这些API。

所以我的两部分问题是;

• 有没有我可以修改这些权限的方式吗？
• 这些API的禁用有充分的理由吗？ （我假设必须有）

非常感谢任何帮助！

解决方案

权限是在创建群集时由连接到您的节点VM的服务帐户定义的（在实例化VM后无法更改服务帐户，所以这是唯一一次可以选择权限）。

如果您使用云端控制台，请单击创建群集页面上的更多链接，您将看到可添加到您节点中的权限列表集群（全部默认关闭）。根据需要切换任何内容，并在创建群集后看到适当的权限。

如果您使用命令行创建群集，请将 - 范围命令传递给 gcloud容器集群创建以在您的节点VM上设置适当的服务帐户作用域。

I have been able to successfully create a Google Container Cluster in the developers console and have deployed my app to it. This all starts up fine, however I find that I can't connect to Cloud SQL, I get;

"Error: Handshake inactivity timeout"

After a bit of digging, I hadn't had any trouble connecting to the Database from App Engine or my local machine so I thought this was a little strange. It was then I noticed the cluster permissions...

When I select my cluster I see the following;

Permissions User info Disabled Compute Read Write Storage Read Only Task queue Disabled BigQuery Disabled Cloud SQL Disabled Cloud Datastore Disabled Cloud Logging Write Only Cloud Platform Disabled

I was really hoping to use both Cloud Storage and Cloud SQL in my Container Engine Nodes. I have allowed access to each of these API's in my project settings and my Cloud SQL instance is accepting connections from any IP (I've been running Node in a Managed VM on App Engine previously), so my thinking is that Google is Explicitly disabling these API's.

So my two part question is;

• Is there any way that I can modify these permissions?
• Is there any good reason why these API's are disabled? (I assume there must be)

Any help much appreciated!

解决方案

The permissions are defined by the service accounts attached to your node VMs during cluster creation (service accounts can't be changed after a VM is instantiated, so this the only time you can pick the permissions).

If you use the cloud console, click the "More" link on the create cluster page and you will see a list of permissions that you can add to the nodes in your cluster (all defaulting to off). Toggle any on that you'd like and you should see the appropriate permissions after your cluster is created.

If you use the command line to create your cluster, pass the --scopes command to gcloud container clusters create to set the appropriate service account scopes on your node VMs.