After reading this earlier question, I have some follow-up questions. I have a Google Container Engine cluster which lacks the Cloud Monitoring API Access permission. According to this post I cannot enable it.
The referenced post is one year old. Just to be sure: Is it still correct? To enable (for example) the Cloud Monitoring API for my GKE cluster, we would have to recreate the entire cluster because there is no way to change these permissions after cluster creation?
Also, if I have to do this, it seems to me that it would be best to enable all APIs with the broadest possible permissions, just in case I want to start using one of them in the future on my production cluster when it's in use and I can't very well take the entire thing down and recreate it then. Are there any drawbacks to this approach?
GKE works with containerized applications. These are applications packaged into platform independent, isolated user-space instances, for example by using Docker. In GKE and Kubernetes, these containers, whether for applications or batch jobs, are collectively called workloads.
Node auto-repair helps keep the nodes in your GKE cluster in a healthy, running state. When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node.
To deploy and manage applications on a GKE cluster, you must communicate with the Kubernetes cluster management system. You typically do this by using the kubectl command-line tool.
Google Kubernetes Engine consists of a group of Google Compute Engine instances, which run Kubernetes. A master node manages a cluster of Docker containers. It also runs a Kubernetes API server to interact with the cluster and perform tasks, such as servicing API requests and scheduling containers.
You can keep the same cluster, but create a new Node Pool with the new scopes you need (and then delete your old "default" Node Pool):
gcloud container node-pools create new-np --cluster $CLUSTER --scopes monitoring
The drawback to enabling all permissions is if you use the same service account in many different places. For example, if my service-account-1 needs to access Cloud Monitoring from this GKE cluster, but it is also being used on an unrelated GCE VM, I might not want that GCE VM to have access to my Cloud Monitoring data.
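The node-pool swap described in the answer above, written out as a script with a check that the new pool actually carries the scope before the old pool is drained. This is an added example, not code from the answer or from Google; the cluster, zone and pool names are assumed placeholders, and the `has_scope` helper parses gcloud's `value(config.oauthScopes)` output, which lists scope URLs separated by semicolons.

```bash
#!/usr/bin/env bash
# Added example: replace a GKE node pool with one that carries an extra OAuth scope,
# so the cluster itself does not have to be recreated. Names below are assumed.
# Needs gcloud and kubectl for a real run; DRY_RUN=1 (the default) only prints
# the mutating commands (listing nodes still calls kubectl).
set -eo pipefail

CLUSTER="${CLUSTER:-my-cluster}"         # assumed cluster name
ZONE="${ZONE:-us-central1-a}"            # assumed zone
OLD_POOL="${OLD_POOL:-default-pool}"     # GKE's default pool name
NEW_POOL="${NEW_POOL:-monitoring-np}"    # assumed name for the replacement pool
SCOPES="${SCOPES:-monitoring}"           # gcloud alias for .../auth/monitoring
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Command that creates the replacement pool with the requested scope(s).
create_pool_cmd() {
  printf 'gcloud container node-pools create %s --cluster %s --zone %s --scopes %s\n' \
    "$NEW_POOL" "$CLUSTER" "$ZONE" "$SCOPES"
}

# has_scope LIST NAME: LIST is the ';'-separated scope URL list gcloud prints for
# 'value(config.oauthScopes)'; NAME is a short alias such as "monitoring".
# Succeeds only when some URL ends in exactly "/auth/NAME" (so "monitoring.write"
# does not satisfy "monitoring").
has_scope() {
  local url
  for url in $(echo "$1" | tr ';,' '  '); do
    [ "${url##*/auth/}" = "$2" ] && return 0
  done
  return 1
}

# Refuse to drain the old pool unless the new pool really received the scope.
verify_new_pool() {
  local scopes
  scopes=$(gcloud container node-pools describe "$NEW_POOL" --cluster "$CLUSTER" \
           --zone "$ZONE" --format 'value(config.oauthScopes)')
  has_scope "$scopes" "${SCOPES%%,*}"
}

migrate() {
  run $(create_pool_cmd)
  [ "$DRY_RUN" = 1 ] || verify_new_pool
  # GKE labels each node with its pool; cordon and drain so pods move to the new pool.
  for node in $(kubectl get nodes -l "cloud.google.com/gke-nodepool=$OLD_POOL" -o name); do
    run kubectl cordon "$node"
    run kubectl drain "$node" --ignore-daemonsets
  done
  run gcloud container node-pools delete "$OLD_POOL" --cluster "$CLUSTER" --zone "$ZONE" --quiet
}

if [ "${1:-}" = "--migrate" ]; then migrate; fi
```

Run it as `DRY_RUN=0 ./migrate.sh --migrate` once the printed commands look right; the scope check follows the answer's point that only the nodes that need Cloud Monitoring access should get it.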