无法在堆栈驱动程序中获取Istio网关日志

Question

我已经在启用WLI的私有GKE上部署了Istio。Istio正在与Istioctl和istio-operator一起安装。我想知道我的出站请求是否卡在任何地方，而且我无法看到，因为我收到了以下错误：

CreateTimeSeries request failed (1 RPCs, 16 views, 20 timeseries): PERMISSION_DENIED: Permission monitoring.timeSeries.create denied (or the resource may not exist)。我可以看到附加到网关的服务帐户是istio-egressgateway-service-account，它不是由我显式创建的。我认为这是由ISTIO创建的。所以我想了解如何解决这个问题。我有点担心把这个服务帐户附加到GCP IAM服务帐户上，因为它是由Istio管理的，我不想打扰它。

是因为工作负载标识(WLI)还是其他原因？我怎样才能解决这个问题。任何想法和帮助都将不胜感激。GKE版本: 1.17.9-gke.1504 Istio版本1.7.x

Answer 1

对于正在搜索和查看此页面的任何人：

参考：工作负载标识

export GCP_PROJECT=my-project
export GCP_SA=gke-prometheus
export K8S_SA=prometheus
export K8S_NS=prometheus

gcloud iam service-accounts create ${GCP_SA} --display-name=${GCP_SA}

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT}.svc.id.goog[${K8S_NS}/${K8S_SA}]" \
  ${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/monitoring.metricWriter

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/monitoring.viewer


gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/logging.logWriter


gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/stackdriver.resourceMetadata.writer


kubectl annotate serviceaccount ${K8S_SA} \
  iam.gke.io/gcp-service-account="${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  -n ${K8S_NS}