Changing Permissions of Google Container Engine Cluster

4

11

I have been able to successfully create a Google Container Cluster in the developers console and have deployed my app to it. This all starts up fine, however I find that I can't connect to Cloud SQL. I get:

 "Error: Handshake inactivity timeout"

After a bit of digging, I hadn't had any trouble connecting to the Database from App Engine or my local machine so I thought this was a little strange. It was then I noticed the cluster permissions...

When I select my cluster I see the following:

  Permissions

User info           Disabled
Compute             Read Write
Storage             Read Only
Task queue          Disabled
BigQuery            Disabled
Cloud SQL           Disabled
Cloud Datastore     Disabled
Cloud Logging       Write Only
Cloud Platform      Disabled

I was really hoping to use both Cloud Storage and Cloud SQL in my Container Engine Nodes. I have allowed access to each of these APIs in my project settings and my Cloud SQL instance is accepting connections from any IP (I've been running Node in a Managed VM on App Engine previously), so my thinking is that Google is explicitly disabling these APIs.

So my two part question is:

  • Is there any way that I can modify these permissions?
  • Is there any good reason why these APIs are disabled? (I assume there must be)

Any help much appreciated!

Weddle answered 24/4, 2015 at 2:8 Comment(0)
16

The permissions are defined by the service accounts attached to your node VMs during cluster creation (service accounts can't be changed after a VM is instantiated, so this is the only time you can pick the permissions).

If you use the cloud console, click the "More" link on the create cluster page and you will see a list of permissions that you can add to the nodes in your cluster (all defaulting to off). Toggle any on that you'd like and you should see the appropriate permissions after your cluster is created.

If you use the command line to create your cluster, pass the --scopes command to gcloud container clusters create to set the appropriate service account scopes on your node VMs.

Ballot answered 24/4, 2015 at 3:56 Comment(4)
What are the options for adding a permission to an existing cluster? I need to enable Google Storage. Do I need to create a new permission and migrate the existing cluster? – Badillo
As CJ says below, you can add permissions to a new node pool. If you want to change permissions on every node in your cluster, create a new node pool, migrate your workloads, and then delete the original node pool. – Ballot
EDIT: as of August 2017 you can update service account scopes on running instances. See cloud.google.com/compute/docs/access/… – Swagger
@aus_lacy - Changing the service account requires stopping and restarting the VM. I am not sure whether that works for a VM that is part of a managed instance group. – Ballot
19

With Node Pools, you can sort of add scopes to a running cluster by creating a new node pool with the scopes you want (and then deleting the old one):

gcloud container node-pools create np1 --cluster $CLUSTER --scopes $SCOPES
gcloud container node-pools delete default-pool --cluster $CLUSTER

Tedi answered 19/10, 2016 at 15:55 Comment(0)
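Before rotating a node pool as the two answers above describe, it helps to check what scopes the pool actually carries and whether they are wider than needed. The following is an added example, not code from the original answers: it audits the `config.oauthScopes` list from the JSON that `gcloud container node-pools describe POOL --format=json` prints, reporting scopes that are missing for Cloud SQL and scopes that are broader than least privilege calls for. The `SAMPLE_POOL` document is constructed to mirror the permissions shown in the question.

```python
import json

# Scope URIs as they appear under config.oauthScopes, mapped to the wording
# of the console "Permissions" panel quoted in the question.
SCOPE_LABELS = {
    "https://www.googleapis.com/auth/devstorage.read_only": "Storage: Read Only",
    "https://www.googleapis.com/auth/devstorage.read_write": "Storage: Read Write",
    "https://www.googleapis.com/auth/sqlservice.admin": "Cloud SQL: Enabled",
    "https://www.googleapis.com/auth/logging.write": "Cloud Logging: Write Only",
    "https://www.googleapis.com/auth/compute": "Compute: Read Write",
    "https://www.googleapis.com/auth/cloud-platform": "Cloud Platform: Enabled (all APIs)",
}

# Scopes that grant far more than a typical workload needs; a node holding one
# of these lets any pod on it act on the whole project through the metadata
# server, so they are flagged for review.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/compute",
}


def audit_node_pool(describe_json, required):
    """Return (missing, over_broad): required scopes the pool lacks, and
    broad scopes it carries. Both lists are sorted scope URIs."""
    pool = json.loads(describe_json)
    scopes = set(pool.get("config", {}).get("oauthScopes", []))
    missing = sorted(s for s in required if s not in scopes)
    over_broad = sorted(scopes & BROAD_SCOPES)
    return missing, over_broad


def describe(scopes):
    """Translate scope URIs into the console's permission labels."""
    return [SCOPE_LABELS.get(s, s) for s in scopes]


# Constructed sample (assumption): a default pool with the question's scopes.
SAMPLE_POOL = json.dumps({
    "name": "default-pool",
    "config": {"oauthScopes": [
        "https://www.googleapis.com/auth/compute",
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
    ]},
})

if __name__ == "__main__":
    need = ["https://www.googleapis.com/auth/sqlservice.admin"]
    missing, broad = audit_node_pool(SAMPLE_POOL, need)
    print("missing for Cloud SQL:", describe(missing))
    print("broader than needed:", describe(broad))
```

Feed the real output of `gcloud container node-pools describe` to `audit_node_pool` to decide which scopes the replacement pool should get; prefer the narrowest scope (for example `sqlservice.admin`) over `cloud-platform`.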
1

Hmm, I've found a couple of things that may be of interest:

  1. Permissions belong to a service account (so-called Compute Engine default service account, looks like [email protected])

  2. Any VM by default works using this service account. And its permissions do not let us use Cloud SQL, buckets and so on. But...

  3. But you can change this behavior using another service account with the right perms. Just create it manually and set only needed perms. Switch it out using gcloud auth activate-service-account --key-file=/new-service-account-cred.json

  4. That's it.

Kannada answered 26/10, 2019 at 19:32 Comment(0)
0

For Cloud SQL there is the possibility to connect from containers by specifying a proxy, as explained here: https://cloud.google.com/sql/docs/postgres/connect-container-engine

Finally answered 19/5, 2017 at 13:0 Comment(0)
