问题
I'm testing permissions on GCP on new project, I've created a user and gave basic storage.objects.get and storage.objects.list permissions and all work, but when I moved to GKE it stopped no matter how many permissions (container.clusters.* or container.pods.* or the role Kubernetes Engine Cluster Viewer he can't view the resources with the error message
Can't access project settings for project <my_project> on service container.googleapis.com [view=CONSUMER_VIEW].
any thoughts what might be the issue ?
I also enabled the API services
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable serviceusage.googleapis.com
gcloud services enable container.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable sql-component.googleapis.com
anyone see anything basic I'm missing ?
回答1:
See the pre-defined GKE roles; while you might be lacking another role/permission (on the project itself, instead of GKE). It is impossible to tell without even knowing which command you've ran.
I'd suggest to enable troubleshooting:
gcloud services enable policytroubleshooter.googleapis.com --project=project-id
gcloud config set project project-id
gcloud policy-troubleshoot iam resource --principal-email=email --permission=permission
gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/my-project --permission=resourcemanager.projects.getIamPolicy --principal-email=foo@example.com
This should provide an accurate insight what is going wrong and why
(some of the dummy arguments obviously require substitution).
来源:https://stackoverflow.com/questions/62751262/gcloud-console-cant-view-gke-resources