
After reading this earlier question, I have some follow-up questions. I have a Google Container Engine cluster which lacks the Cloud Monitoring API Access permission. According to this post I cannot enable it.

The referenced post is one year old. Just to be sure: Is it still correct? To enable (for example) the Cloud Monitoring API for my GKE cluster, we would have to recreate the entire cluster because there is no way to change these permissions after cluster creation?

Also, if I have to do this, it seems to me that it would be best to enable all APIs with the broadest possible permissions, just in case I want to start using one of them in the future on my production cluster when it's in use and I can't very well take the entire thing down and recreate it then. Are there any drawbacks to this approach?

Juul

1 Answer


You can keep the same cluster, but create a new Node Pool with the new scopes you need (and then delete your old "default" Node Pool):

gcloud container node-pools create new-np --cluster $CLUSTER --scopes monitoring

The drawback to enabling all permissions is if you use the same service account in many different places. For example, if my service-account-1 needs to access Cloud Monitoring from this GKE cluster, but it is also being used on an unrelated GCE VM, I might not want that GCE VM to have access to my Cloud Monitoring data.

CJ Cullen
  • Thank you, that worked just fine and saved us a lot of reconfiguration! :) – Juul Oct 21 '16 at 10:33
  • 3
    Where do the cluster level permissions come into play if you can recreate the node pool with different permissions? – Leon Dec 02 '16 at 06:56
  • @Juul I do not see any options on the Google Cloud console to re-enable/disable an API when creating a new node pool on an existing cluster. Creating a new node pool does not give any options regarding changing the current status of an API in an existing cluster. As far as I know, it is not possible to re-enable/disable an API on an existing cluster; if it is possible, please correct me, and can you/anyone please let me know the exact steps for how the API was re-enabled on an existing cluster. Thank you so much – Suhas Chikkanna Nov 17 '17 at 17:47
  • @SuhasChikkanna I would love to help you with this issue, but since I opened this issue I moved to another company, so I don't have access to a GCP cluster anymore with which I can reproduce my steps. However, I do seem to recall that the option was indeed not present in the UI, but it DOES work if you use the command line interface as explained in CJ Cullen's answer. Perhaps you can try it this way? – Juul Nov 20 '17 at 11:57
  • @Juul Thank you so much for the reference. It should help me :) – Suhas Chikkanna Nov 20 '17 at 15:52
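The node-pool rotation from the accepted answer as a script, written as an added example (not CJ Cullen's code or anything from Google), with the drawback paragraph's point built in: the new pool gets a dedicated node service account and the scope list is checked so the catch-all cloud-platform scope is refused. It assumes gcloud and kubectl are installed and authenticated; the cluster, zone, pool and service-account names are placeholders, and the cordon/drain steps are added as the usual way to move workloads off the old pool before deleting it.

```shell
#!/usr/bin/env bash
# Rotate a GKE node pool onto narrower OAuth scopes without recreating the
# cluster: create the new pool, move workloads, delete the old pool.
# Added example; gcloud/kubectl assumed installed. All names below are placeholders.
set -euo pipefail

CLUSTER="${CLUSTER:-my-cluster}"          # placeholder
ZONE="${ZONE:-us-central1-a}"             # placeholder
OLD_POOL="${OLD_POOL:-default-pool}"
NEW_POOL="${NEW_POOL:-monitoring-pool}"
# Dedicated node service account: widening scopes here then does not widen
# them for an unrelated VM that shares the project's default compute account.
NODE_SA="${NODE_SA:-gke-nodes@PROJECT_ID.iam.gserviceaccount.com}"  # placeholder
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Refuse the catch-all scope: it lets the node account call every Google API
# its IAM roles allow. Returns 0 for an acceptable comma-separated list, 1 otherwise.
validate_scopes() {
  case ",$1," in
    *",cloud-platform,"*|*",https://www.googleapis.com/auth/cloud-platform,"*) return 1 ;;
  esac
  [ -n "$1" ]
}

rotate_pool() {
  local scopes="$1"
  validate_scopes "$scopes" || { echo "refusing broad scope list: $scopes" >&2; return 1; }
  run gcloud container node-pools create "$NEW_POOL" --cluster="$CLUSTER" \
      --zone="$ZONE" --service-account="$NODE_SA" --scopes="$scopes"
  # Cordon and drain the old nodes so pods reschedule onto the new pool first.
  local selector="cloud.google.com/gke-nodepool=$OLD_POOL"
  run kubectl cordon -l "$selector"
  run kubectl drain -l "$selector" --ignore-daemonsets --delete-emptydir-data
  run gcloud container node-pools delete "$OLD_POOL" --cluster="$CLUSTER" --zone="$ZONE" --quiet
}

# Nodes need monitoring write access plus read-only storage to pull images.
rotate_pool "monitoring,storage-ro"
```

Run with DRY_RUN=0 once the printed commands look right; with the default DRY_RUN=1 nothing touches the cluster.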