I created a deployment that is meant to insert messages from Pub/Sub into BigQuery with Workload Identity enabled, and Cloud Logging keeps sending me this kind of log:
{
"insertId": "test",
"jsonPayload": {
"message": "[rpc-id:test] "/computeMetadata/v1/instance/service-accounts/test@test.iam.gserviceaccount.com/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbigquery%2Chttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform" HTTP/200, started at 2022-06-24 13:40:43.261475517 +0000 UTC m=+39273.838829908",
"pid": "1"
},
"resource": {
"type": "k8s_container",
"labels": {
"container_name": "gke-metadata-server",
"pod_name": "gke-metadata-server-45thg",
"project_id": "test",
"location": "us-west2-a",
"cluster_name": "test",
"namespace_name": "kube-system"
}
},
"timestamp": "2022-06-24T13:40:43.261643773Z",
"severity": "INFO",
"labels": {
"k8s-pod/pod-template-generation": "1",
"k8s-pod/k8s-app": "gke-metadata-server",
"k8s-pod/addonmanager_kubernetes_io/mode": "Reconcile",
"compute.googleapis.com/resource_name": "gke-test-pool-1-77a7892c-l5kl",
"k8s-pod/controller-revision-hash": "test"
},
"logName": "projects/test/logs/stderr",
"sourceLocation": {
"file": "metadata.go",
"line": "142"
},
"receiveTimestamp": "2022-06-24T13:40:46.939645996Z"
}
It looks like every time I receive a message from Pub/Sub, or every time I write to BigQuery, gke-metadata-server sends a request to verify the scopes.
How can I stop the server from continuing to authenticate, or from continuing to generate these logs?
I think modifying the metadata server pod is not possible, because it would be reconciled. Alternatively, you can tell Cloud Logging not to record these by setting an exclusion filter on the _Default log sink with the following query:
resource.type = ("k8s_container")
resource.labels.container_name = ("gke-metadata-server")
You can configure the exclusion filter in Cloud Logging with gcloud like this:
gcloud logging sinks update "_Default" \
--add-exclusion=name="ignore-gke-metadata-server",filter="resource.type = ("k8s_container")
resource.labels.container_name = ("gke-metadata-server")"
Note: ("k8s_container") is followed by a newline.
I noticed that, for some reason, by default and without setting an exclusion filter, the gke-metadata-server logs in my environment are not sent to Cloud Logging. Not sure why.
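As an added example (not code from the question or the answer), here is a small Python matcher that implements only the `field = ("value")` subset of the Logging query language used above and applies the exclusion filter to a trimmed, constructed copy of the log entry. It lets you check that the filter drops the gke-metadata-server lines and nothing else (for example other kube-system containers) before you change the _Default sink:

```python
import json
import re

# Constructed sample: a trimmed copy of the gke-metadata-server entry from the question.
SAMPLE_ENTRY = json.loads("""
{
  "jsonPayload": {"message": "[rpc-id:test] /computeMetadata/v1/instance/service-accounts/test@test.iam.gserviceaccount.com/token HTTP/200",
                  "pid": "1"},
  "resource": {"type": "k8s_container",
               "labels": {"container_name": "gke-metadata-server", "namespace_name": "kube-system"}},
  "severity": "INFO"
}
""")

# Constructed control entry: a different kube-system container that the filter must keep.
OTHER_ENTRY = {"resource": {"type": "k8s_container",
                            "labels": {"container_name": "kube-dns", "namespace_name": "kube-system"}}}

# Exclusion filter exactly as given in the answer: one comparison per line, lines ANDed together.
EXCLUSION_FILTER = '''resource.type = ("k8s_container")
resource.labels.container_name = ("gke-metadata-server")'''

# Matches 'dotted.field = ("value")'; the parentheses are optional, as in the Logging query language.
_COMPARISON = re.compile(r'^\s*([\w.]+)\s*=\s*\(?\s*"([^"]*)"\s*\)?\s*$')


def parse_filter(text):
    """Parse the equality-only subset of the Logging query language.
    Blank lines are ignored; every remaining line must be one comparison."""
    clauses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _COMPARISON.match(line)
        if not m:
            raise ValueError(f"unsupported filter line: {line!r}")
        clauses.append((m.group(1).split("."), m.group(2)))
    return clauses


def _lookup(entry, path):
    """Walk a dotted field path into the log entry; a missing field yields None."""
    node = entry
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_excluded(entry, filter_text=EXCLUSION_FILTER):
    """True if every clause matches, i.e. the sink exclusion would drop this entry."""
    return all(_lookup(entry, path) == value for path, value in parse_filter(filter_text))
```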