After reading this earlier question, I have some follow-up questions. I have a Google Container Engine cluster which lacks the Cloud Monitoring API Access permission. Accord
You can keep the same cluster, but create a new Node Pool with the new scopes you need (and then delete your old "default" Node Pool):
gcloud container node-pools create new-np --cluster $CLUSTER --scopes monitoring
The drawback to enabling all permissions is if you use the same service account in many different places. For example, if my service-account-1 needs to access Cloud Monitoring from this GKE cluster, but it is also being used on an unrelated GCE VM, I might not want that GCE VM to have access to my Cloud Monitoring data.
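The node-pool swap described above, written out as a script with a scope check before the old pool is removed. This is an added example, not part of the original answers; the `migrate_node_pool` and `run` helpers, the `DRY_RUN` switch, the cordon/drain steps and the pool names passed in are assumptions, as is a gcloud default zone or region and a kubectl context pointing at the cluster.

```shell
#!/usr/bin/env bash
# Added example: replace a GKE node pool with one created with the scopes you need.
# DRY_RUN=1 (the default) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# migrate_node_pool CLUSTER OLD_POOL NEW_POOL SCOPES   (hypothetical helper)
migrate_node_pool() {
  cluster="$1"; old_pool="$2"; new_pool="$3"; scopes="$4"
  if [ -z "$cluster" ] || [ -z "$old_pool" ] || [ -z "$new_pool" ] || [ -z "$scopes" ]; then
    echo "usage: migrate_node_pool CLUSTER OLD_POOL NEW_POOL SCOPES" >&2
    return 2
  fi
  if [ "$old_pool" = "$new_pool" ]; then
    echo "the new pool needs a different name from the old one" >&2
    return 2
  fi
  # GKE labels every node with the name of the pool it belongs to.
  selector="cloud.google.com/gke-nodepool=$old_pool"

  # 1. Create the new pool with only the scopes asked for.
  run gcloud container node-pools create "$new_pool" \
    --cluster "$cluster" --scopes "$scopes" || return 1
  # 2. Print the scopes the pool actually received, to review before moving workloads.
  run gcloud container node-pools describe "$new_pool" \
    --cluster "$cluster" --format 'value(config.oauthScopes)' || return 1
  # 3. Stop scheduling onto the old nodes, then evict their pods.
  run kubectl cordon -l "$selector" || return 1
  run kubectl drain -l "$selector" --ignore-daemonsets --delete-emptydir-data || return 1
  # 4. Remove the old pool (gcloud asks for confirmation).
  run gcloud container node-pools delete "$old_pool" --cluster "$cluster"
}

# Run directly as: DRY_RUN=0 ./migrate.sh CLUSTER OLD_POOL NEW_POOL SCOPES
if [ "$#" -ge 4 ]; then
  migrate_node_pool "$@"
fi
```

Run it once with the default `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` to apply them.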