Assigned
Status Update
Comments
ch...@doit.com <ch...@doit.com> #2
Information redacted by Android Beta Feedback.
ka...@google.com <ka...@google.com>
ch...@doit.com <ch...@doit.com> #4
Please provide the requested information to proceed further. Unfortunately the issue will be closed within 7 days if there is no further update.
ch...@doit.com <ch...@doit.com> #5
(Between the 24-hour wait and misreading a section of the docs on this page
Correction/Clarification of bug:
- Create a service account with roles/container.defaultNodeServiceAccount
- Find the service account's uniqueId by running something like this:
  gcloud iam service-accounts describe gmp-test-sa@chrism-playground-369416.iam.gserviceaccount.com | grep uniqueId
- Create a GKE nodepool with the nodepool's GCP service account set to the uniqueId of the service account.
  (The node's IAM rights will function correctly, but the warning in the title will come up as a false positive.)
- The bug is that the check is too basic:
  - It fails when your GKE nodepool's GCP service account is set to the email of the service account + roles/container.defaultNodeServiceAgent.
    (This is technically an incorrect failure, because roles/container.defaultNodeServiceAgent is equal to roles/container.defaultNodeServiceAccount just with 1 extra permission, so there are no permissions missing.)
    (That said, the false positive error message is fine in this scenario, given roles/container.defaultNodeServiceAgent is a legacy role intended to be replaced by roles/container.defaultNodeServiceAccount. Plus, following the documented instructions fixes the issue.)
  - The second failure is more problematic. If you have a GCP SA with roles/container.defaultNodeServiceAccount (which is correct) and attach it to a nodepool using its uniqueId, the check logic will fail and say you don't have roles/container.defaultNodeServiceAccount attached when it is, and then the docs aren't helpful, hence my describing it as problematic.
    (The fix would be to either update the check logic to cover the scenario of attaching a service account with the correct IAM role by uniqueId, or update the docs to say: if you see this error when you have the correct role attached to the service account, check whether you've attached the service account to your nodepool using its uniqueId; if so, replace it with the email reference of the service account.)
- I was able to get the error to go away when I recreated the nodepool to use the email reference of the service account instead of the uniqueId.
Also feature request:
- Can a method to manually trigger the GKE Notification to update be implemented?
(Otherwise whenever one needs to debug it they need to wait 24 hours between iterations.)
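A small audit helper, added here as an example and not part of the original report or of any Google tooling: it classifies how each node pool references its node service account (email, numeric uniqueId, or the literal default for the Compute Engine default account), which is exactly the distinction the reporter found the permissions check tripping over, and it flags the pools that would need to be recreated with the email form. The pool names, project and uniqueId values are constructed sample data; the gcloud commands shown in comments and output (the config.serviceAccount field, and describing a service account by its uniqueId) are assumed to behave as documented and are not executed by the script.

```shell
#!/bin/sh
# Added example: classify how GKE node pools reference their node service account.
# The "Grant critical permissions" insight discussed above was a false positive when
# the pool referenced the SA by uniqueId instead of by email, so auditing the
# reference form of every pool tells you which pools to recreate.
#
# Real values would come from an invocation like (assumed, not run here):
#   gcloud container node-pools list --cluster "$CLUSTER" --location "$LOCATION" \
#       --format='value(name,config.serviceAccount)'

# Print one of: email | uniqueId | default | unknown for a config.serviceAccount value.
sa_ref_kind() {
  case "$1" in
    default) echo default ;;  # Compute Engine default SA, no explicit reference
    *@*.iam.gserviceaccount.com) echo email ;;
    *@developer.gserviceaccount.com) echo email ;;
    *)
      # uniqueId is an all-digit identifier; anything else is not a form we recognise.
      if printf '%s' "$1" | grep -Eq '^[0-9]+$'; then echo uniqueId; else echo unknown; fi
      ;;
  esac
}

# True (exit 0) when the pool references its SA by uniqueId and should be recreated
# with the email reference, per the workaround described in the report.
needs_email_fix() {
  [ "$(sa_ref_kind "$1")" = uniqueId ]
}

# Constructed sample input: "<pool-name> <config.serviceAccount>" per line.
SAMPLE_POOLS='default-pool default
gmp-pool 123456789012345678901
workload-pool gmp-test-sa@example-project.iam.gserviceaccount.com'

# Walk the pool list and print a verdict plus the follow-up command for affected pools.
audit_pools() {
  printf '%s\n' "$1" | while read -r pool sa; do
    [ -n "$pool" ] || continue
    kind=$(sa_ref_kind "$sa")
    if needs_email_fix "$sa"; then
      echo "$pool: references its SA by uniqueId ($sa); resolve with:"
      echo "    gcloud iam service-accounts describe $sa --format='value(email)'"
      echo "    then recreate the pool with --service-account=<that email>"
    else
      echo "$pool: $kind reference ($sa), no change needed for this false positive"
    fi
  done
}

audit_pools "$SAMPLE_POOLS"
```

Only the pool referenced by uniqueId gets a follow-up; pools using the email form or the default account are reported as unaffected by this particular false positive, which says nothing about whether their account actually holds the role.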
Description
Problem you have encountered:
GKE Notification to "Grant critical permissions" links to a webpage that's incorrect.
Steps to reproduce:
What you expected to happen & What's wrong:
Insight:
Node service account in cluster is missing critical permissions, which results in degraded operations. Grant critical permissions to Node service account to allow for non-degraded operations. Learn more.
roles/container.default into the box to search roles. That page informed me that a new role roles/container.defaultNodeServiceAgent exists and is meant to replace the old role roles/container.defaultNodeServiceAccount.
Other information (workarounds you have tried, documentation consulted, etc):
https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts#default-gke-service-agent
These 2 documentation pages are out of date: