GCP Terraform K8s issue : Required 'compute.instances.create' permission for 'projects/*/gke-prod-app-cluster-default-pool*


I have a problem when I try to create a cluster on GCP through Terraform. It is a permission error on the default node.

So I have my project, and I use a host service account with owner rights.

I have my code that creates the cluster, a node pool, and another service account "k8s_service_account" to give it to the node pool.

### CLUSTER  ###

# Cluster creation
resource "google_container_cluster" "prod_app_cluster" {
  name                     = "prod-app-cluster"
  project                  = var.project_id
  location                 = var.zone
  networking_mode          = "VPC_NATIVE"
  network                  = var.network_id_prod
  subnetwork               = var.subnetwork_id_prod
  initial_node_count       = 1
  remove_default_node_pool = true
  deletion_protection      = false
  logging_service          = "logging.googleapis.com/kubernetes"
  monitoring_service       = "monitoring.googleapis.com/kubernetes"
  # node_locations         = [var.second_zone]

  release_channel {
    channel = "REGULAR"
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "k8s-pod-range"
    services_secondary_range_name = "k8s-service-range"
  }

  network_policy {
    provider = "PROVIDER_UNSPECIFIED"
    enabled  = true
  }
}

### NODE POOL ###

# Node pool general
resource "google_container_node_pool" "general" {
  name       = "general"
  location   = var.region
  cluster    = var.prod_app_cluster_id
  node_count = 1

  management {
    auto_repair  = true
    auto_upgrade = true
  }

  node_config {
    preemptible  = false
    machine_type = var.machine_type

    labels = {
      role = "general"
    }

    service_account = var.k8s_service_account_email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
  }
}

### SERVICE ACCOUNT ###

# Service account creation for Kubernetes
resource "google_service_account" "k8s_service_account" {
  account_id   = "k8s-iam"
  display_name = "k8s-service-account"
  description  = "K8s Service Account"
  project      = var.project_id
}

# Role assignment
resource "google_project_iam_binding" "kubernetes_service_account_roles" {
  project = var.project_id
  role    = "roles/editor"

  members = [
    "serviceAccount:${google_service_account.k8s_service_account.email}"
  ]
}

The default node pool will be deleted because I indicated it in the creation of the cluster, but before it is deleted it is trying to be created. So after 7 minutes of the cluster being created I have these errors:

Error: Error waiting for creating GKE cluster: Google Compute Engine: Not all instances running in IGM after 13.089515691s. Expected 1, running 0, transitioning 1. Current errors:

[PERMISSIONS_ERROR]: Instance 'gke-prod-app-cluster-default-pool*' creation failed: Required 'compute.instances.create' permission for '*gke-prod-app-cluster-default-pool-5ae5b52e-zhnf' (when acting as '[email protected]');

Required 'compute.disks.create'

Required 'compute.disks.setLabels'

Required 'compute.subnetworks.use'

Required 'compute.subnetworks.useExternalIp'

What is '[email protected]'? I don't have that kind of service account, and I looked to see if I may have deleted it by mistake, but no, there is no service account by that name. Edit: after a few searches I saw that it is a service account created by Google: https://cloud.google.com/compute/docs/access/service-accounts?hl=fr

I tried to:

  • find the problem on the internet, but did not find anything relevant
  • give all permissions to the service account [email protected]
  • find a service account named '[email protected]', but there is none
  • give other service accounts with owner permissions to the node pool that I create, but that is another thing

Edit: I also tried to do that, but we can see in the screen capture that it is being deleted when I do terraform apply:

    gcloud projects add-iam-policy-binding <project_id> \
    --member serviceAccount:<project-number>@cloudservices.gserviceaccount.com \
    --role roles/editor

Image of @cloudservices.gserviceaccount.com being deleted

I am a bit lost, any ideas?

1 answer

Nani

I'll start with the service account perspective, i.e. [email protected]. As per this, this service account is designed specifically to run internal Google processes on your behalf. The account is owned by Google and is not listed in the Service Accounts section of Google Cloud console. By default, the account is automatically granted the project editor role on the project and is listed in the IAM section of Google Cloud console.

Please note that this service account is only deleted when the project is deleted.

Additionally, certain resources rely on this service account and the default editor permissions granted to the service account. For example, managed instance groups and autoscaling use the credentials of this account to create, delete, and manage instances. Hence, this explains why you are running into the issue.

You may use the below command to resolve this issue.

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member=serviceAccount:[email protected] --role=roles/editor

I hope this was helpful.
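A Terraform-side note, added here and not part of the question or the answer above: `google_project_iam_binding` is authoritative for the role it manages, so the `roles/editor` binding in the question sets that role's member list to exactly the k8s service account and removes the Google APIs service agent's default editor grant on every apply, which is what the screen capture shows. The non-authoritative `google_project_iam_member` adds one (role, member) pair and leaves the other members of the role untouched. `var.project_id` and `google_service_account.k8s_service_account` are the question's own names; the `data "google_project"` lookup is an assumption added for the project number.

```terraform
# Added example (not the question's or answer's code): replace the
# authoritative google_project_iam_binding with non-authoritative members.
#
# google_project_iam_binding owns the entire member list of roles/editor,
# so Terraform deletes <project-number>@cloudservices.gserviceaccount.com
# (the Google-owned agent that GKE's managed instance groups act as) from
# the role, which is what triggers the compute.instances.create error.

# Assumed lookup, used only to build the service agent's email address.
data "google_project" "current" {
  project_id = var.project_id
}

# Same role the question grants, but this resource does not claim
# ownership of the role's member list, so existing grants stay intact.
resource "google_project_iam_member" "k8s_service_account_editor" {
  project = var.project_id
  role    = "roles/editor"
  member  = "serviceAccount:${google_service_account.k8s_service_account.email}"
}

# Optional: manage the Google APIs service agent's default grant explicitly,
# so a future authoritative resource cannot silently remove it again.
resource "google_project_iam_member" "cloudservices_agent_editor" {
  project = var.project_id
  role    = "roles/editor"
  member  = "serviceAccount:${data.google_project.current.number}@cloudservices.gserviceaccount.com"
}
```

After `terraform apply`, `gcloud projects get-iam-policy <project_id> --flatten="bindings[].members" --filter="bindings.role:roles/editor" --format="value(bindings.members)"` should list both the k8s service account and the cloudservices service agent.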