Google Cloud Kubernetes cluster can not connect to nodes or delete?

5/14/2018

I am using the Google Cloud Kubernetes service. It was working until I accidentally deleted the Kubernetes service account. I have created the Kubernetes service account. I cannot connect to nodes or delete my cluster. It seems to be a permission issue. I also cannot delete the Compute Engine instances. When I delete the Kubernetes cluster I get the following error:

(1) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/projectid/global/firewalls/gke-kubeworld-383ec9cd-vms'

(2) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/projectid/global/firewalls/gke-kubeworld-383ec9cd-ssh'

(3) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/projectid/global/firewalls/gke-kubeworld-383ec9cd-all'

(4) Google Compute Engine: Required 'compute.instanceGroupManagers.delete' permission for 'projects/projectid/zones/us-central1-a/instanceGroupManagers/gke-kubeworld-default-pool-90dd280e-grp'

(5.1) Google Compute Engine: Required 'compute.routes.list' permission for 'projects/projectid'

(5.2) Google Compute Engine: Required 'compute.projects.get' permission for 'projects/projectid'

How do I configure or grant access to allow these permissions?

-- Fahad Abid
google-cloud-iam
google-cloud-platform
google-kubernetes-engine
kubernetes

2 Answers

5/14/2018

These errors also depend on the overall situation of the project. The Compute Engine service account manages lots of services, so upon deleting it, the errors come in different flavours.

When I get my SA deleted, I always do the same thing as a first step. Instead of going ahead and creating the service account manually, I enable an API that needs the Compute Engine API, like the Dataproc API. This should re-create the Compute Engine service account, and in this case, as it is relevant, it also re-creates the Kubernetes Engine service account.

Once these accounts are re-created, you should get different errors, as now the SA is there, but probably the token/credentials the cluster expects are the old ones, while you are now passing a new token.

Can you confirm doing this you get the same errors or different? I'll edit the post once I get this info.

-- suren
Source: StackOverflow

5/14/2018

Your service account lost roles after you re-created it.

First, use gcloud auth login to log into your GCE account.

After the new service account is created, the role needs to be assigned to it.

In this case, the "roles/compute.admin" role is missing and needs to be reassigned. I assume that you know the name of the service account you created.

It may help:

# Replace project-id and service-account with your own project and service account name
gcloud projects add-iam-policy-binding project-id \
    --member serviceAccount:service-account@project-id.iam.gserviceaccount.com \
    --role roles/compute.admin

It is described in the IAM roles documentation.

EDITED: I found that there is another way to fix it:

gcloud service-management enable container.googleapis.com

-- d0bry
Source: StackOverflow
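As an added example (not code from either answer), the following Python parses the "Required '...' permission" errors quoted in the question and checks them against role definitions, so you can confirm which role binding actually covers the failing permissions before re-granting a broad role such as roles/compute.admin. The role permission lists here are constructed, abbreviated samples; in practice they come from the output of gcloud iam roles describe ROLE --format=json.

```python
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: a subset of the error lines from the question above.
SAMPLE_ERRORS = """\
(1) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/projectid/global/firewalls/gke-kubeworld-383ec9cd-vms'
(4) Google Compute Engine: Required 'compute.instanceGroupManagers.delete' permission for 'projects/projectid/zones/us-central1-a/instanceGroupManagers/gke-kubeworld-default-pool-90dd280e-grp'
(5.1) Google Compute Engine: Required 'compute.routes.list' permission for 'projects/projectid'
(5.2) Google Compute Engine: Required 'compute.projects.get' permission for 'projects/projectid'
"""

# Constructed, abbreviated stand-in for `gcloud iam roles describe ROLE --format=json`
# output (the real roles contain far more permissions than listed here).
SAMPLE_ROLES: Dict[str, dict] = {
    "roles/compute.viewer": {"includedPermissions": [
        "compute.routes.list", "compute.projects.get", "compute.firewalls.get"]},
    "roles/compute.admin": {"includedPermissions": [
        "compute.routes.list", "compute.projects.get",
        "compute.firewalls.delete", "compute.instanceGroupManagers.delete"]},
}

ERROR_RE = re.compile(r"Required '([\w.]+)' permission for '([^']+)'")


def parse_required_permissions(text: str) -> List[Tuple[str, str]]:
    """Extract (permission, resource) pairs from GCE/GKE permission-denied errors."""
    return ERROR_RE.findall(text)


def role_from_gcloud_json(name: str, json_text: str) -> Dict[str, dict]:
    """Wrap one `gcloud iam roles describe` JSON document in the role_defs shape."""
    return {name: json.loads(json_text)}


def missing_permissions(required: Iterable[str], role_defs: Dict[str, dict],
                        roles: Iterable[str]) -> Set[str]:
    """Return the required permissions that none of the given roles grants."""
    granted: Set[str] = set()
    for role in roles:
        granted.update(role_defs.get(role, {}).get("includedPermissions", []))
    return set(required) - granted


def smallest_sufficient_role(required: Iterable[str], role_defs: Dict[str, dict]):
    """Least-privilege pick: the role covering every required permission with the fewest total permissions."""
    required = set(required)
    ok = [r for r in role_defs if not missing_permissions(required, role_defs, [r])]
    return min(ok, key=lambda r: len(role_defs[r]["includedPermissions"]), default=None)
```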