Permissions for a pod on GKE to create disk on GCE

11/22/2019

I am spinning up a kubernetes job as a helm pre-install hook on GKE. The job uses google/cloud-sdk image and I want it to create a compute engine persistent disk.

Here is its spec:

    spec:
      restartPolicy: OnFailure
      containers:
      - name: create-db-hook-container
        image: google/cloud-sdk:latest
        command: ["gcloud"]
        args: ["compute", "disks", "create", "--size={{ .Values.volumeMounts.gceDiskSize  }}", "--zone={{ .Values.volumeMounts.gceDiskZone }}", "{{ .Values.volumeMounts.gceDiskName }}"]

However this fails with the following error:

    brazen-lobster-create-pd-hook-nc2v9 create-db-hook-container ERROR: 
    (gcloud.compute.disks.create) Could not fetch resource: brazen-lobster-create-pd-hook-nc2v9 
    create-db-hook-container  
    - Insufficient Permission: Request had insufficient authentication scopes. 
    brazen-lobster-create-pd-hook-nc2v9 create-db-hook-container

Apparently I have to grant the gcloud.compute.disks.create permission.

My question is: to whom do I have to grant this permission?

This is a GCP IAM permission, therefore I assume it cannot be granted specifically on a k8s resource (?), so it cannot be dealt with within the context of k8s RBAC, right?

edit: I have created a ComputeDiskCreate custom role, that encompasses two permissions:

  • gcloud.compute.disks.create
  • gcloud.compute.disks.list

I have attached it to the service account service-2340842080428@container-engine-robot.uam.gserviceaccount.com, to which my IAM Google Cloud console has given the name "Kubernetes Engine Service Agent", but the outcome is still the same.

-- pkaramol
google-cloud-platform
google-compute-engine
google-iam
google-kubernetes-engine
kubernetes

1 Answer

11/22/2019

In GKE, all nodes in a cluster are actually Compute Engine VM instances. They're assigned a service account at creation time to authenticate them to other services. You can check the service account assigned to nodes by checking the corresponding node pool.

By default, GKE nodes are assigned the Compute Engine default service account, which looks like PROJECT_NUMBER-compute@developer.gserviceaccount.com, unless you set a different one at cluster/node pool creation time.

Calls to other Google services (like the compute.disks.create endpoint in this case) will come from the node and be authenticated with the corresponding service account credentials.

You should therefore add the gcloud.compute.disks.create permission to your nodes' service account (likely PROJECT_NUMBER-compute@developer.gserviceaccount.com) in your Developer Console's IAM page.

EDIT: Prior to any authentication, the mere ability for a node to access a given Google service is defined by its access scope. This is defined at the node pool's creation time and can't be edited. You'll need to create a new node pool and ensure you grant it the https://www.googleapis.com/auth/compute access scope to Compute Engine methods. You can then instruct your particular pod to run on those specific nodes.

-- LundinCast
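The answer's point is that the hook's gcloud call is authenticated as the node's service account, and the node's access scopes are fixed when its pool is created. Rather than adding compute.disks.create to the default node SA (which every pod on every node would then inherit), the script below, an added example and not code from the question or the answer, creates a dedicated SA holding only the two disk permissions, a small tainted node pool that runs as that SA with the compute scope, and a hook Job pinned to that pool; the project, cluster, zone, pool, role and SA names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the question or answer: instead of widening the default
# node SA (shared by every pod on the cluster), give the hook Job its own node pool
# with a dedicated SA, the compute access scope and only the two disk permissions.
# Names are assumptions; DRY_RUN=1 (default) prints the commands instead of running them.
set -eu
PROJECT="${PROJECT:-my-project}"; CLUSTER="${CLUSTER:-my-cluster}"; ZONE="${ZONE:-europe-west1-b}"
POOL="disk-admin-pool"; SA_NAME="disk-creator"
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }   # dry-run guard
# Custom role with only what the hook needs (IAM permission names, not the gcloud.* names).
create_role() {
  run gcloud iam roles create diskCreator --project "$PROJECT" --title "Disk Creator" \
    --permissions compute.disks.create,compute.disks.list
}
# Dedicated SA bound to that role; the default Compute Engine SA is left untouched.
create_sa() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member "serviceAccount:${SA_EMAIL}" --role "projects/${PROJECT}/roles/diskCreator"
}
# Scopes are fixed at pool creation, so a new pool carries the compute scope; the label
# lets the Job select it and the taint keeps unrelated workloads off these nodes.
create_pool() {
  run gcloud container node-pools create "$POOL" --cluster "$CLUSTER" --zone "$ZONE" \
    --num-nodes 1 --service-account "$SA_EMAIL" \
    --scopes https://www.googleapis.com/auth/compute \
    --node-labels role=disk-admin --node-taints role=disk-admin:NoSchedule
}
# Hook Job pinned to that pool; $1 is the disk name, $2 the size (e.g. 10GB).
render_job() {
  cat <<EOF
apiVersion: batch/v1
kind: Job
metadata: {name: create-pd-hook, annotations: {"helm.sh/hook": pre-install}}
spec:
  template:
    spec:
      restartPolicy: OnFailure
      nodeSelector: {role: disk-admin}
      tolerations: [{key: role, value: disk-admin, effect: NoSchedule}]
      containers:
      - name: create-db-hook-container
        image: google/cloud-sdk:latest
        command: ["gcloud", "compute", "disks", "create", "$1", "--size=$2", "--zone=$ZONE"]
EOF
}
create_role; create_sa; create_pool; render_job "${DISK_NAME:-my-data-disk}" "${DISK_SIZE:-10GB}"
```

Nodes in this pool carry only the compute scope, so add the logging and monitoring scopes to --scopes if their agents should still report to Cloud Logging and Monitoring.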
Source: StackOverflow