
Add compute.backendServices.list to the list of permissions required for workload identity sa #138

Open
arya-harness opened this issue Oct 11, 2024 · 5 comments


@arya-harness

Hi Team

I am getting a

```
ERROR	Reconciler error	{"controller": "service", "controllerGroup": "", "controllerKind": "Service", "Service": {"name":"******","namespace":"*******"}, "namespace": "******", "name": "********r", "reconcileID": "cf4d3868-3fea-4e22-9c63-939feac01985", "error": "googleapi: Error 403: Required 'compute.backendServices.list' permission for 'projects/*********', forbidden"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:324
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:265
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:226
```

Seems to be benign here mostly but unsure if it is actually needed.
Version: v1.0.0

A suggestion from my end would be to update the script here if its needed.

Thanks
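The report above boils down to one question: which IAM permissions is the controller's workload identity service account actually missing? Rather than granting permissions one at a time as 403s appear, an operator can pull every `Required '<permission>' permission for '<resource>'` error out of the controller's logs and review the full set against the role the setup script grants. The following is an added example written for this thread, not code from the issue or from the Autoneg project; it parses controller-runtime's tab-separated `LEVEL<TAB>message<TAB>{json}` log format, and the sample lines and the `example-project` / `web-be` resource names are constructed placeholders modelled on the redacted error in the report.

```python
import json
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the reconciler error in the issue.
# Resource names are placeholders, not real project or backend service names.
SAMPLE_LOG = """\
ERROR\tReconciler error\t{"controller": "service", "controllerKind": "Service", "error": "googleapi: Error 403: Required 'compute.backendServices.list' permission for 'projects/example-project', forbidden"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
INFO\tReconciling service\t{"controller": "service", "name": "web"}
ERROR\tReconciler error\t{"controller": "service", "controllerKind": "Service", "error": "googleapi: Error 403: Required 'compute.backendServices.get' permission for 'projects/example-project/global/backendServices/web-be', forbidden"}
ERROR\tReconciler error\t{"controller": "service", "controllerKind": "Service", "error": "googleapi: Error 403: Required 'compute.backendServices.list' permission for 'projects/example-project', forbidden"}
"""

# Matches the permission and resource in a googleapi 403 "Required ... permission" message.
PERM_RE = re.compile(r"Required '([\w.]+)' permission for '([^']+)'")


def extract_json_payload(line):
    """Return the JSON payload of a controller-runtime log line, or None for
    stack-trace frames and other lines without the LEVEL\\tmsg\\t{json} shape."""
    parts = line.split("\t", 2)
    if len(parts) < 3:
        return None
    try:
        return json.loads(parts[2])
    except json.JSONDecodeError:
        return None


def missing_permissions(log_text):
    """Map (permission, resource) -> number of times that denial was logged."""
    found = defaultdict(int)
    for line in log_text.splitlines():
        payload = extract_json_payload(line)
        if not payload or "error" not in payload:
            continue
        match = PERM_RE.search(payload["error"])
        if match:
            found[(match.group(1), match.group(2))] += 1
    return dict(found)


def permissions_by_resource(log_text):
    """Group the denied permission names by the resource they were denied on,
    sorted so the result can be compared against a role definition."""
    grouped = defaultdict(set)
    for permission, resource in missing_permissions(log_text):
        grouped[resource].add(permission)
    return {resource: sorted(perms) for resource, perms in grouped.items()}


if __name__ == "__main__":
    for resource, perms in permissions_by_resource(SAMPLE_LOG).items():
        print(f"{resource}: {', '.join(perms)}")
```

Feed it the controller's log (for example the output of `kubectl logs` on the Autoneg deployment) in place of `SAMPLE_LOG`; the grouped output makes it obvious whether the denial is project-scoped, as in the `compute.backendServices.list` error above, or tied to one backend service, which also helps decide whether the denial comes from Autoneg or from another controller reconciling the same Service.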

@rosmo
Collaborator

rosmo commented Oct 12, 2024

You're right, that script is severely outdated - I need to update it, but I would strongly recommend using another installation method than manual (even a simple Terraform setup should be quicker than manual installation).

But I am not so sure this one is coming from Autoneg at all - it could be part of NEG reconciler from GKE.

@arya-harness
Author

Could be, haven't found the relevant change on the NEG side yet.
On a separate note, or slightly related: if we change the annotation of the service to a different NEG name, AutoNEG does create the new NEG, but it does not delete the older one.
It only does deletion when the service is deleted (probably due to the finalizer trigger).
I wonder if it is the intended behaviour or there is a lacking permission on the AutoNEG side to delete it on the fly?

@rosmo
Collaborator

rosmo commented Oct 28, 2024

Autoneg does not create or change NEGs, that's handled through the cloud.google.com/neg annotation and another controller. Autoneg just adds/updates/removes the created NEGs to/from backend services.

@arya-harness
Author

My apologies, I meant that flow itself. AutoNEG is not detaching the NEG from the GCP backend when the name of the NEG is changed.

@rosmo
Collaborator

rosmo commented Nov 14, 2024

Maybe you could outline the steps that have to happen for you to hit this bug?
