service role/resourceMetadata.writer missing #473

Closed
c4m4 opened this issue Apr 2, 2020 · 4 comments · Fixed by #485
c4m4 commented Apr 2, 2020

The pod agent stackdriver-metadata-agent-cluster-level in the kube-system namespace sometimes crashes because it doesn't have any permissions to write the metadata:

kubectl logs -n kube-system stackdriver-metadata-agent-cluster-level-f9544fdbd-cmxht -c metadata-agent

I0402 12:37:25.110888       1 binarylog.go:265] rpc: flushed binary log to ""
W0402 12:37:55.503160       1 kubernetes.go:118] Failed to publish resource metadata: rpc error: code = PermissionDenied desc = The caller does not have permission
I0402 12:38:24.316933       1 trace.go:898] Failed loading config; disabling tracing: open /export/hda3/trace_data/trace_config.proto: no such file or directory
I0402 12:38:25.111159       1 binarylog.go:265] rpc: flushed binary log to ""
W0402 12:38:55.902556       1 kubernetes.go:118] Failed to publish resource metadata: rpc error: code = PermissionDenied desc = The caller does not have permission
I0402 12:39:25.111479       1 binarylog.go:265] rpc: flushed binary log to ""
W0402 12:39:56.204656       1 kubernetes.go:118] Failed to publish resource metadata: rpc error: code = PermissionDenied desc = The caller does not have permission
I0402 12:40:25.113399       1 binarylog.go:265] rpc: flushed binary log to ""
W0402 12:40:56.501828       1 kubernetes.go:118] Failed to publish resource metadata: rpc error: code = PermissionDenied desc = The caller does not have permission
I0402 12:41:25.113751       1 binarylog.go:265] rpc: flushed binary log to ""

@bharathkkb
Member

I believe this might be an issue due to lack of these particular permissions:

  • logging.logEntries.create
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.create

I will try to recreate and possibly fix. Feel free to open a PR if you get around to it first.

bharathkkb self-assigned this Apr 10, 2020
Member

bharathkkb commented Apr 10, 2020

I was able to recreate this issue and the fix turned out to be just adding this role roles/stackdriver.resourceMetadata.writer as recommended at the bottom of this page. I will add this as part of the service account creation.

roles/stackdriver.resourceMetadata.writer: In the Google Cloud Console, this role is named Stackdriver Resource Metadata Writer. This role permits write-only access to resource metadata, and it provides exactly the permissions needed by agents to send metadata.

@sephethus

What account needs these permissions?

Author

c4m4 commented Jul 13, 2020

@sephethus ff17c5b
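An added example, not part of the thread or the project's code: a Python check that ties the agent's PermissionDenied warnings to the missing role binding, run against the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns. The service account name and sample policy are constructed; the role and the log lines come from the thread.

```python
import json
import re

# Role the thread identifies as the fix for the metadata agent.
REQUIRED_ROLE = "roles/stackdriver.resourceMetadata.writer"
# The warning the agent logs in the issue report.
DENIED = re.compile(r"Failed to publish resource metadata: .*code = PermissionDenied")

def count_denied(log_text):
    """Count metadata-publish attempts rejected with PermissionDenied."""
    return sum(1 for line in log_text.splitlines() if DENIED.search(line))

def roles_for(policy, member):
    """Roles bound to `member`; conditional bindings are returned separately."""
    direct, conditional = set(), set()
    for b in policy.get("bindings", []):
        if member in b.get("members", []):
            (conditional if "condition" in b else direct).add(b["role"])
    return direct, conditional

def audit(log_text, policy, member):
    """Exact role-name check; a broader role may grant the same permission."""
    direct, conditional = roles_for(policy, member)
    return {
        "denied_events": count_denied(log_text),
        "role_bound": REQUIRED_ROLE in direct,
        "role_conditional_only": REQUIRED_ROLE in conditional - direct,
    }

# Two log lines copied from the issue report.
SAMPLE_LOG = '''\
I0402 12:37:25.110888       1 binarylog.go:265] rpc: flushed binary log to ""
W0402 12:37:55.503160       1 kubernetes.go:118] Failed to publish resource metadata: rpc error: code = PermissionDenied desc = The caller does not have permission
'''
# Constructed service account and policy (hypothetical names).
NODE_SA = "serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads('''{"bindings": [
  {"role": "roles/logging.logWriter", "members": ["%s"]},
  {"role": "roles/monitoring.metricWriter", "members": ["%s"]}
]}''' % (NODE_SA, NODE_SA))

def with_fix(policy, member):
    """Copy of the policy with the required role bound to `member`."""
    fixed = json.loads(json.dumps(policy))
    fixed["bindings"].append({"role": REQUIRED_ROLE, "members": [member]})
    return fixed

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_POLICY, NODE_SA))
```

A result with `denied_events` above zero and `role_bound` false matches the state reported in this issue; `role_conditional_only` flags a binding that exists but applies only when its IAM condition holds.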
