[BUG]: sm: During kpt live apply - 4 CRDs are missing from the CC GKE cluster - NamingPolicy, DataLocation, LimitEgressTraffic, CloudMarketPlaceConfig #103

Closed
fmichaelobrien opened this issue Sep 9, 2022 · 8 comments
Labels
bug Something isn't working policy

Comments


fmichaelobrien commented Sep 9, 2022

  • Effort: sm
  • Priority: high
  • type BUG

Use case: LZ deploy section 5 - kpt
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone#usage

part of #33

see setters.yaml in #99

We need to run from the parent dir

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit/landing-zone (landing-zone-controller-1z583)$ cd ..
michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ kpt live init landing-zone --namespace config-control
initializing Kptfile inventory info (namespace: config-control)...success

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ kpt live apply landing-zone --reconcile-timeout=2m --output=table
Error: 4 resource types could not be found in the cluster or as CRDs among the applied resources.

Resource types:
constraints.gatekeeper.sh/v1beta1, Kind=NamingPolicy
constraints.gatekeeper.sh/v1beta1, Kind=DataLocation
constraints.gatekeeper.sh/v1beta1, Kind=LimitEgressTraffic
constraints.gatekeeper.sh/v1beta1, Kind=CloudMarketPlaceConfig

cartyc commented Sep 9, 2022

Easiest would be to add the policy directory to the .krmignore file. This happens as a result of the template CRDs not being installed in the Config Controller instance first. The issue goes away when using GitOps via git or OCI as both of those will continually retry until it's there. This is a limitation of some of the underlying packages used in kpt and kubectl. More details on the why here: kubernetes-sigs/cli-utils#444.
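A pre-flight check for the situation described in the comment above, as an added example that is not code from this issue or from the project: it lists the `constraints.gatekeeper.sh` kinds a kpt package would apply, reports the ones with no installed CRD, and shows which constraints a `.krmignore` hides from this `kpt live apply` run. The function names, the sample manifests and the installed-kinds file are assumptions made for the example; the kinds and `.krmignore` paths are the ones quoted in this thread, and only plain path prefixes in `.krmignore` are handled.

```shell
#!/usr/bin/env bash
# Added example (not project code): list the Gatekeeper constraint kinds in a
# kpt package, split by whether .krmignore hides them from `kpt live apply`.

# is_ignored PKG REL: succeed if REL is covered by a .krmignore entry.
# Simplification: plain path prefixes only (as in this issue), no globs or negation.
is_ignored() {
  local pkg="$1" rel="$2" pat
  [ -f "$pkg/.krmignore" ] || return 1
  while IFS= read -r pat || [ -n "$pat" ]; do
    pat="${pat%/}"                          # "cicd-examples/" -> "cicd-examples"
    case "$pat" in ''|'#'*) continue ;; esac
    case "$rel" in "$pat"|"$pat"/*) return 0 ;; esac
  done < "$pkg/.krmignore"
  return 1
}

# constraint_kinds PKG [applied|ignored]: unique kinds in the
# constraints.gatekeeper.sh API group found in YAML files of that state.
constraint_kinds() {
  local pkg="${1%/}" want="${2:-applied}" f rel state
  find "$pkg" -type f \( -name '*.yaml' -o -name '*.yml' \) |
  while IFS= read -r f; do
    rel="${f#"$pkg"/}"
    if is_ignored "$pkg" "$rel"; then state=ignored; else state=applied; fi
    [ "$state" = "$want" ] || continue
    # One kind per YAML document; apiVersion and kind may come in either order.
    awk '
      function emit() { if (api && kind != "") print kind; api = 0; kind = "" }
      /^---/ { emit(); next }
      /^apiVersion:[ \t]*constraints\.gatekeeper\.sh\// { api = 1 }
      /^kind:/ { kind = $2; gsub(/"/, "", kind) }
      END { emit() }
    ' "$f"
  done | sort -u
}

# missing_constraint_kinds PKG INSTALLED: applied kinds absent from INSTALLED,
# a file with one installed kind per line. Against a live cluster it could be built with
#   kubectl api-resources --api-group=constraints.gatekeeper.sh --no-headers | awk '{print $NF}'
missing_constraint_kinds() {
  local pkg="$1" installed="$2" kind
  constraint_kinds "$pkg" applied | while IFS= read -r kind; do
    grep -qxF -- "$kind" "$installed" || printf '%s\n' "$kind"
  done
}

# make_demo_pkg: constructed sample package; prints its path.
make_demo_pkg() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/environments/common/guardrails-policies" \
           "$d/environments/common/general-policies/naming-rules" \
           "$d/environments/prod"
  cat > "$d/environments/common/guardrails-policies/constraints.yaml" <<'EOF'
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DataLocation
metadata:
  name: demo-location
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: LimitEgressTraffic
metadata:
  name: demo-egress
EOF
  cat > "$d/environments/common/general-policies/naming-rules/constraint.yaml" <<'EOF'
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NamingPolicy
metadata:
  name: demo-naming
EOF
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: setters\n' \
    > "$d/environments/prod/setters.yaml"
  printf '%s\n' "$d"
}

# write_krmignore PKG: the three entries posted as the full fix in this thread.
write_krmignore() {
  printf '%s\n' 'cicd-examples/' \
    'environments/common/guardrails-policies' \
    'environments/common/general-policies/naming-rules' > "$1/.krmignore"
}

pkg="$(make_demo_pkg)"
: > "$pkg/installed-kinds.txt"   # constructed: a cluster with no constraint CRDs yet
echo "missing before .krmignore:"; missing_constraint_kinds "$pkg" "$pkg/installed-kinds.txt"
write_krmignore "$pkg"
echo "missing after .krmignore:";  missing_constraint_kinds "$pkg" "$pkg/installed-kinds.txt"
echo "constraints hidden from this apply:"; constraint_kinds "$pkg" ignored
rm -rf "$pkg"
```

The last list is the one to track: every kind it prints is a guardrail that this apply no longer deploys and that has to reach the cluster by another route.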

@cartyc cartyc added documentation Improvements or additions to documentation policy Landing Zone labels Sep 9, 2022

fmichaelobrien commented Sep 9, 2022

nice, rerunning with "Easiest would be to add the policy directory to the .krmignore file"
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/landing-zone/.krmignore

add to faq


obriensystems commented Sep 9, 2022

Full fix is .krmignore filter

cicd-examples/
environments/common/guardrails-policies
environments/common/general-policies/naming-rules

results

We progressed to the LZ projects coming up - I will document an additional DOC / FEATURE on pre-increasing the billing/project quota on new accounts

kubectl describe gcpservice nonprod-nethost-service-compute

Warning  UpdateFailed  48s  service-controller  Update call failed: error applying desired state: summary: Request Enable Project Service "compute.googleapis.com" for project "net-host-prj-prod-gz1" returned error: Batch request and retried single request "Enable Project Service \"compute.googleapis.com\" for project \"net-host-prj-prod-gz1\"" both failed. Final error: failed to send enable services request: googleapi: Error 400: Billing account for project '698859936700' is not found. Billing must be enabled for activation of service(s) 'compute.googleapis.com,compute.googleapis.com,compute.googleapis.com' to proceed.
Help Token: AfeSHlKLc1An3tXgOyaI-lDp9CqpV_4etyoQCth2uK4Eo-n52_DaBYZtUZ4BxKjGiIF3QgNqj9r8lIuKg3HntFWwKTc-FrNJFaTHYjVbwpZ-hxRZ
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
    "violations": [
      {
        "subject": "?error_code=390001\u0026project=698859936700\u0026services=compute.googleapis.com\u0026services=compute.googleapis.com\u0026services=compute.googleapis.com",
        "type": "googleapis.com/billing-enabled"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "serviceusage.googleapis.com/billing-enabled",
    "metadata": {
      "project": "698859936700",
      "services": "compute.googleapis.com,compute.googleapis.com,compute.googleapis.com"
    },
    "reason": "UREQ_PROJECT_BILLING_NOT_FOUND"
  }
]
, failedPrecondition

@fmichaelobrien fmichaelobrien changed the title dev-exp: 4 CRDs missing during kpt live apply - NamingPolicy, DataLocation, LimitEgressTraffic, CloudMarketPlaceConfig - checking if we can temp comment these org policies [BUG]: During kpt live apply - 4 CRDs are missing from the CC GKE cluster - NamingPolicy, DataLocation, LimitEgressTraffic, CloudMarketPlaceConfig Sep 9, 2022
@fmichaelobrien fmichaelobrien changed the title [BUG]: During kpt live apply - 4 CRDs are missing from the CC GKE cluster - NamingPolicy, DataLocation, LimitEgressTraffic, CloudMarketPlaceConfig [BUG]: sm: During kpt live apply - 4 CRDs are missing from the CC GKE cluster - NamingPolicy, DataLocation, LimitEgressTraffic, CloudMarketPlaceConfig Sep 9, 2022
@fmichaelobrien fmichaelobrien added bug Something isn't working and removed documentation Improvements or additions to documentation Landing Zone developer-experience add-to-faq labels Sep 9, 2022

obriensystems commented Sep 10, 2022

After bringing up a new cluster on obrienlabs.dev in #94 (comment) for #104

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone

michael@cloudshell:~ (lz-20220910-oldev)$ cd github/GoogleCloudPlatform/p
michael@cloudshell:~/github/GoogleCloudPlatform (lz-20220910-oldev)$ mkdir 20220909-103
michael@cloudshell:~/github/GoogleCloudPlatform (lz-20220910-oldev)$ cd 20220909-103/
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
Cloning into 'pubsec-declarative-toolkit'...
Resolving deltas: 100% (2585/2585), done.

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ cd pubsec-declarative-toolkit/
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103/pubsec-declarative-toolkit (lz-20220910-oldev)$ git checkout fmichaelobrien-patch-103
Branch 'fmichaelobrien-patch-103' set up to track remote branch 'fmichaelobrien-patch-103' from 'origin'.
Switched to a new branch 'fmichaelobrien-patch-103'

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103/pubsec-declarative-toolkit (lz-20220910-oldev)$ cd ..
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/landing-zone landing-zone
Package "landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@main
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * branch            main       -> FETCH_HEAD
 + 6596f71...9750a11 main       -> origin/main  (forced update)
Adding package "solutions/landing-zone".

Fetched 1 package(s).


copy the change
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103/pubsec-declarative-toolkit (lz-20220910-oldev)$ cd ..
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ cat landing-zone/.krmignore
cicd-examples/
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ cp pubsec-declarative-toolkit/solutions/landing-zone/.krmignore landing-zone/
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ cat landing-zone/.krmignore 
cicd-examples/
environments/common/guardrails-policies
environments/common/general-policies/naming-rules
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$

fill in setters.yaml
use 
https://console.cloud.google.com/home/dashboard?project=landing-zone-controller-1z583

  billing-id: "019283-6F1AB5-7AD576"
  org-id: "583675367868"
  management-project-id: landing-zone-controller-1z583
  management-project-number: "453474601356"
  net-host-prj-nonprod-id: net-host-prj-nonprod-old1
  net-host-prj-prod-id: net-host-prj-prod-old1
  net-perimeter-prj-common-id: net-perimeter-prj-common-old1
  audit-prj-id: audit-prj-id-old1
  guardrails-project-id: guardrails-project-old1
  audit-viewer: postmaster@obrienlabs.dev
  log-writer: postmaster@obrienlabs.dev
  log-reader: postmaster@obrienlabs.dev
  organization-viewer: postmaster@obrienlabs.dev

changing the docs to cd in the folder

#111


michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt fn render
Error: No Kptfile found at "/home/michael/github/GoogleCloudPlatform/20220909-103".
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ cd landing-zone/
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103/landing-zone (lz-20220910-oldev)$ kpt fn render

Package "landing-zone/environments/common/guardrails-policies":
Package "landing-zone/environments/common":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 3.1s
  Results:
    [info]: namespace "common" updated to "config-control", 23 value(s) changed

Package "landing-zone/environments/nonprod":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 400ms
  Results:
    [info]: namespace "nonprod" updated to "config-control", 7 value(s) changed

Package "landing-zone/environments/prod":
[RUNNING] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0"
[FAIL] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0" in 700ms
  Stderr:
    "docker: Error response from daemon: Get \"https://gcr.io/v2/\": dial tcp [2607:f8b0:400c:c03::52]:443: connect: cannot assign requested address."
    "See 'docker run --help'."
  Exit code: 125

run 2nd time

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103/landing-zone (lz-20220910-oldev)$ kpt fn render
Package "landing-zone/environments/common/guardrails-policies":
Package "landing-zone/environments/common":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 500ms
  Results:
    [info]: namespace "common" updated to "config-control", 23 value(s) changed

Package "landing-zone/environments/nonprod":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 400ms
  Results:
    [info]: namespace "nonprod" updated to "config-control", 7 value(s) changed

Package "landing-zone/environments/prod":
[RUNNING] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0"
[PASS] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0" in 3.2s
  Results:
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/prod-nethost-service-compute: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/prod-nethost-service-logging: generated service
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 400ms
  Results:
    [info]: namespace "prod" updated to "config-control", 4 value(s) changed

Package "landing-zone":
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 2s
  Results:
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "583675367868"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "583675367868"
    [info] spec.projectID: set field value to "net-perimeter-prj-common-old1"
    [info] spec.parentRef.external: set field value to "583675367868"
    ...(87 line(s) truncated, use '--truncate-output=false' to disable)
[RUNNING] "gcr.io/kpt-fn/generate-folders:v0.1.1"
[FAIL] "gcr.io/kpt-fn/generate-folders:v0.1.1" in 700ms
  Stderr:
    "docker: Error response from daemon: Get \"https://gcr.io/v2/\": dial tcp [2607:f8b0:400c:c04::52]:443: connect: cannot assign requested address."
    "See 'docker run --help'."
  Exit code: 125


cluster still warming up after 1 hour idle time (or increase the vCores ram past 2/3)

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103/landing-zone (lz-20220910-oldev)$ kpt fn render
Package "landing-zone/environments/common/guardrails-policies":
Package "landing-zone/environments/common":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 500ms
  Results:
    [info]: namespace "common" updated to "config-control", 23 value(s) changed

Package "landing-zone/environments/nonprod":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 400ms
  Results:
    [info]: namespace "nonprod" updated to "config-control", 7 value(s) changed

Package "landing-zone/environments/prod":
[RUNNING] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0"
[PASS] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0" in 1.5s
  Results:
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/prod-nethost-service-compute: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/prod-nethost-service-logging: generated service
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 400ms
  Results:
    [info]: namespace "prod" updated to "config-control", 4 value(s) changed

Package "landing-zone":
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 600ms
  Results:
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "583675367868"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "583675367868"
    [info] spec.projectID: set field value to "net-perimeter-prj-common-old1"
    [info] spec.parentRef.external: set field value to "583675367868"
    ...(87 line(s) truncated, use '--truncate-output=false' to disable)
[RUNNING] "gcr.io/kpt-fn/generate-folders:v0.1.1"
[PASS] "gcr.io/kpt-fn/generate-folders:v0.1.1" in 5.4s
[RUNNING] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0"
[PASS] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0" in 1.8s
  Results:
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/nonprod-nethost-service-compute: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/nonprod-nethost-service-dns: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/nonprod-nethost-service-logging: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/prod-nethost-service-compute: recreated service
    ...(3 line(s) truncated, use '--truncate-output=false' to disable)
[RUNNING] "gcr.io/kpt-fn/gatekeeper:v0.2.1"
[PASS] "gcr.io/kpt-fn/gatekeeper:v0.2.1" in 3.5s
[RUNNING] "gcr.io/kpt-fn/kubeval:v0.3.0"
[PASS] "gcr.io/kpt-fn/kubeval:v0.3.0" in 22.5s

Successfully executed 9 function(s) in 5 package(s).

ok now

cd ..

kpt live init landing-zone --namespace config-control
kpt live apply landing-zone --reconcile-timeout=2m --output=table

config-con  StorageBucket/log-bucket-audit-prj-id-ol  Unchanged     NotFound                <None>                                    -       Resource not found

1 resources failed


retry
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt live apply landing-zone --reconcile-timeout=2m
installing inventory ResourceGroup CRD.
namespace/config-control apply failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
namespace/config-control reconcile skipped
configmap/setters unchanged
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels unchanged
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel unchanged
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels unchanged
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy unchanged
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet unchanged
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pr unchanged
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pu unchanged
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress-pr unchanged
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingressp unchanged
computefirewall.compute.cnrm.cloud.google.com/computefirewall-sample-deny unchanged
computefirewall.compute.cnrm.cloud.google.com/deny-ssh-ingress unchanged
computefirewall.compute.cnrm.cloud.google.com/prod-firewall-default-deny unchanged
computenetwork.compute.cnrm.cloud.google.com/common-ha-perimeter unchanged
computenetwork.compute.cnrm.cloud.google.com/common-mgmt-perimeter unchanged
computenetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc unchanged
computenetwork.compute.cnrm.cloud.google.com/priv-perimeter unchanged
computenetwork.compute.cnrm.cloud.google.com/prod-sharedvpc unchanged
computenetwork.compute.cnrm.cloud.google.com/public-perimeter unchanged
computeprojectmetadata.compute.cnrm.cloud.google.com/nonprod-oslogin-meta unchanged
computeroute.compute.cnrm.cloud.google.com/egress-internet-nonprod unchanged
computeroute.compute.cnrm.cloud.google.com/egress-internet-prod unchanged
computesharedvpchostproject.compute.cnrm.cloud.google.com/computesharedvpchostproject-sample unchanged
computesharedvpchostproject.compute.cnrm.cloud.google.com/nonprod-shared-vpc-host unchanged
computesubnetwork.compute.cnrm.cloud.google.com/common-ha-perimeter-subnet unchanged
computesubnetwork.compute.cnrm.cloud.google.com/management unchanged
computesubnetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc-subnet unchanged
computesubnetwork.compute.cnrm.cloud.google.com/priv-perimeter-subnet unchanged
computesubnetwork.compute.cnrm.cloud.google.com/prod-sharedvpc-subnet unchanged
computesubnetwork.compute.cnrm.cloud.google.com/public-perimeter-subnet unchanged
iampolicymember.iam.cnrm.cloud.google.com/audit-viewer unchanged
iampolicymember.iam.cnrm.cloud.google.com/billing-iam-member unchanged
iampolicymember.iam.cnrm.cloud.google.com/log-reader unchanged
iampolicymember.iam.cnrm.cloud.google.com/log-writer unchanged
iampolicymember.iam.cnrm.cloud.google.com/organization-viewer unchanged
iamserviceaccount.iam.cnrm.cloud.google.com/billing-service-account unchanged
logginglogsink.logging.cnrm.cloud.google.com/audit-bucket-sink unchanged
logginglogsink.logging.cnrm.cloud.google.com/logs-bucket-sink unchanged
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security unchanged
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.audit unchanged
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.security unchanged
folder.resourcemanager.cnrm.cloud.google.com/automation unchanged
folder.resourcemanager.cnrm.cloud.google.com/infrastructure unchanged
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking unchanged
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.nonprodnetworking unchanged
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking unchanged
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.sharedinfrastructure unchanged
folder.resourcemanager.cnrm.cloud.google.com/sandbox unchanged
folder.resourcemanager.cnrm.cloud.google.com/shared-services unchanged
folder.resourcemanager.cnrm.cloud.google.com/workloads unchanged
folder.resourcemanager.cnrm.cloud.google.com/workloads.dev unchanged
folder.resourcemanager.cnrm.cloud.google.com/workloads.prod unchanged
folder.resourcemanager.cnrm.cloud.google.com/workloads.uat unchanged
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-old1 unchanged
project.resourcemanager.cnrm.cloud.google.com/guardrails-project-old1 unchanged
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-nonprod-old1 unchanged
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-prod-old1 unchanged
project.resourcemanager.cnrm.cloud.google.com/net-perimeter-prj-common-old1 unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-contact-domains unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-policy-member-domain unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-guest-attribute-access unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-nested-virtualization unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serial-port-access unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serviceaccount-key-creation unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-vpc-external-ipv6 unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-shielded-vm unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-trusted-images unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-loadbalancer-creation-types unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-os-login unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-resource-locations unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-sql-public-ip unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vm-external-access unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-lien-removal unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-peering unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/skip-default-network-creation unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/uniform-bucket-level-access unchanged
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/vm-can-ip-forward unchanged
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-compute unchanged
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-logging unchanged
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-compute unchanged
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-dns unchanged
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging unchanged
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-compute unchanged
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-logging unchanged
storagebucket.storage.cnrm.cloud.google.com/audit-audit-prj-id-old1 unchanged
storagebucket.storage.cnrm.cloud.google.com/log-bucket-audit-prj-id-old1 unchanged
configmap/setters reconcile skipped
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels reconcile skipped
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel reconcile skipped
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels reconcile skipped
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy reconcile skipped
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet reconcile skipped
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pr reconcile skipped
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pu reconcile skipped
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress-pr reconcile skipped
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingressp reconcile skipped
computefirewall.compute.cnrm.cloud.google.com/computefirewall-sample-deny reconcile skipped
computefirewall.compute.cnrm.cloud.google.com/deny-ssh-ingress reconcile skipped
computefirewall.compute.cnrm.cloud.google.com/prod-firewall-default-deny reconcile skipped
computenetwork.compute.cnrm.cloud.google.com/common-ha-perimeter reconcile skipped
computenetwork.compute.cnrm.cloud.google.com/common-mgmt-perimeter reconcile skipped
computenetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc reconcile skipped
computenetwork.compute.cnrm.cloud.google.com/priv-perimeter reconcile skipped
computenetwork.compute.cnrm.cloud.google.com/prod-sharedvpc reconcile skipped
computenetwork.compute.cnrm.cloud.google.com/public-perimeter reconcile skipped
computeprojectmetadata.compute.cnrm.cloud.google.com/nonprod-oslogin-meta reconcile skipped
computeroute.compute.cnrm.cloud.google.com/egress-internet-nonprod reconcile skipped
computeroute.compute.cnrm.cloud.google.com/egress-internet-prod reconcile skipped
computesharedvpchostproject.compute.cnrm.cloud.google.com/computesharedvpchostproject-sample reconcile skipped
computesharedvpchostproject.compute.cnrm.cloud.google.com/nonprod-shared-vpc-host reconcile skipped
computesubnetwork.compute.cnrm.cloud.google.com/common-ha-perimeter-subnet reconcile skipped
computesubnetwork.compute.cnrm.cloud.google.com/management reconcile skipped
computesubnetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc-subnet reconcile skipped
computesubnetwork.compute.cnrm.cloud.google.com/priv-perimeter-subnet reconcile skipped
computesubnetwork.compute.cnrm.cloud.google.com/prod-sharedvpc-subnet reconcile skipped
computesubnetwork.compute.cnrm.cloud.google.com/public-perimeter-subnet reconcile skipped
iampolicymember.iam.cnrm.cloud.google.com/audit-viewer reconcile skipped
iampolicymember.iam.cnrm.cloud.google.com/billing-iam-member reconcile skipped
iampolicymember.iam.cnrm.cloud.google.com/log-reader reconcile skipped
iampolicymember.iam.cnrm.cloud.google.com/log-writer reconcile skipped
iampolicymember.iam.cnrm.cloud.google.com/organization-viewer reconcile skipped
iamserviceaccount.iam.cnrm.cloud.google.com/billing-service-account reconcile skipped
logginglogsink.logging.cnrm.cloud.google.com/audit-bucket-sink reconcile skipped
logginglogsink.logging.cnrm.cloud.google.com/logs-bucket-sink reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.audit reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.security reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/automation reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/infrastructure reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.nonprodnetworking reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.sharedinfrastructure reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/sandbox reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/shared-services reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/workloads reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/workloads.dev reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/workloads.prod reconcile skipped
folder.resourcemanager.cnrm.cloud.google.com/workloads.uat reconcile skipped
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-old1 reconcile skipped
project.resourcemanager.cnrm.cloud.google.com/guardrails-project-old1 reconcile skipped
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-nonprod-old1 reconcile skipped
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-prod-old1 reconcile skipped
project.resourcemanager.cnrm.cloud.google.com/net-perimeter-prj-common-old1 reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-contact-domains reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-policy-member-domain reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-guest-attribute-access reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-nested-virtualization reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serial-port-access reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serviceaccount-key-creation reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-vpc-external-ipv6 reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-shielded-vm reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-trusted-images reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-loadbalancer-creation-types reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-os-login reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-resource-locations reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-sql-public-ip reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vm-external-access reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-lien-removal reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-peering reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/skip-default-network-creation reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/uniform-bucket-level-access reconcile skipped
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/vm-can-ip-forward reconcile skipped
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-compute reconcile skipped
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-logging reconcile skipped
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-compute reconcile skipped
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-dns reconcile skipped
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging reconcile skipped
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-compute reconcile skipped
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-logging reconcile skipped
storagebucket.storage.cnrm.cloud.google.com/audit-audit-prj-id-old1 reconcile skipped
storagebucket.storage.cnrm.cloud.google.com/log-bucket-audit-prj-id-old1 reconcile skipped
iampolicymember.iam.cnrm.cloud.google.com/audit-sink-writer unchanged
iampolicymember.iam.cnrm.cloud.google.com/log-sink-writer unchanged
90 resource(s) applied. 0 created, 89 unchanged, 0 configured, 1 failed
iampolicymember.iam.cnrm.cloud.google.com/audit-sink-writer reconcile skipped
iampolicymember.iam.cnrm.cloud.google.com/log-sink-writer reconcile skipped
0 resource(s) reconciled, 90 skipped, 0 failed to reconcile, 0 timed out
1 resources failed
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kubectl get gcp
No resources found in config-control namespace.

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kubectl get po -n cnrm-system
NAME                                             READY   STATUS    RESTARTS   AGE
cnrm-controller-manager-cce97jsgkgtddmb43tcg-0   2/2     Running   0          91m
cnrm-deletiondefender-0                          1/1     Running   0          91m
cnrm-resource-stats-recorder-7d49746fc6-ms5gq    2/2     Running   0          91m
cnrm-webhook-manager-85f4848bc4-rglw2            1/1     Running   0          91m
cnrm-webhook-manager-85f4848bc4-z4p6w            1/1     Running   0          91m


michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kubectl logs -n cnrm-system cnrm-controller-manager-cce97jsgkgtddmb43tcg-0

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$  kubectl get gcpservice
No resources found in config-control namespace.

nothing deploying

issue is 
installing inventory ResourceGroup CRD.
namespace/config-control apply failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
namespace/config-control reconcile skipped
configmap/setters unchanged

using --inventory-policy adopt via kptdev/kpt#1724
works well

before

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt live apply landing-zone
installing inventory ResourceGroup CRD.
namespace/config-control apply failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
namespace/config-control reconcile skipped
configmap/setters unchanged
..
iampolicymember.iam.cnrm.cloud.google.com/log-sink-writer reconcile skipped
0 resource(s) reconciled, 90 skipped, 0 failed to reconcile, 0 timed out
1 resources failed


after
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt live apply landing-zone --inventory-policy adopt
installing inventory ResourceGroup CRD.
namespace/config-control configured
namespace/config-control reconcile pending
namespace/config-control reconciled
configmap/setters created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels created
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy created
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet created


michael@cloudshell:~ (magellan-01)$ kubectl get gcp
NAME                                                                                                 AGE     READY   STATUS               STATUS AGE
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels        9m29s   False   DependencyNotReady   9m28s
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel   9m28s   False   DependencyNotReady   9m28s
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels          9m28s   False   DependencyNotReady   9m27s

NAME                                                                                          AGE     READY   STATUS         STATUS AGE
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy   9m27s   False   UpdateFailed   9m27s

NAME                                                                                           AGE     READY   STATUS         STATUS AGE
computesharedvpchostproject.compute.cnrm.cloud.google.com/computesharedvpchostproject-sample   9m25s   False   UpdateFailed   9m25s
computesharedvpchostproject.compute.cnrm.cloud.google.com/nonprod-shared-vpc-host              9m25s   False   UpdateFailed   9m24s

NAME                                                                         AGE     READY   STATUS               STATUS AGE
computesubnetwork.compute.cnrm.cloud.google.com/common-ha-perimeter-subnet   9m25s   False   DependencyNotReady   9m25s
computesubnetwork.compute.cnrm.cloud.google.com/management                   9m25s   False   DependencyNotReady   9m25s
computesubnetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc-subnet     9m25s   False   DependencyNotReady   9m25s
computesubnetwork.compute.cnrm.cloud.google.com/priv-perimeter-subnet        9m25s   False   DependencyNotReady   9m25s
computesubnetwork.compute.cnrm.cloud.google.com/prod-sharedvpc-subnet        9m25s   False   DependencyNotReady   9m25s
computesubnetwork.compute.cnrm.cloud.google.com/public-perimeter-subnet      9m24s   False   DependencyNotReady   9m24s

NAME                                                                        AGE     READY   STATUS               STATUS AGE
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet         9m31s   False   DependencyNotReady   9m31s
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pr      9m31s   False   DependencyNotReady   9m31s
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pu      9m30s   False   DependencyNotReady   9m30s
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress-pr          9m30s   False   DependencyNotReady   9m30s
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingressp            9m30s   False   DependencyNotReady   9m30s
computefirewall.compute.cnrm.cloud.google.com/computefirewall-sample-deny   9m30s   False   DependencyNotReady   9m30s
computefirewall.compute.cnrm.cloud.google.com/deny-ssh-ingress              9m29s   False   DependencyNotReady   9m29s
computefirewall.compute.cnrm.cloud.google.com/prod-firewall-default-deny    9m29s   False   DependencyNotReady   9m29s

NAME                                                                 AGE     READY   STATUS               STATUS AGE
computeroute.compute.cnrm.cloud.google.com/egress-internet-nonprod   9m27s   False   DependencyNotReady   9m27s
computeroute.compute.cnrm.cloud.google.com/egress-internet-prod      9m27s   False   DependencyNotReady   9m27s

NAME                                                                 AGE     READY   STATUS         STATUS AGE
computenetwork.compute.cnrm.cloud.google.com/common-ha-perimeter     9m30s   False   UpdateFailed   9m30s
computenetwork.compute.cnrm.cloud.google.com/common-mgmt-perimeter   9m30s   False   UpdateFailed   9m29s
computenetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc       9m29s   False   UpdateFailed   9m29s
computenetwork.compute.cnrm.cloud.google.com/priv-perimeter          9m29s   False   UpdateFailed   9m29s
computenetwork.compute.cnrm.cloud.google.com/prod-sharedvpc          9m29s   False   UpdateFailed   9m29s
computenetwork.compute.cnrm.cloud.google.com/public-perimeter        9m29s   False   UpdateFailed   9m29s

NAME                                                                        AGE     READY   STATUS         STATUS AGE
computeprojectmetadata.compute.cnrm.cloud.google.com/nonprod-oslogin-meta   9m30s   False   UpdateFailed   9m29s

NAME                                                                  AGE     READY   STATUS         STATUS AGE
iamserviceaccount.iam.cnrm.cloud.google.com/billing-service-account   9m30s   False   UpdateFailed   9m30s

NAME                                                            AGE     READY   STATUS               STATUS AGE
iampolicymember.iam.cnrm.cloud.google.com/audit-viewer          9m31s   True    UpToDate             8m53s
iampolicymember.iam.cnrm.cloud.google.com/billing-iam-member    9m31s   False   DependencyNotReady   9m31s
iampolicymember.iam.cnrm.cloud.google.com/log-reader            9m31s   True    UpToDate             8m48s
iampolicymember.iam.cnrm.cloud.google.com/log-writer            9m30s   True    UpToDate             8m42s
iampolicymember.iam.cnrm.cloud.google.com/organization-viewer   9m30s   True    UpToDate             9m25s

NAME                                                             AGE     READY   STATUS               STATUS AGE
logginglogsink.logging.cnrm.cloud.google.com/audit-bucket-sink   9m31s   False   DependencyNotReady   9m31s
logginglogsink.logging.cnrm.cloud.google.com/logs-bucket-sink    9m31s   False   DependencyNotReady   9m31s

NAME                                                                                       AGE     READY   STATUS     STATUS AGE
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security                            9m33s   True    UpToDate   9m22s
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.audit                      9m33s   True    UpToDate   9m7s
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.security                   9m33s   True    UpToDate   9m6s
folder.resourcemanager.cnrm.cloud.google.com/automation                                    9m33s   True    UpToDate   9m21s
folder.resourcemanager.cnrm.cloud.google.com/infrastructure                                9m32s   True    UpToDate   9m21s
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking                     9m32s   True    UpToDate   7m55s
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.nonprodnetworking   9m32s   True    UpToDate   7m14s
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking      9m32s   True    UpToDate   7m14s
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.sharedinfrastructure           9m32s   True    UpToDate   7m10s
folder.resourcemanager.cnrm.cloud.google.com/sandbox                                       9m31s   True    UpToDate   9m20s
folder.resourcemanager.cnrm.cloud.google.com/shared-services                               9m31s   True    UpToDate   9m20s
folder.resourcemanager.cnrm.cloud.google.com/workloads                                     9m31s   True    UpToDate   9m19s
folder.resourcemanager.cnrm.cloud.google.com/workloads.dev                                 9m31s   True    UpToDate   7m10s
folder.resourcemanager.cnrm.cloud.google.com/workloads.prod                                9m31s   True    UpToDate   8m21s
folder.resourcemanager.cnrm.cloud.google.com/workloads.uat                                 9m30s   True    UpToDate   7m54s

NAME                                                                                               AGE     READY   STATUS         STATUS AGE
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-contact-domains                9m29s   True    UpToDate       9m28s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-policy-member-domain           9m29s   True    UpToDate       9m28s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-guest-attribute-access         9m29s   True    UpToDate       9m28s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-nested-virtualization          9m28s   True    UpToDate       9m28s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serial-port-access             9m28s   True    UpToDate       9m27s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serviceaccount-key-creation    9m28s   True    UpToDate       9m27s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-vpc-external-ipv6              9m28s   True    UpToDate       9m27s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-shielded-vm                    9m28s   True    UpToDate       9m27s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-trusted-images                 9m27s   True    UpToDate       9m27s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-loadbalancer-creation-types   9m27s   False   UpdateFailed   9m27s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-os-login                      9m27s   True    UpToDate       9m26s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-resource-locations            9m27s   False   UpdateFailed   9m26s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-sql-public-ip                 9m26s   True    UpToDate       9m26s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vm-external-access            9m26s   False   UpdateFailed   9m26s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-lien-removal              9m26s   True    UpToDate       9m25s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-peering                   9m26s   True    UpToDate       9m25s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/skip-default-network-creation          9m26s   True    UpToDate       9m24s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention       9m25s   True    UpToDate       9m22s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/uniform-bucket-level-access            9m25s   True    UpToDate       9m24s
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/vm-can-ip-forward                      9m25s   True    UpToDate       9m24s

NAME                                                                          AGE     READY   STATUS         STATUS AGE
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-old1               9m31s   False   UpdateFailed   9m31s
project.resourcemanager.cnrm.cloud.google.com/guardrails-project-old1         9m31s   False   UpdateFailed   9m31s
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-nonprod-old1       9m31s   False   UpdateFailed   9m31s
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-prod-old1          9m30s   False   UpdateFailed   9m30s
project.resourcemanager.cnrm.cloud.google.com/net-perimeter-prj-common-old1   9m30s   False   UpdateFailed   9m30s

NAME                                                                         AGE     READY   STATUS         STATUS AGE
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-compute    9m26s   False   UpdateFailed   9m22s
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-logging    9m26s   False   UpdateFailed   9m22s
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-compute   9m25s   False   UpdateFailed   9m22s
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-dns       9m25s   False   UpdateFailed   9m22s
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging   9m25s   False   UpdateFailed   9m21s
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-compute      9m25s   False   UpdateFailed   9m21s
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-logging      9m24s   False   UpdateFailed   9m21s

NAME                                                                       AGE     READY   STATUS         STATUS AGE
storagebucket.storage.cnrm.cloud.google.com/audit-audit-prj-id-old1        9m25s   False   UpdateFailed   9m25s
storagebucket.storage.cnrm.cloud.google.com/log-bucket-audit-prj-id-old1   9m25s   False   UpdateFailed   9m25s


michael@cloudshell:~ (magellan-01)$  kubectl get gcpservice
NAME                              AGE   READY   STATUS         STATUS AGE
common-nethost-service-compute    34m   False   UpdateFailed   34m
common-nethost-service-logging    34m   False   UpdateFailed   34m
nonprod-nethost-service-compute   34m   False   UpdateFailed   34m
nonprod-nethost-service-dns       34m   False   UpdateFailed   34m
nonprod-nethost-service-logging   34m   False   UpdateFailed   34m
prod-nethost-service-compute      34m   False   UpdateFailed   34m
prod-nethost-service-logging      34m   False   UpdateFailed   34m


@fmichaelobrien
Contributor Author

I agree, move to the readme or use something more granular than the entire folder.
I think we need more reproduction and testing and root cause before blocking off these 2 folders - reinvestigating

and your
cartyc commented 1 hour ago
An alternate temp fix would be to just add constraint.yaml to the .krmignore for the first run so the CRD is installed and then remove the constraint.yaml ref from .krmignore on the second pass which will install the constraint once the CRD is installed.
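
The two-pass workaround quoted above (keep the constraint manifests in `.krmignore` for the first apply, then remove them and apply again), as an added example that is not part of the thread or the repository. The function names, the marker comments and the `KPT` override are this example's own, and it assumes `.krmignore` follows gitignore syntax, including `#` comment lines.

```shell
#!/bin/sh
# Added example: two-pass `kpt live apply` for a package whose Gatekeeper
# constraints need CRDs that only exist after their ConstraintTemplates apply.
set -eu

KPT="${KPT:-kpt}"                      # overridable so the flow can be exercised with a stub
BEGIN='# BEGIN deferred-constraints'   # markers are this example's own convention
END='# END deferred-constraints'

# Print package-relative paths of manifests that declare a Gatekeeper constraint
# (apiVersion constraints.gatekeeper.sh/..., as in the error at the top of the issue).
constraint_files() (
  cd "$1"
  find . -type f \( -name '*.yaml' -o -name '*.yml' \) \
    -exec grep -lE '^apiVersion:[[:space:]]*constraints\.gatekeeper\.sh/' {} + \
    | sed 's|^\./||' | sort
)

# Append the constraint manifests to .krmignore between the two markers.
defer_constraints() (
  files=$(constraint_files "$1")
  [ -n "$files" ] || exit 0
  printf '%s\n%s\n%s\n' "$BEGIN" "$files" "$END" >> "$1/.krmignore"
)

# Remove the marked block again, leaving any other .krmignore entries intact.
restore_constraints() (
  ignore="$1/.krmignore"
  [ -f "$ignore" ] || exit 0
  sed "/^$BEGIN\$/,/^$END\$/d" "$ignore" > "$ignore.tmp"
  mv "$ignore.tmp" "$ignore"
)

# usage: two_pass_apply <package-dir> [extra kpt flags, e.g. --inventory-policy adopt]
two_pass_apply() {
  pkg=$1; shift
  defer_constraints "$pkg"
  rc=0
  # Pass 1: everything except the constraints, so the templates get installed.
  "$KPT" live apply "$pkg" "$@" || rc=$?
  restore_constraints "$pkg"           # always undo the edit, even if pass 1 failed
  [ "$rc" -eq 0 ] || return "$rc"
  # Pass 2: the constraints are back in the apply set and their CRDs now exist.
  "$KPT" live apply "$pkg" "$@"
}

# Run only when called with arguments, e.g.: sh two-pass.sh landing-zone --inventory-policy adopt
[ $# -eq 0 ] || two_pass_apply "$@"
```

Gatekeeper creates the constraint CRDs asynchronously once the templates are applied, so the second pass may need a short wait or a retry.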

@cartyc
Contributor

cartyc commented Sep 12, 2022

Again, there is not much we can do to remediate this in the kpt deployments outside of workflow changes until changes are made in the upstream tools.

@fmichaelobrien
Contributor Author

Understood. I am attempting to document and/or work around getting the landing-zone solution up before starting to modify it.

@cartyc
Contributor

cartyc commented Sep 12, 2022

Closing this issue and moving discussion to #114.

@cartyc closed this as completed Sep 12, 2022