Regression: roles/compute.instanceAdmin required on networking-sa to fix hub-mgmt-data-disk creation permissions error in hub-env #604

obriensystems · 2023-10-24T02:46:59Z

as part of #446
update: roles/compute.instanceAdmin required on networking-sa to fix hub-mgmt-data-disk creation permissions error in hub-env

michael@cloudshell:~/kcc-oi/kpt (kcc-oi-3552)$ kubectl get gcp -n networking 
NAME                                                           AGE   READY   STATUS         STATUS AGE
computedisk.compute.cnrm.cloud.google.com/hub-mgmt-data-disk   46m   False   UpdateFailed   46m

NAME                                                                       AGE    READY   STATUS               STATUS AGE
computeinstance.compute.cnrm.cloud.google.com/hub-fgt-primary-instance     176m   False   DependencyNotFound   176m
computeinstance.compute.cnrm.cloud.google.com/hub-fgt-secondary-instance   176m   False   DependencyNotFound   176m

michael@cloudshell:~/kcc-oi/kpt (kcc-oi-3552)$ kubectl describe computeinstance.compute.cnrm.cloud.google.com/hub-fgt-primary-instance -n networking

  Warning  DependencyNotFound  3m10s (x18 over 177m)  computeinstance-controller  reference ComputeDisk networking/hub-fgt-primary-log-disk is not found

michael@cloudshell:~/kcc-oi/kpt (kcc-oi-3552)$ kubectl describe computeinstance.compute.cnrm.cloud.google.com/hub-fgt-secondary-instance -n networking

  Warning  DependencyNotFound  6m58s (x20 over 179m)  computeinstance-controller  reference ComputeDisk networking/hub-fgt-secondary-log-disk is not found

michael@cloudshell:~/kcc-oi/kpt (kcc-oi-3552)$ kubectl describe computedisk.compute.cnrm.cloud.google.com/hub-mgmt-data-disk  -n networking

  Warning  UpdateFailed  50s (x30 over 49m)  computedisk-controller  Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing ComputeDisk "projects/xxdmu-admin1-hub-oi11/zones/northamerica-northeast1-a/disks/mgmt-data-disk": googleapi: Error 403: Required 'compute.disks.get' permission for 'projects/xxdmu-admin1-hub-oi11/zones/northamerica-northeast1-a/disks/mgmt-data-disk', forbidden

checking permissions

michael@cloudshell:~/kcc-oi/kpt (kcc-oi-3552)$ gcloud projects get-iam-policy xxdmu-admin1-hub-oi11
bindings:
- members:
  - serviceAccount:service-851414103698@compute-system.iam.gserviceaccount.com
  role: roles/compute.serviceAgent
- members:
  - serviceAccount:851414103698-compute@developer.gserviceaccount.com
  - serviceAccount:851414103698@cloudservices.gserviceaccount.com
  role: roles/editor
- members:
  - serviceAccount:projects-sa@kcc-oi-3552.iam.gserviceaccount.com
  role: roles/owner


adjusted project.yaml back to (from bottom 3 commented)
    cnrm.cloud.google.com/auto-create-network: "false"
    #config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/hierarchy/Folder/services-infrastructure
    #internal.kpt.dev/upstream-identifier: 'resourcemanager.cnrm.cloud.google.com|Project|projects|hub-project-id'
    cnrm.cloud.google.com/blueprint: 'kpt-pkg-fn-live'

add to networking-sa 
roles/compute.instanceAdmin

michael@cloudshell:~/kcc-oi/kpt (kcc-oi-3552)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/compute.instanceAdmin --condition=None --quiet  > /dev/null 1>&1
Updated IAM policy for organization [459065442144].

working
michael@cloudshell:~/kcc-oi/kpt (kcc-oi-3552)$ kubectl get gcp -n networking 
NAME                                                           AGE   READY   STATUS     STATUS AGE
computedisk.compute.cnrm.cloud.google.com/hub-mgmt-data-disk   61m   True    UpToDate   67s

NAME                                                                       AGE     READY   STATUS               STATUS AGE
computeinstance.compute.cnrm.cloud.google.com/hub-fgt-primary-instance     3h12m   False   DependencyNotFound   3h12m
computeinstance.compute.cnrm.cloud.google.com/hub-fgt-secondary-instance   3h12m   False   DependencyNotFound   3h12m

verified
  Warning  UpdateFailed  4m47s (x35 over 63m)  computedisk-controller  Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing ComputeDisk "projects/xxdmu-admin1-hub-oi11/zones/northamerica-northeast1-a/disks/mgmt-data-disk": googleapi: Error 403: Required 'compute.disks.get' permission for 'projects/xxdmu-admin1-hub-oi11/zones/northamerica-northeast1-a/disks/mgmt-data-disk', forbidden
  Normal   Updating      2m46s                 computedisk-controller  Update in progress
  Normal   UpToDate      2m33s                 computedisk-controller  The resource is up to date

The text was updated successfully, but these errors were encountered:

fmichaelobrien self-assigned this Oct 24, 2023

fmichaelobrien added automation fortinet labels Oct 24, 2023

obriensystems mentioned this issue Oct 24, 2023

Example 258 fortigate perimeter package deploy procedure/verify for core lz unmanaged client #446

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Regression: roles/compute.instanceAdmin required on networking-sa to fix hub-mgmt-data-disk creation permissions error in hub-env #604

Regression: roles/compute.instanceAdmin required on networking-sa to fix hub-mgmt-data-disk creation permissions error in hub-env #604

obriensystems commented Oct 24, 2023

Regression: roles/compute.instanceAdmin required on networking-sa to fix hub-mgmt-data-disk creation permissions error in hub-env #604

Regression: roles/compute.instanceAdmin required on networking-sa to fix hub-mgmt-data-disk creation permissions error in hub-env #604

Comments

obriensystems commented Oct 24, 2023