Unable to deploy driver to k8s cluster: error listing CSINodes: the server could not find the requested resource #420
Comments
Hi, thanks for reporting the issue. Version 0.5.0 of the CSI driver requires Kubernetes 1.14+. Can you try upgrading your cluster to 1.14?
I upgraded the cluster version to 1.14.7-gke.10.
However, when I re-apply the storage class and PVC YAML files, it's giving a different error:
I have given the below roles to the service account and the key's resource identifier is also correct.
@MeghanaSrinath, thanks for trying this out and sorry it has not gone smoothly for you so far. Which service account did you give those roles to? The role I tried a couple different things and the only way I could reproduce the error you got was by removing the role from my compute service agent. The error was resolved when I added the role back.
@davidz627 Thank you for looking into this issue.
This gives me the below roles, in which 'roles/cloudkms.cryptoKeyEncrypterDecrypter' role is also included:
Is there a restriction that only the compute engine default service account [service-[PROJECT_NUMBER]@compute-system.iam.gserviceaccount.com] should be used for these scenarios? Because I have used a different service account.
@MeghanaSrinath thanks for the extra info, this really helps. The service account you've created (platform@) doesn't actually need the Yes, the compute engine default service account is a special service account that will be used to encrypt/decrypt the disks as they are created or attached and thus requires the You can think of it like this - In this case the PD Driver does not ever hold onto your key or perform any encryption or decryption on your behalf so it doesn't require permissions - you just give it a key "reference" that it then passes to GCE that eventually gets your key and performs the crypto actions on your behalf.
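A check for the situation described in the comment above, as an added example that is not part of the thread or the driver's code: given the JSON output of `gcloud kms keys get-iam-policy ... --format=json`, it reports whether the Compute Engine service agent holds `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key. The function name, project number and `custom-sa@` account are assumptions constructed for illustration.

```python
import json

# Role named in the thread; the service agent address format is the one quoted there.
ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
AGENT_FMT = "serviceAccount:service-{}@compute-system.iam.gserviceaccount.com"

def check_key_policy(policy_json, project_number):
    """Inspect a key-level IAM policy for the encrypter/decrypter binding.

    Only the policy passed in is examined: bindings inherited from the key
    ring or project, and other roles granting the same permissions, are not.
    """
    agent = AGENT_FMT.format(project_number).lower()
    result = {"agent_bound": False, "agent_conditional": False, "other_members": []}
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") != ROLE:
            continue
        for member in binding.get("members", []):
            if member.lower() != agent:
                result["other_members"].append(member)
            elif "condition" in binding:
                result["agent_conditional"] = True  # grant applies only when the condition holds
            else:
                result["agent_bound"] = True
    result["other_members"].sort()
    return result

# Constructed sample data: project number and account names are placeholders.
PROJECT_NUMBER = "123456789012"
CUSTOM_SA = "serviceAccount:custom-sa@example-project.iam.gserviceaccount.com"
BEFORE = json.dumps({"version": 1, "bindings": [
    {"role": ROLE, "members": [CUSTOM_SA]}]})
AFTER = json.dumps({"version": 1, "bindings": [
    {"role": ROLE, "members": [CUSTOM_SA, AGENT_FMT.format(PROJECT_NUMBER)]}]})

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, check_key_policy(policy, PROJECT_NUMBER))
```

Accounts reported in `other_members` hold the role without being the service agent; per the comment above, the driver itself performs no encryption or decryption and does not require permissions on the key.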
@davidz627 so does this mean that the default service account should have the above role instead of my 'platform@' service account? I actually have a cluster which used the 'platform@' service account during provisioning and the PVCs in the cluster are also dynamically provisioned during cluster creation. Hence, I wanted to use the same service account for the KMS encryption of the PVCs.
Thank you @davidz627! This worked and my PVC is now bound.
I'm trying to set up CMEK in my cluster as per the details mentioned here:
https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek#dynamically_provision_an_encrypted
I have deployed the Compute Engine Persistent Disk CSI Driver to my cluster as per the steps mentioned in:
https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/blob/master/docs/kubernetes/development.md
Once I run the deploy-driver.sh script, at the end, I get the below output:
PFA the gcp-compute-persistent-disk-csi-driver-specs-generated.yaml file.
gcp-compute-persistent-disk-csi-driver-specs-generated.txt
I tried to change the apiVersion from scheduling.k8s.io/v1 to scheduling.k8s.io/v1beta1 and re-ran the deploy-driver.sh script. This time, the script successfully ran. Both priorityclass.scheduling.k8s.io/csi-gce-pd-controller and priorityclass.scheduling.k8s.io/csi-gce-pd-node were created.
I have then created the key/key ring and have created the below storage class:
Below is the YAML for the PVC:
However, when I apply the PVC YAML, it fails with the below error and PVC status will be at pending:
Can someone please tell me why this is happening and what can be done to resolve this?
Kubectl version: