Cloud datastore IAM credentials fail after minion replacement in Container Engine


tnine via StackOverflow

May 10, 2017, 12:43:08 AM5/10/17
to gcd-stac...@googlegroups.com

I'm experiencing what I believe is a bug in the Google Container Engine service. I have the following scenario that reproduces it consistently.

Spin up a container engine/k8s cluster. Enable the permission to access Google Cloud datastore on creation.

Deploy a container that reads from the Cloud Datastore. It will work as expected.

Navigate to the running VM instances tab, and select the minion nodes. Delete them.

At this point, the k8s instance groups will spin up replacement minions. Attempt to access the Cloud Datastore from the container, and you will see the following error.

rpc error: code = 7 desc = Missing or insufficient permissions

I can work around the issue by creating a service account, using it within a secret, and mounting this secret within my containers. However, this seems to be a bug with the IAM permissions not properly propagating to the Instance Group.



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/43883690/cloud-datastore-iam-credentials-fail-after-minion-replacement-in-container-engin
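The workaround described in the post (a service account key held in a Secret and mounted into the container), written out as an added example that is not from the post or from Google Container Engine. Names such as `datastore-sa-key`, `datastore-reader`, `key.json` and the image reference are assumptions; the service account behind the key is assumed to be granted only `roles/datastore.user`.

```yaml
# Added example (not from the original post). All names are assumed.
# Create the Secret out of band so the key file never lands in the manifest or in version control:
#   kubectl create secret generic datastore-sa-key --from-file=key.json=./sa-key.json
apiVersion: apps/v1
kind: Deployment
metadata:
  name: datastore-reader
spec:
  replicas: 1
  selector:
    matchLabels:
      app: datastore-reader
  template:
    metadata:
      labels:
        app: datastore-reader
    spec:
      # The app talks to Cloud Datastore, not to the Kubernetes API; do not hand it a k8s token.
      automountServiceAccountToken: false
      containers:
      - name: app
        image: gcr.io/PROJECT_ID/datastore-reader:TAG   # placeholder image reference
        env:
        # Google client libraries pick up the key from this variable instead of node metadata,
        # so the pod keeps working when the minion is replaced.
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
        volumeMounts:
        - name: sa-key
          mountPath: /var/secrets/google
          readOnly: true
      volumes:
      - name: sa-key
        secret:
          secretName: datastore-sa-key
```

Because the credential now lives in the cluster rather than on the node, bind the service account to `roles/datastore.user` only and rotate the key on a schedule.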