Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-38152

[GCP CAPI install] Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded

XMLWordPrintable

    • Important
    • None
    • Installer Sprint 257, Installer (PB) Sprint 258
    • 2
    • Proposed
    • False
    • Hide

      None

      Show
      None

      Description of problem:

          Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded, by telling error "error getting load balancer's firewall: googleapi: Error 403: Required 'compute.firewalls.get' permission for 'projects/openshift-qe-shared-vpc/global/firewalls/k8s-fw-a5b1f420669b3474d959cff80e8452dc'"

      Version-Release number of selected component (if applicable):

          4.17.0-0.nightly-multi-2024-08-07-221959

      How reproducible:

          Always

      Steps to Reproduce:

      1. "create install-config", then insert the interested settings (see [1])
      2. "create cluster" (see [2])
      

      Actual results:

          Installation failed, because cluster operator ingress degraded (see [2] and [3]). 
      
      $ oc get co ingress
      NAME      VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
      ingress             False       True          True       113m    The "default" ingress controller reports Available=False: IngressControllerUnavailable: One or more status conditions indicate unavailable: LoadBalancerReady=False (SyncLoadBalancerFailed: The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: error getting load balancer's firewall: googleapi: Error 403: Required 'compute.firewalls.get' permission for 'projects/openshift-qe-shared-vpc/global/firewalls/k8s-fw-a5b1f420669b3474d959cff80e8452dc', forbidden...
      $ 
      
      In fact the mentioned k8s firewall-rule doesn't exist in the host project (see [4]), and, the given service account does have enough permissions (see [6]).
      

      Expected results:

          Installation succeeds, and all cluster operators are healthy. 

      Additional info:

          

              bfournie@redhat.com Robert Fournier
              rhn-support-jiwei Jianli Wei
              Jianli Wei Jianli Wei
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: