OpenShift Bugs: OCPBUGS-45404

[GCP XPN] "destroy cluster" gets stuck due to "failed to fetch project IAM policy" in the host project


    • Quality / Stability / Reliability
    • Important
    • Proposed
    • In Progress
    • Release Note Not Required

      Description of problem:

          The testing scenario is an IPI installation into a shared VPC, with pre-configured firewall rules, the DNS private zone, and the service account for control-plane nodes. According to the OCP doc "Required GCP permissions for shared VPC installation" (https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/installing_on_gcp/installing-gcp-account#minimum-required-permissions-ipi-gcp-xpn_installing-gcp-account), since the control-plane service account has been specified, the permission "resourcemanager.projects.getIamPolicy" in the host project is not necessary. But during "destroy cluster", the ".openshift_install.log" keeps logging the message below, which seems to be what leaves "destroy cluster" hung.
      
      time="2024-12-03T13:33:57+08:00" level=debug msg="Service accounts: failed to fetch project IAM policy in project openshift-qe-shared-vpc: googleapi: Error 403: Permission 'resourcemanager.projects.getIamPolicy' denied on resource '//cloudresourcemanager.googleapis.com/projects/openshift-qe-shared-vpc' (or it may not exist).\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"cloudresourcemanager.googleapis.com\",\n    \"metadata\": {\n      \"permission\": \"resourcemanager.projects.getIamPolicy\",\n      \"resource\": \"projects/openshift-qe-shared-vpc\"\n    },\n    \"reason\": \"IAM_PERMISSION_DENIED\"\n  }\n]\n, forbidden"
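The log line above carries a structured google.rpc.ErrorInfo block (permission, resource, reason) that a destroy loop can use to tell a permanent least-privilege denial on the host project apart from a transient failure worth retrying. The Go code below is an added illustration, not code from the OpenShift installer: it parses the Details block out of a message shaped like the one in this bug and returns a Skip decision when the denied permission is on the shared-VPC host project, so a cleanup step can log and move on instead of looping. The function names (`parseErrorInfo`, `classifyHostProjectError`), the `Decision` type and the sample message (the quoted log message with its `\n` escapes expanded) are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrorInfo mirrors the google.rpc.ErrorInfo detail that GCP embeds in a
// 403 response body, as seen in the installer log quoted in this bug.
type ErrorInfo struct {
	Type     string            `json:"@type"`
	Domain   string            `json:"domain"`
	Metadata map[string]string `json:"metadata"`
	Reason   string            `json:"reason"`
}

// Decision is what a destroy loop should do with the error from one cleanup step.
type Decision int

const (
	Retry Decision = iota // not a permission error: leave to the generic backoff path
	Skip                   // permanent denial on a project we were never required to read
	Fail                   // a 403 we cannot explain: abort the step instead of spinning
)

// sampleMsg is a constructed copy of the error text from this bug's log line,
// with the escaped newlines expanded so the Details block is real JSON.
const sampleMsg = `failed to fetch project IAM policy in project openshift-qe-shared-vpc: googleapi: Error 403: Permission 'resourcemanager.projects.getIamPolicy' denied on resource '//cloudresourcemanager.googleapis.com/projects/openshift-qe-shared-vpc' (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "cloudresourcemanager.googleapis.com",
    "metadata": {
      "permission": "resourcemanager.projects.getIamPolicy",
      "resource": "projects/openshift-qe-shared-vpc"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]
, forbidden`

// parseErrorInfo extracts the ErrorInfo entries from the "Details:" block of a
// googleapi error message. It returns nil, nil when no Details block is present.
func parseErrorInfo(msg string) ([]ErrorInfo, error) {
	i := strings.Index(msg, "Details:")
	if i < 0 {
		return nil, nil
	}
	rest := msg[i+len("Details:"):]
	start := strings.Index(rest, "[")
	end := strings.LastIndex(rest, "]")
	if start < 0 || end < start {
		return nil, errors.New("malformed Details block")
	}
	var infos []ErrorInfo
	if err := json.Unmarshal([]byte(rest[start:end+1]), &infos); err != nil {
		return nil, err
	}
	return infos, nil
}

// classifyHostProjectError decides whether a getIamPolicy failure should keep the
// destroyer looping. hostProject is the shared-VPC host project; an
// IAM_PERMISSION_DENIED on exactly that project is treated as permanent, because
// the documented permission set does not require getIamPolicy there when the
// control-plane service account is supplied. Any other 403 is reported as Fail
// so a genuinely missing permission is surfaced rather than silently skipped.
func classifyHostProjectError(msg, hostProject string) (Decision, string) {
	if !strings.Contains(msg, "Error 403") {
		return Retry, "not a 403: leave to the generic retry path"
	}
	infos, err := parseErrorInfo(msg)
	if err != nil {
		return Fail, "403 with unparsable details: " + err.Error()
	}
	for _, info := range infos {
		if info.Reason == "IAM_PERMISSION_DENIED" &&
			info.Metadata["resource"] == "projects/"+hostProject {
			return Skip, fmt.Sprintf("missing %s on host project %s; skipping the IAM policy lookup there",
				info.Metadata["permission"], hostProject)
		}
	}
	return Fail, "403 on an unexpected resource; not safe to skip"
}

func main() {
	d, why := classifyHostProjectError(sampleMsg, "openshift-qe-shared-vpc")
	fmt.Printf("decision=%d reason=%s\n", d, why)
}
```

The key design choice is that only a denial whose ErrorInfo resource matches the configured host project is skippable; a 403 on the cluster's own project, or one without parsable details, fails the step loudly, so the lookup is never silently dropped where the permission really is required.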

      Version-Release number of selected component (if applicable):

          4.18.0-0.nightly-multi-2024-12-02-195414

      How reproducible:

          Always

      Steps to Reproduce:

      0. supposing correct firewall rules have been pre-configured within the shared VPC
      1. activate the service account for the testing (see [1])
      2. "create install-config", and then insert the settings of interest (see [2])
      3. pre-configure a DNS private zone bound to the shared VPC, with the DNS name matching the cluster's "<cluster name>.<base domain>." (see [3])
      4. "create cluster", and make sure it succeeds (see [4])
      5. "destroy cluster" (see [5])

      Actual results:

          "destroy cluster" gets stuck indefinitely.

      Expected results:

          "destroy cluster" should finish within several minutes, along with all cluster resources getting deleted.

      Additional info:

          The .openshift_install.log is available at https://drive.google.com/file/d/1mpd474NmUkB9uB01y8ZIpWeJxmaz-zNO/view?usp=drive_link

              rh-ee-bbarbach Brent Barbachem
              rhn-support-jiwei Jianli Wei