Bug
Resolution: Done-Errata
Normal
4.15.z, 4.17.z, 4.16.z, 4.18.z
Quality / Stability / Reliability
Important
Done
Release Note Not Required
This is a clone of issue OCPBUGS-55083. The following is the description of the original issue:
—
Description of problem:
The error

Error 403: Required 'compute.images.useReadOnly' permission

is experienced whenever a Machine is created with at least one additionalDisk that references a project image; the MachineSet under Steps to Reproduce below shows such a configuration.
Version-Release number of selected component (if applicable):
The issue can be experienced in OCP 4.15 and later, where custom roles are created for the GCP service accounts instead of using the GCP predefined roles.
Steps to Reproduce:
1. Create an empty disk image
2. Create a MachineSet like the following:
apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  name: ocp418-gizzi-2kts2-worker-c
  namespace: openshift-machine-api
  labels:
    machine.openshift.io/cluster-api-cluster: ocp418-gizzi-2kts2
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: ocp418-gizzi-2kts2
      machine.openshift.io/cluster-api-machineset: ocp418-gizzi-2kts2-worker-c
  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: ocp418-gizzi-2kts2
        machine.openshift.io/cluster-api-machine-role: worker
        machine.openshift.io/cluster-api-machine-type: worker
        machine.openshift.io/cluster-api-machineset: ocp418-gizzi-2kts2-worker-c
    spec:
      lifecycleHooks: {}
      metadata: {}
      providerSpec:
        value:
          machineType: n2-standard-8
          userDataSecret:
            name: worker-user-data
          deletionProtection: false
          networkInterfaces:
          - network: ocp418-gizzi-2kts2-network
            subnetwork: ocp418-gizzi-2kts2-worker-subnet
          credentialsSecret:
            name: gcp-cloud-credentials
          zone: europe-west12-b
          canIPForward: false
          metadata:
            creationTimestamp: null
          projectID: openenv-cmb92
          region: europe-west12
          kind: GCPMachineProviderSpec
          disks:
          - autoDelete: true
            boot: true
            image: projects/rhcos-cloud/global/images/rhcos-418-94-202501221327-0-gcp-x86-64
            labels: {}
            sizeGb: 120
            type: pd-ssd
          - autoDelete: true
            boot: false
            image: projects/openenv-cmb92/global/images/ocp-empty
            labels: {}
            sizeGb: 200
            type: pd-ssd
          tags:
          - ocp418-gizzi-2kts2-worker
          serviceAccounts:
          - email: ocp418-gizzi-2kts2-w@openenv-cmb92.iam.gserviceaccount.com
            scopes:
            - 'https://www.googleapis.com/auth/cloud-platform'
          apiVersion: machine.openshift.io/v1beta1
          shieldedInstanceConfig: {}
Actual results:
ocp418-gizzi-2kts2-worker-c-jmmrq: reconciler failed to Create machine: error launching instance: googleapi: Error 403: Required 'compute.images.useReadOnly' permission for 'projects/openenv-cmb92/global/images/ocp-empty', forbidden
Expected results:
The Machine is provisioned
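As an added illustration (not code from this report or from OpenShift), the following pre-flight check walks the disks of a GCPMachineProviderSpec, parses each image reference, and reports images in the cluster's own project when the worker service account's custom role lacks compute.images.useReadOnly. It assumes that images in other projects (such as the public rhcos-cloud images) are authorised by their owning project, so only images in projectID are checked; the provider spec and the two role permission sets are constructed from the MachineSet in this report.

```python
import re
from typing import Iterable

# GCP image references have the form projects/<project>/global/images/<name>
IMAGE_REF = re.compile(r"^projects/(?P<project>[^/]+)/global/images/(?P<name>[^/]+)$")

# Permission the GCP API demanded in the error quoted in this report.
USE_IMAGE_PERMISSION = "compute.images.useReadOnly"


def image_refs(provider_spec: dict) -> list[tuple[str, str, bool]]:
    """Return (project, image name, is_boot) for every disk that references an image."""
    refs = []
    for disk in provider_spec.get("disks", []):
        image = disk.get("image")
        if not image:
            continue  # disks created empty or from a snapshot carry no image reference
        m = IMAGE_REF.match(image)
        if not m:
            raise ValueError(f"unrecognised image reference: {image}")
        refs.append((m["project"], m["name"], bool(disk.get("boot"))))
    return refs


def missing_image_permissions(provider_spec: dict, role_permissions: Iterable[str]) -> list[str]:
    """List image references in the cluster project that the given role cannot use.

    Assumption: only images owned by projectID are governed by the cluster's custom
    role; images in other projects (e.g. rhcos-cloud) are granted by their owner.
    """
    granted = set(role_permissions)
    cluster_project = provider_spec["projectID"]
    findings = []
    for project, name, _boot in image_refs(provider_spec):
        if project == cluster_project and USE_IMAGE_PERMISSION not in granted:
            findings.append(f"projects/{project}/global/images/{name} needs {USE_IMAGE_PERMISSION}")
    return findings


# Constructed input: projectID and disks taken from the MachineSet in this report.
PROVIDER_SPEC = {
    "projectID": "openenv-cmb92",
    "disks": [
        {"boot": True, "image": "projects/rhcos-cloud/global/images/rhcos-418-94-202501221327-0-gcp-x86-64"},
        {"boot": False, "image": "projects/openenv-cmb92/global/images/ocp-empty"},
    ],
}
# Constructed permission sets: one missing the image permission (failing case), one corrected.
ROLE_WITHOUT = {"compute.instances.create", "compute.disks.create"}
ROLE_WITH = ROLE_WITHOUT | {USE_IMAGE_PERMISSION}

if __name__ == "__main__":
    for finding in missing_image_permissions(PROVIDER_SPEC, ROLE_WITHOUT):
        print(finding)
```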
Issue links:
- blocks: OCPBUGS-57073 [GCP] Error 403: Required 'compute.images.useReadOnly' permission for a custom image attached to additional disks in MachineSet (Closed)
- clones: OCPBUGS-55083 [GCP] Error 403: Required 'compute.images.useReadOnly' permission for a custom image attached to additional disks in MachineSet (Closed)
- is blocked by: OCPBUGS-55083 [GCP] Error 403: Required 'compute.images.useReadOnly' permission for a custom image attached to additional disks in MachineSet (Closed)
- is cloned by: OCPBUGS-57073 [GCP] Error 403: Required 'compute.images.useReadOnly' permission for a custom image attached to additional disks in MachineSet (Closed)
- links to: RHBA-2025:9269 OpenShift Container Platform 4.18.18 bug fix update