ASM requesting NET_ADMIN capabilities

Hello,

I have installed ASM using the asmcli on a GKE autopilot cluster by following the instructions mentioned here:  https://cloud.google.com/service-mesh/docs/managed/provision-managed-anthos-service-mesh-asmcli?auth...

However, after deploying the online boutique application, I'm unable to roll out the new deployment after labeling and annotating the namespaces. Each workload requests NET_ADMIN capabilities (see screenshot below).

The cluster was properly registered to the fleet:


> gcloud container fleet mesh describe --project hidden
createTime: '2023-08-16T18:32:12.619567872Z'
membershipSpecs:
  projects/hidden/locations/northamerica-northeast1/memberships/hidden:
    mesh:
      management: MANAGEMENT_AUTOMATIC
membershipStates:
  projects/hidden/locations/northamerica-northeast1/memberships/hidden:
    servicemesh:
      controlPlaneManagement:
        details:
        - code: REVISION_READY
          details: 'Ready: asm-managed'
        state: ACTIVE
      dataPlaneManagement:
        details:
        - code: OK
          details: Service is running.
        state: ACTIVE
    state:
      code: OK
      description: 'Revision(s) ready for use: asm-managed.'
      updateTime: '2023-09-13T14:10:25.437365433Z'
name: projects/hidden/locations/global/features/servicemesh
resourceState:
  state: ACTIVE


I have also tried using the fleet API but ran into the same issue. Strangely, the same set of steps worked for another project space.

Am I missing something here?

Any help is appreciated.


Hello @vedantthapa,

By default, GKE Autopilot clusters do not have NET_ADMIN capabilities enabled. To enable this capability, you should include the --workload-policies=allow-net-admin flag when creating or updating a cluster. This feature is available on clusters running GKE version 1.27 and later.

For updating an existing cluster, you can use the following command:

gcloud container clusters update example-cluster --workload-policies=allow-net-admin

To create a new cluster with NET_ADMIN capabilities, include the --workload-policies=allow-net-admin option in the gcloud container clusters create-auto command, like this:

gcloud container clusters create-auto example-cluster \
--region=$REGION \
--release-channel=regular \
--cluster-version=1.27.2-gke.1200 \
--project=$PROJECT_ID \
--workload-policies=allow-net-admin

This will ensure that the NET_ADMIN capabilities are allowed in your GKE Autopilot cluster. But I'm not sure if this is an expected behaviour in managed Anthos Service Mesh installations.

Hi @devenes, thanks for the response.

To your last point, that's what I wanted to confirm. Is allowing the NET_ADMIN capability required for ASM installations? Because this isn't documented in any of the tutorials that I've seen. Plus, as I mentioned earlier, the same set of commands works in a different GKE autopilot cluster, which I found extremely weird.

Hi @vedantthapa,

I've noticed that for manual Istio installations in GKE Autopilot clusters, allowing the NET_ADMIN capability is necessary. However, it should not be necessary for Managed Anthos Service Mesh installations. It appears that there might be an issue with your cluster or ASM setup, as the configuration seems to be incomplete or incorrect.

Did you follow https://cloud.google.com/service-mesh/docs/managed/provision-managed-anthos-service-mesh#deploy_appl...?
You don't want to use the istio-injection but rather the revision label.
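A quick way to confirm both points raised above (which containers actually add NET_ADMIN/NET_RAW, and whether the namespace carries the revision label rather than istio-injection) is to audit the namespace and pod objects. This is an added example, not code from the thread or from Google; it runs on a constructed sample shaped like `kubectl get ns/pods -o json` output, and the `istio-init` container, pod names and label values in that sample are assumed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get ... -o json` output (not real cluster data).
SAMPLE_NS = {"metadata": {"name": "boutique",
                          "labels": {"istio-injection": "enabled"}}}
SAMPLE_PODS = json.loads("""[
 {"metadata": {"name": "frontend-1"},
  "spec": {"initContainers": [{"name": "istio-init",
            "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}],
           "containers": [{"name": "server"},
                          {"name": "istio-proxy",
                           "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
 {"metadata": {"name": "cart-1"},
  "spec": {"containers": [{"name": "server"}]}}
]""")

# Capabilities that Autopilot rejects unless the workload policy allows them.
PRIVILEGED_CAPS = {"NET_ADMIN", "NET_RAW"}

def caps_requested(pod):
    """(container, capability) pairs for every privileged capability a pod adds."""
    spec = pod.get("spec", {})
    found = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        caps = c.get("securityContext", {}).get("capabilities", {}).get("add", [])
        found.extend((c["name"], cap) for cap in caps if cap in PRIVILEGED_CAPS)
    return found

def label_problem(ns):
    """Explain why the namespace label would not get managed-ASM sidecar injection."""
    labels = ns.get("metadata", {}).get("labels", {})
    if labels.get("istio-injection") == "enabled":
        return "istio-injection=enabled set; managed ASM needs istio.io/rev=<revision>"
    if "istio.io/rev" not in labels:
        return "no istio.io/rev label; nothing will inject sidecars"
    return None

def audit(ns, pods):
    """Report offending pods (name -> (container, cap) pairs) and the label finding."""
    hits = {p["metadata"]["name"]: caps_requested(p) for p in pods}
    return {"namespace": ns["metadata"]["name"],
            "label_problem": label_problem(ns),
            "pods_requesting_caps": {n: h for n, h in hits.items() if h}}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_NS, SAMPLE_PODS), indent=2))
```

A pod whose only capability request comes from an `istio-init` init container points at the classic iptables-based injection path rather than the managed data plane, which is what the label check helps explain.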

@garisingh Yep, I did use the right label.

Anyways, the issue has been resolved after re-creating the cluster, although I'm not sure why it wasn't fixed in the previous restarts. As @devenes pointed out, I think it probably was a configuration issue.
