This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Kubernetes Engine Node Service Agent doesn't exist

Posted on 10-06-2023 07:54 PM
g_munish
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hey All, I have both GKE Std and GKE Autopilot clusters in my gcp project that have been running for a few months. 

Per the link https://cloud.google.com/iam/docs/service-agents#kubernetes-engine-node-service-agent, I would expect to see "Kubernetes Engine Node Service Agent" in my project. However, I am unable to find it on the IAM screen. I did check "Include Google-provided role grants". I do see service-xxxx@container-engine-robot.iam.gserviceaccount.com but not the Kubernetes Engine Node Service Agent. 

How and when does this account get created?

 

0 5 1,781
Topic Labels
0 Likes
5 REPLIES 5

Posted on --/--/---- --:-- AM
garisingh
Staff
Reply posted on --/--/---- --:-- AM

The account is only used as the default default service account for Autopilot clusters when you do not specify a service account during cluster creation.

0 Likes

Posted on --/--/---- --:-- AM
g_munish
Bronze 1
Bronze 1
In response to garisingh
Reply posted on --/--/---- --:-- AM

Good to hear from you buddy. @garisingh 

So, if I create a autopilot cluster with default service account. I should see the node service agent get created in my GCP project correct? I did create such a cluster but I don't see the service agent account. please let me know what other information you need to help move this along. I am also open to GVC if that helps.

0 Likes

Posted on --/--/---- --:-- AM
g_munish
Bronze 1
Bronze 1
In response to g_munish
Reply posted on --/--/---- --:-- AM

also @garisingh if you could get this documentation updated. https://cloud.google.com/iam/docs/service-agents#kubernetes-engine-node-service-agent to reflect that it only applies to autopilot running with default SA, that would be great.

0 Likes

Posted on --/--/---- --:-- AM
Stevko
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Kubernetes Engine Service Agent is role you assign to a Service Account.

Click on IAM, click on Service Accounts, select your service account, Grant Permissions, find that role and assign it, save...

 

0 Likes

Posted on --/--/---- --:-- AM
shannduin
Staff
In response to Stevko
Reply posted on --/--/---- --:-- AM

Yes and no, the service agent role is a role that Google assigns to the Google-managed service account called "Kubernetes Engine Node Service Agent". You shouldn't assign service agent roles to other principals. 

Use the Kubernetes Engine Node Service Account role (roles/container.nodeServiceAccount) instead

0 Likes
Top Labels in this Space
Top Solution Authors
View all