Service Account Errors on GKE after Updating to 0.63.11

Summary

Users are experiencing service account errors on GKE after updating to version 0.63.11. Errors include Forbidden messages related to listing resources and accessing guest attributes. The user has already configured service accounts but suspects a missing role binding. They are using GKE Autopilot with a non-default service account.


Question

Anyone else getting service account errors on GKE after updating to 0.63.11? Everything upgraded fine, but when trying to check or sync connections, we started getting errors like `Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:airbyte-ns:REDACTED" cannot list resource "pods" in API group "" in the namespace "airbyte-ns"`, `Guest attributes endpoint access is disabled`, `"403 Forbidden" for request "PUT http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/guestInventory/Hostname"`

It seems similar to some past threads:
https://github.com/airbytehq/airbyte/issues/7211
https://airbytehq.slack.com/archives/C02MHKUE4BC/p1652468746315379
I do already have all these set in config:

```
  serviceAccountName: REDACTED

serviceAccount:
  create: true
  name: REDACTED
```
It seems like there may be a missing role binding or something. For what it's worth, we're using GKE Autopilot and a non-default service account.

As a workaround, I granted our SA `roles/container.clusterAdmin`—but it really shouldn't need these permissions to create pods in its own deployments.

(If any Airbyte folks are reading, it would be awesome if you added a list of minimum-required roles for each platform like you have been with [Storage and Secrets Management config](https://docs.airbyte.com/deploying-airbyte/infrastructure/gcp)!)
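
Added example, not part of the original thread and not Airbyte's code: one way to turn RBAC denials like the one quoted above into a namespaced Role and RoleBinding limited to the verbs that were actually refused, instead of granting `roles/container.clusterAdmin`. The function name, the `observed` name prefix, the placeholder account `airbyte-sa` and the sample log lines are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Shape of the API server's RBAC denial, as quoted in the post above.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<ns>[^"]+)")?')
RBAC = "rbac.authorization.k8s.io"

def roles_from_denials(lines, prefix="observed"):
    """Return (kubectl-appliable List, cluster-scoped denials a Role cannot cover)."""
    needed = defaultdict(lambda: defaultdict(set))
    cluster_scoped = []
    for line in lines:
        for m in DENIAL.finditer(line):
            if m["ns"] is None:  # "... at the cluster scope": would need a ClusterRole
                cluster_scoped.append((m["sa"], m["verb"], m["res"]))
                continue
            needed[(m["ns"], m["sa_ns"], m["sa"])][(m["group"], m["res"])].add(m["verb"])
    items = []
    for (ns, sa_ns, sa), grants in sorted(needed.items()):
        meta = {"name": f"{prefix}-{sa}", "namespace": ns}
        rules = [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                 for (g, r), v in sorted(grants.items())]
        items.append({"apiVersion": f"{RBAC}/v1", "kind": "Role",
                      "metadata": meta, "rules": rules})
        items.append({"apiVersion": f"{RBAC}/v1", "kind": "RoleBinding", "metadata": meta,
                      "roleRef": {"apiGroup": RBAC, "kind": "Role", "name": meta["name"]},
                      "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": sa_ns}]})
    return {"apiVersion": "v1", "kind": "List", "items": items}, cluster_scoped

# Constructed sample log lines; "airbyte-sa" is a placeholder for the redacted account.
WHO = 'User "system:serviceaccount:airbyte-ns:airbyte-sa"'
SAMPLE = [
    f'pods is forbidden: {WHO} cannot list resource "pods" in API group "" in the namespace "airbyte-ns"',
    f'pods is forbidden: {WHO} cannot create resource "pods" in API group "" in the namespace "airbyte-ns"',
    f'nodes is forbidden: {WHO} cannot list resource "nodes" in API group "" at the cluster scope',
    '"403 Forbidden" for request "PUT http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/guestInventory/Hostname"',
]

if __name__ == "__main__":
    manifest, skipped = roles_from_denials(SAMPLE)
    print(json.dumps(manifest, indent=2))  # review the rules before piping to: kubectl apply -f -
    for sa, verb, res in skipped:
        print(f"# cluster-scoped, not covered by a Role: {sa} cannot {verb} {res}")
```

The generated rules cover only denials that have already been logged, so rerun it after exercising check and sync until no new denials appear. The metadata-server 403 line does not match the RBAC denial shape and produces no rule.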


---

This topic has been created from a Slack thread to give it more visibility.
It will be on Read-Only mode here. [Click here](https://airbytehq.slack.com/archives/C021JANJ6TY/p1722005012111539) if you want to access the original thread.


<sub>
["service-account-errors", "gke", "update", "forbidden", "role-binding", "autopilot", "minimum-required-roles"]
</sub>