Reputation: 3569
I am trying to deploy the new changes to a Kubernetes cluster using Google Cloud Build. Whenever I make some changes the trigger is working fine and it's starting a new build, but here is the issue I am getting with this cloudbuild.yaml.
cloudbuild.yaml
```yaml
steps:
  #step1
  - name: 'gcr.io/cloud-builders/docker'
    args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/cloudbuildtest-image', '.' ]
  #step 2
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/$PROJECT_ID/cloudbuildtest-image']
  #step 3 for testing
  - name: 'gcr.io/cloud-builders/kubectl'
    args: ['get', 'pods']
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=us-central1-a'
      - 'CLOUDSDK_CONTAINER_CLUSTER=cloudbuild-test'
#STEP-4
images:
  - 'gcr.io/$PROJECT_ID/cloudbuildtest-image'
```
Steps 1 and 2 are working fine, but the issue is with step 3, where for testing purposes I simply ran the get pods command to test whether it will work or not. Here is the issue I am getting in the logs.
```text
Running: gcloud container clusters get-credentials --project="journeyfoods-io" --zone="us-central1-a" "cloudbuild-test"
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/XXXX/zones/us-central1-a/clusters/cloudbuild-test".
```
What permissions is it looking for? Do I need to do some authentication before running the steps, or what exactly am I missing?
Upvotes: 1
Views: 259
Reputation: 3186
The steps of a Cloud Build build are executed using the [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com service account. From the Cloud Build documentation page about this topic:
When you enable the Cloud Build API, the service account is automatically created and granted the Cloud Build Service Account role for your project. This role is sufficient for several tasks, including:
- Fetching code from your project's Cloud Source Repository
- Downloading files from any Cloud Storage bucket owned by your project
- Saving build logs in Cloud Logging
- Pushing Docker images to Container Registry
- Pulling base images from Container Registry
But this service account does not have permissions for certain actions by default (in particular, the container.clusters.get permission is not granted by default). So you need to grant it a proper IAM role. In your case the Kubernetes Engine Developer role contains the container.clusters.get permission, as you can see in this page.
Upvotes: 2
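The check and fix described in the answer, worked through as an added example that is not part of the original question or answer: given a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, it determines whether the Cloud Build service account already holds a role that includes `container.clusters.get`, and if not, builds the `gcloud projects add-iam-policy-binding` command that grants the Kubernetes Engine Developer role (`roles/container.developer`) the answer recommends. The sample policy, project id and project number are constructed for the example; `roles/container.admin` is listed as a superset role because Kubernetes Engine Admin includes every Kubernetes Engine Developer permission.

```python
"""Check whether the Cloud Build service account can call
container.clusters.get, and produce the gcloud command that grants it."""
import json
import shlex

# Roles that contain container.clusters.get. roles/container.developer is the
# Kubernetes Engine Developer role named in the answer; roles/container.admin
# (Kubernetes Engine Admin) is a superset of it.
CLUSTER_GET_ROLES = {"roles/container.developer", "roles/container.admin"}

# Role to grant when nothing suitable is bound (the answer's recommendation).
DEFAULT_GRANT_ROLE = "roles/container.developer"


def cloud_build_sa(project_number):
    """IAM member string for the project's Cloud Build service account."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def roles_for_member(policy, member):
    """Return the set of roles bound to `member` in a project IAM policy."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def can_get_clusters(policy, project_number):
    """True if the Cloud Build SA holds a role that includes container.clusters.get."""
    held = roles_for_member(policy, cloud_build_sa(project_number))
    return bool(held & CLUSTER_GET_ROLES)


def grant_command(project_id, project_number, role=DEFAULT_GRANT_ROLE):
    """The gcloud command that adds the missing binding (returned as a string
    so it can be reviewed before being run)."""
    argv = [
        "gcloud", "projects", "add-iam-policy-binding", project_id,
        f"--member={cloud_build_sa(project_number)}",
        f"--role={role}",
    ]
    return " ".join(shlex.quote(arg) for arg in argv)


def remediation(policy, project_id, project_number):
    """None when the build can already fetch cluster credentials, otherwise
    the command an administrator should run."""
    if can_get_clusters(policy, project_number):
        return None
    return grant_command(project_id, project_number)


# Constructed sample: the default state right after enabling the Cloud Build
# API, where the SA only has the Cloud Build Service Account role.
SAMPLE_PROJECT_ID = "example-project"      # constructed placeholder
SAMPLE_PROJECT_NUMBER = "123456789012"     # constructed placeholder
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")


def sample_after_fix():
    """The same policy once the recommended binding has been added."""
    fixed = json.loads(json.dumps(SAMPLE_POLICY))  # deep copy
    fixed["bindings"].append({
        "role": DEFAULT_GRANT_ROLE,
        "members": [cloud_build_sa(SAMPLE_PROJECT_NUMBER)],
    })
    return fixed


if __name__ == "__main__":
    cmd = remediation(SAMPLE_POLICY, SAMPLE_PROJECT_ID, SAMPLE_PROJECT_NUMBER)
    print("before fix:", cmd or "ok")
    cmd = remediation(sample_after_fix(), SAMPLE_PROJECT_ID, SAMPLE_PROJECT_NUMBER)
    print("after fix: ", cmd or "ok")
```

Run it against a real project by replacing `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`; the script only inspects the policy and prints the grant command, it does not change anything itself.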