gke/ERR/2021_001
GKE nodes service account permissions for logging.
Product: Google Kubernetes Engine
Rule class: ERR - Something that is very likely to be wrong
Description
The service account used by GKE nodes should have the logging.logWriter role; otherwise, ingestion of logs won't work.
Remediation
Make sure that you have the following role binding in the IAM policy:
- Principal: GKE node pool service account
- Role: roles/logging.logWriter
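One way to check for this binding offline is shown below. It is an added example, not code from the rule itself, and it assumes the policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`. It looks only for a direct binding of this exact role in the project-level policy; the account names, project number and function names are constructed for illustration.

```python
import json

ROLE = "roles/logging.logWriter"

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json` output.
# All account names and the project number are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:gke-batch@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2021-06-01T00:00:00Z')"}},
  {"role": "roles/monitoring.metricWriter",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
]}
""")

def resolve_node_sa(configured, project_number):
    """A node pool set to 'default' runs as the Compute Engine default service account."""
    if configured == "default":
        return f"{project_number}-compute@developer.gserviceaccount.com"
    return configured

def log_writer_status(policy, sa_email):
    """Return 'ok', 'conditional' or 'missing' for the logWriter binding of sa_email."""
    member = f"serviceAccount:{sa_email}"
    status = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") != ROLE or member not in binding.get("members", []):
            continue
        if "condition" not in binding:
            return "ok"            # unconditional grant: logs can always be written
        status = "conditional"     # grant depends on an IAM condition; review it
    return status

if __name__ == "__main__":
    for configured in ("gke-nodes@example-project.iam.gserviceaccount.com",
                       "gke-batch@example-project.iam.gserviceaccount.com",
                       "default"):
        sa = resolve_node_sa(configured, "123456789012")
        print(f"{sa}: {log_writer_status(SAMPLE_POLICY, sa)}")
```

A `conditional` result means the role is bound only under an IAM condition, so log ingestion can still fail when the condition does not hold.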