gke/ERR/2024_003

GKE nodes service account permissions fit container.defaultNodeServiceAccount role

Product: Google Kubernetes Engine
Rule class: Something that is very likely to be wrong

Description

The service account used by GKE nodes should hold the permissions of the container.defaultNodeServiceAccount role; otherwise ingestion of node logs and metrics will not work.

Remediation

Make sure your GKE node pool service accounts have the following role binding in the project IAM policy:

  • Principal: GKE node pool service account
  • Role: container.defaultNodeServiceAccount

or use a custom role that contains the same permissions.
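The following is an added example of this check, not gcpdiag's own implementation: it inverts a project IAM policy (the JSON shape returned by `gcloud projects get-iam-policy`) and reports node pools whose service account lacks roles/container.defaultNodeServiceAccount. The policy, node pools, project name and the custom role name are constructed sample data; the set of operator-approved equivalent custom roles is an assumption, since the rule only says such a role is acceptable.

```python
import json
from typing import Dict, Iterable, List, Set

# Predefined role that rule gke/ERR/2024_003 expects on every node pool SA.
REQUIRED_ROLE = "roles/container.defaultNodeServiceAccount"

# Constructed sample project IAM policy (not from a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/container.defaultNodeServiceAccount",
         "members": ["serviceAccount:gke-nodes-prod@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:gke-nodes-dev@example-project.iam.gserviceaccount.com"]},
        {"role": "projects/example-project/roles/gkeNodeCustom",   # constructed custom role
         "members": ["serviceAccount:gke-nodes-custom@example-project.iam.gserviceaccount.com"]},
    ]
})

# Constructed node pool -> service account mapping (config.serviceAccount of each pool).
SAMPLE_NODE_POOLS = {
    "prod-pool": "gke-nodes-prod@example-project.iam.gserviceaccount.com",
    "dev-pool": "gke-nodes-dev@example-project.iam.gserviceaccount.com",
    "custom-pool": "gke-nodes-custom@example-project.iam.gserviceaccount.com",
}


def roles_by_member(policy_json: str) -> Dict[str, Set[str]]:
    """Invert the IAM policy into member -> set of roles bound to it."""
    result: Dict[str, Set[str]] = {}
    for binding in json.loads(policy_json).get("bindings", []):
        if "condition" in binding:
            continue  # a conditional grant may not apply to the node; do not count it
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result


def find_noncompliant_pools(policy_json: str, node_pools: Dict[str, str],
                            equivalent_custom_roles: Iterable[str] = ()) -> List[str]:
    """Return node pools whose SA has neither REQUIRED_ROLE nor an approved custom role.

    equivalent_custom_roles: custom roles the operator has verified to carry the same
    permissions as REQUIRED_ROLE (assumption: this list is maintained by the operator).
    """
    accepted = {REQUIRED_ROLE} | set(equivalent_custom_roles)
    granted = roles_by_member(policy_json)
    return [pool for pool, sa in sorted(node_pools.items())
            if not granted.get(f"serviceAccount:{sa}", set()) & accepted]


if __name__ == "__main__":
    print(find_noncompliant_pools(SAMPLE_POLICY, SAMPLE_NODE_POOLS))
```

Pools listed by the function are the ones this rule would flag; roles/logging.logWriter alone does not satisfy it.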

Further information