gke/WARN/2022_007

GKE nodes need Storage API access scope to retrieve build artifacts

Product: Google Kubernetes Engine
Rule class: WARN - Something that is possibly wrong

Description

GKE nodes must have the storage.googleapis.com API access scope to retrieve build artifacts. These artifacts can be binaries or configs for the node bootstrapping process, or images from private Container Registry or Artifact Registry repositories. Nodes may report connection timeouts during node bootstrapping, or 401 Unauthorized errors when they cannot pull from private repositories.

Remediation

The best practice when it comes to access scopes is to set the cloud-platform access scope and then control the service account’s access by granting it IAM roles. Alternatively, use the gke-default alias when creating node pools or clusters to provide all the scopes required for GKE to run smoothly.
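As an added example (not gcpdiag's own code), the following shell script reproduces the rule's check: it treats any devstorage.* scope or cloud-platform as satisfying the Storage API requirement, and reads a cluster's node pool scopes with gcloud. The gcloud invocation in check_node_pools needs project access and is not run offline; the scope sets at the bottom are constructed sample input.

```shell
#!/bin/sh
# Scopes that grant Storage API access; cloud-platform subsumes all of them.
STORAGE_SCOPES="https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.full_control"

# has_storage_scope SCOPES: SCOPES is a whitespace-separated scope list.
# Returns 0 if at least one Storage API scope is present, 1 otherwise.
has_storage_scope() {
  for s in $1; do
    for wanted in $STORAGE_SCOPES; do
      [ "$s" = "$wanted" ] && return 0
    done
  done
  return 1
}

# check_node_pools CLUSTER LOCATION: print one line per node pool and flag
# those gcpdiag would warn about. 'value()' separates columns with a tab and
# list items with ';'. Requires gcloud and access to the project.
check_node_pools() {
  gcloud container node-pools list --cluster "$1" --location "$2" \
      --format='value(name,config.oauthScopes)' |
  while IFS="$(printf '\t')" read -r pool scopes; do
    if has_storage_scope "$(printf '%s' "$scopes" | tr ';' ' ')"; then
      echo "OK    $pool"
    else
      echo "WARN  $pool: no Storage API scope; nodes cannot fetch build artifacts or private images"
    fi
  done
}

# Constructed samples: what the gke-default alias expands to, versus a node
# pool created with only logging and monitoring scopes.
GKE_DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/monitoring https://www.googleapis.com/auth/service.management.readonly https://www.googleapis.com/auth/servicecontrol https://www.googleapis.com/auth/trace.append'
NO_STORAGE_SCOPES='https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/monitoring'

has_storage_scope "$GKE_DEFAULT_SCOPES" && echo "gke-default: OK"
has_storage_scope "$NO_STORAGE_SCOPES" || echo "logging/monitoring only: WARN"
```

Access scopes are fixed when a node pool is created, so remediation means creating a new node pool with --scopes=cloud-platform (or gke-default) and moving workloads to it rather than editing the existing pool.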

Further information