gke/WARN/2022_007
GKE nodes need Storage API access scope to retrieve build artifacts
Product: Google Kubernetes Engine
Rule class: WARN - Something that is possibly wrong
Description
GKE nodes must have the storage.googleapis.com API access scope to retrieve build artifacts.
These artifacts can be binaries or configs used by the node bootstrapping process, or images pulled from private Container Registry or Artifact Registry repositories. Without the scope, nodes may report connection timeouts during bootstrapping, or 401 Unauthorized errors when they try to pull from private repositories.
Remediation
The best practice for access scopes is to grant the nodes the cloud-platform access scope and then control what the node service account can actually do by granting it IAM roles. Alternatively, use the gke-default alias when creating node pools or clusters; it provides all the scopes required for GKE to run smoothly.
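The following is an added example, not part of the gcpdiag rule or Google's tooling. It shows how an operator can check a node pool for this condition and what the remediation commands from the text look like. It assumes the scope URIs that grant Cloud Storage access are the devstorage.* scopes and cloud-platform (the gke-default alias includes devstorage.read_only), that gcloud is installed and authenticated for the live check, and uses placeholder names (CLUSTER, LOCATION, POOL, SA@PROJECT.iam.gserviceaccount.com) that you replace with your own. Note that the scope only sets the ceiling on what the node's credentials may request; the node service account still needs the matching IAM role on the bucket or registry.

```shell
#!/bin/sh
# Added example (not gcpdiag's own code): detect node pools that lack a
# storage-capable OAuth access scope and print the remediation.

# Scope URIs treated as satisfying this rule: anything that can reach
# storage.googleapis.com (assumption: devstorage.* or the all-in-one cloud-platform).
STORAGE_SCOPES="https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.full_control"

# has_storage_scope SCOPES
#   SCOPES is a list of scope URIs separated by semicolons (gcloud's "value()"
#   output for repeated fields) or by whitespace.
#   Returns 0 if at least one storage-granting scope is present, 1 otherwise.
has_storage_scope() {
  scopes=$(printf '%s' "$1" | tr ';' '\n' | tr ' \t' '\n\n')
  for want in $STORAGE_SCOPES; do
    # -x: whole-line match, -F: literal string, so read_only never matches read_write
    if printf '%s\n' "$scopes" | grep -qxF "$want"; then
      return 0
    fi
  done
  return 1
}

# check_node_pool CLUSTER LOCATION POOL
#   Live check: reads the pool's configured scopes with gcloud and applies the rule.
#   Requires an authenticated gcloud with permission to describe the cluster.
check_node_pool() {
  scopes=$(gcloud container node-pools describe "$3" \
             --cluster "$1" --location "$2" \
             --format="value(config.oauthScopes)")
  if has_storage_scope "$scopes"; then
    echo "OK: node pool $3 has a storage-capable access scope"
  else
    echo "WARN gke/WARN/2022_007: node pool $3 cannot reach storage.googleapis.com"
    echo "  configured scopes: ${scopes:-<none>}"
    echo "  fix (preferred): recreate the pool with cloud-platform and a dedicated SA,"
    echo "    then grant the SA IAM roles such as roles/artifactregistry.reader:"
    echo "    gcloud container node-pools create $3 --cluster $1 --location $2 \\"
    echo "      --scopes=cloud-platform --service-account=SA@PROJECT.iam.gserviceaccount.com"
    echo "  fix (alternative): use the gke-default alias:"
    echo "    gcloud container node-pools create $3 --cluster $1 --location $2 --scopes=gke-default"
    return 1
  fi
}

# Run the live check only when invoked as: ./check_scopes.sh CLUSTER LOCATION POOL
if [ "$#" -eq 3 ]; then
  check_node_pool "$@"
fi
```

Access scopes are fixed at node pool creation, so the remediation is to create a new pool with the corrected scopes and migrate workloads, not to edit the existing pool in place.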