1
votes

One of our Google Kubernetes Engine clusters has lost access to Google Cloud Platform via its main service account. It was not using the 'default' service account but a custom one, and that account is now gone. Is there a way to restore or change the service account for a GKE cluster after it has been created? Or are we just out of luck, and do we have to re-create the cluster?


3 Answers

1
votes

Good news! We found a way to solve the issue without having to re-create the entire cluster.

  1. Create a new node-pool and make sure it has the default permissions to Google Cloud Platform (this is the case if you create the pool via the Console UI).
  2. 'Force' all workloads on the new node pool (e.g. by using node labels).
  3. Re-deploy the workloads.
  4. Remove the old (broken) node pool.

Hope this helps anyone with the same issue in the future.
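The four steps above, scripted as an added example (this is not the answerer's code, and the cluster, zone, pool and service-account names are placeholders). The new pool is created with an explicit `--service-account` rather than relying on the Compute Engine default, the old pool's nodes are selected by the `cloud.google.com/gke-nodepool=<pool>` label that GKE puts on every node, and the script is a dry run unless `APPLY=1` is set, so it can be reviewed before anything is changed:

```shell
#!/usr/bin/env sh
# Added example, not part of the original answer: move GKE workloads off a node
# pool whose service account no longer exists onto a new pool with a working one.
# Dry run by default (prints the gcloud/kubectl commands); APPLY=1 executes them.
# All names below are assumptions; replace them with your own values.

CLUSTER="${CLUSTER:-my-cluster}"
ZONE="${ZONE:-us-central1-a}"
OLD_POOL="${OLD_POOL:-default-pool}"
NEW_POOL="${NEW_POOL:-sa-fixed-pool}"
# Node service account for the new pool (hypothetical name). Prefer a dedicated,
# minimally privileged account over the Compute Engine default service account.
NODE_SA="${NODE_SA:-gke-nodes@my-project.iam.gserviceaccount.com}"

# Execute the command when APPLY=1, otherwise print it on one line.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Step 1: create the replacement pool with an explicit node service account.
create_new_pool() {
  run gcloud container node-pools create "$NEW_POOL" \
    --cluster "$CLUSTER" --zone "$ZONE" \
    --service-account "$NODE_SA" \
    --num-nodes 3
}

# Steps 2 and 3: cordon the old nodes so nothing new is scheduled there, then
# drain them so the scheduler re-creates the pods on the new pool. GKE labels
# each node with cloud.google.com/gke-nodepool=<pool name>, which gives us a
# selector for exactly the broken pool.
drain_old_pool() {
  selector="cloud.google.com/gke-nodepool=$OLD_POOL"
  run kubectl cordon -l "$selector"
  run kubectl drain -l "$selector" --ignore-daemonsets --delete-emptydir-data --timeout=10m
}

# Step 4: remove the broken pool once the drain has finished.
delete_old_pool() {
  run gcloud container node-pools delete "$OLD_POOL" \
    --cluster "$CLUSTER" --zone "$ZONE" --quiet
}

migrate() {
  create_new_pool
  drain_old_pool
  delete_old_pool
}

migrate
```

Check the dry-run output first, then re-run with `APPLY=1`. Pods that pin themselves to the old pool via a `nodeSelector` on `cloud.google.com/gke-nodepool` will stay Pending after the drain until that selector is updated to the new pool name.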

0
votes

Looks like you are out of luck. According to the documentation, the `gcloud container clusters update` command does not let you update the service account.

0
votes

It's not possible to do either: restore a service account or update the cluster to use a new one. You can edit Compute Engine instances, but since the cluster's nodes are managed as a group, you can't edit them. Even if you could, if you had the autoscaler or node auto-repair feature enabled, new nodes wouldn't have the new service account.

So, it seems you're out of luck, you will have to recreate the cluster.