
Answer-first summary for fast verification
Answer: Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the host project.
The correct answer is A because the GKE service account in the service project requires specific IAM roles in the host project to create GKE clusters when using Shared VPC. These roles include compute.securityAdmin, container.hostServiceAgentUser, and compute.networkUser. This setup ensures that the GKE service account has the necessary permissions to manage security settings, allow the GKE Host Service Agent to manage resources, and interact with the Shared VPC network in the host project. The ability to create Compute Engine instances indicates that the issue is not with the service project's permissions or firewall rules, but rather with the missing host project permissions required for GKE cluster creation.
Author: LeetQuiz Editorial Team
As part of your organization's migration to GKE on Google Cloud, application teams are moving services to GKE clusters in service projects. They have successfully tested applications and configurations in sandbox projects. However, in production, GKE node creation fails—while Compute Engine instances can be created, GKE cluster creation operations do not succeed. How should you enable the teams to successfully provision GKE clusters?
A. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the host project.
B. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the service project.
C. Ensure that the service project's GKE service account has the compute.networkUser IAM permission in the service project.
D. Review the firewall rules configuration in the VPC. Identify what rule is blocking node creation.