• Problem: The following error appears while creating a GKE cluster from the console:

The Kubernetes Engine service account is missing required permissions on this project. See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info: required “container.hostServiceAgent.use” permission(s) for “projects/bh-vpc-host-nprd”.

Solution

On the service project level:

  1. Check that the Kubernetes Engine API is enabled on the service project.

  2. Check that both service accounts have been created: click the Include Google-provided role grants option in the upper-right corner of the Google IAM console.

On the host project level:

  1. Check that the Kubernetes Engine API is enabled on the host project.

  2. Grant the GKE service account shown above the roles/container.hostServiceAgentUser and roles/compute.networkUser roles.

  3. Grant the Google API service account shown above the roles/compute.networkUser role.

This allows the Kubernetes Engine service account to configure shared network resources at the host project level for clusters created in service projects.
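
The host-project checks above can be verified against an exported IAM policy before retrying cluster creation. The following is an added example, not part of the original note: it reports which of the three role grants are missing and prints the gcloud commands that add only those. The service account e-mail formats and the project number 123456789012 are assumptions; substitute the accounts shown in your IAM console.

```python
# Service agent member formats (assumed from GCP naming; {n} = service project number).
GKE_SA = "serviceAccount:service-{n}@container-engine-robot.iam.gserviceaccount.com"
API_SA = "serviceAccount:{n}@cloudservices.gserviceaccount.com"

def required_bindings(n):
    """(role, member) pairs from host-project steps 2 and 3."""
    gke, api = GKE_SA.format(n=n), API_SA.format(n=n)
    return [
        ("roles/container.hostServiceAgentUser", gke),
        ("roles/compute.networkUser", gke),
        ("roles/compute.networkUser", api),
    ]

def missing_bindings(policy, n):
    """Required pairs absent from the host project's IAM policy.

    A 'deleted:serviceAccount:...' member does not match, so a binding left
    over from a deleted service agent is reported as missing.
    """
    granted = {
        (b["role"], m)
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
    }
    return [p for p in required_bindings(n) if p not in granted]

def remediation(host_project, missing):
    """gcloud commands that add only the missing bindings."""
    return [
        f"gcloud projects add-iam-policy-binding {host_project} "
        f"--member={member} --role={role}"
        for role, member in missing
    ]

# Constructed sample in the shape of
# `gcloud projects get-iam-policy bh-vpc-host-nprd --format=json`;
# 123456789012 is a made-up service project number.
SAMPLE_POLICY = {"bindings": [{
    "role": "roles/compute.networkUser",
    "members": [
        API_SA.format(n="123456789012"),
        "deleted:" + GKE_SA.format(n="123456789012") + "?uid=1",
    ],
}]}

if __name__ == "__main__":
    gaps = missing_bindings(SAMPLE_POLICY, "123456789012")
    print("\n".join(remediation("bh-vpc-host-nprd", gaps)))
```

Granting only the bindings reported as missing keeps the host project's policy limited to the three role grants the steps require.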