Unable to create GKE cluster: constraint constraints/compute.vmExternalIpAccess violated for project

Hi,

Can I get some help around this issue please? I've tried to get simple workloads deployed to GKE, but it is turning into a nightmare. None of Google's documentation is accurate.

I have already updated the constraint and granted the Allow All permission.

The cluster creation still fails at this error:

Not all instances running in IGM after 23.255321784s. Expected 1, running 0, transitioning 1. Current errors: [CONDITION_NOT_MET]: Instance 'gk3-autopilot-cluster-2-default-pool-f59235d6-pww9' creation failed: Constraint constraints/compute.vmExternalIpAccess violated for project {NNNNNNNNN}. Add instance projects/stridecal-web-dev/zones/asia-southeast1-b/instances/gk3-autopilot-cluster-2-default-pool-{somekeys}-{somekeys} to the constraint to use external IP with it.
 
I also tried to delete the old clusters and create fresh ones after updating the policy, but nothing works. The GKE cluster crashed, unable to come up. This is after I've spent 2 days on the simplest task of getting a GKE cluster up. There are so many things we need to figure out and fix just to get simple things done in GKE. We've been asked to use GCP anyway; otherwise, AWS is leaps and bounds ahead of Google, at least in end-user experience.
1 ACCEPTED SOLUTION

Eventually, I managed to get help from a friend who works at Google. IAM & Admin > Organization Policies > constraints/compute.vmExternalIpAccess needs to be set to "Google-managed default". Allowing specific GCP resources doesn't work. At least this solved the problem of the public IP not getting assigned and the cluster getting sealed up.


4 REPLIES

Sorry for your troubles. In general, I would not set up the cluster with public IPs (which is the constraint you hit; not sure who set this up in your organization).

I'd definitely recommend setting up a private cluster with the public endpoint enabled to start with. Looks like you are creating an Autopilot cluster (which is also recommended).

So if you create an Autopilot cluster, make it private, and enable the public endpoint ... does that work?
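The two remedies in this thread, the accepted answer's "reset the project's policy to the Google-managed default" and this reply's "keep the constraint and build a private Autopilot cluster instead", as a command-line walkthrough. This is an added example, not code from the original posts: it assumes the gcloud CLI is installed and authenticated as someone who can read organization policies and create clusters, and PROJECT_ID, CLUSTER and REGION are placeholders you supply. One caveat a practitioner should weigh: the Google-managed default for this constraint places no restriction on external IPs, so resetting it removes the guardrail for every VM in the project, whereas a private-node cluster never triggers the constraint at all. With DRY_RUN=1 the script only prints the gcloud commands it would run.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the gcloud CLI is
# installed and authenticated. PROJECT_ID, CLUSTER and REGION are
# placeholders; every name here is an assumption. With DRY_RUN=1 each gcloud
# command is printed instead of executed.

CONSTRAINT="constraints/compute.vmExternalIpAccess"

# Print the command instead of running it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. The check: show the policy actually in force on the project, including
#    anything inherited from the organization or a folder, so you can see why
#    a project-level "allow all" is not what the Compute API enforces.
show_effective_policy() {
  run gcloud org-policies describe "$CONSTRAINT" --project="$1" --effective
}

# 2a. The accepted answer's fix: drop the project-level customisation so the
#     Google-managed default applies (console: "Google-managed default").
#     Caveat: this removes the guardrail against VMs with public IPs for the
#     whole project, so only do it where that is acceptable.
reset_project_policy() {
  run gcloud org-policies reset "$CONSTRAINT" --project="$1"
}

# 2b. This reply's recommendation: keep the constraint and create a private
#     Autopilot cluster. Nodes get no external IP, so the constraint is never
#     violated; the control-plane endpoint stays public unless you also pass
#     --enable-private-endpoint. Args: cluster, region, project.
create_private_autopilot() {
  run gcloud container clusters create-auto "$1" --project="$3" --region="$2" --enable-private-nodes
}

# 3. Verify: list the cluster's nodes and their external IP, if any.
#    Autopilot node names start with gk3-<cluster>-, as in the error message.
#    Args: cluster, project.
list_node_external_ips() {
  run gcloud compute instances list --project="$2" \
    --filter="name~^gk3-$1-" \
    --format="table(name,zone.basename(),networkInterfaces[0].accessConfigs[0].natIP)"
}

# The flow only runs when PROJECT_ID is set, so the file can also be sourced
# for its functions. RESET_POLICY=1 opts into the policy reset (2a).
if [ -n "${PROJECT_ID:-}" ]; then
  show_effective_policy "$PROJECT_ID"
  if [ "${RESET_POLICY:-0}" = "1" ]; then
    reset_project_policy "$PROJECT_ID"
  fi
  create_private_autopilot "${CLUSTER:-autopilot-private}" "${REGION:-asia-southeast1}" "$PROJECT_ID"
  list_node_external_ips "${CLUSTER:-autopilot-private}" "$PROJECT_ID"
fi
```

Run it as `PROJECT_ID=my-project CLUSTER=my-cluster REGION=asia-southeast1 DRY_RUN=1 sh fix-external-ip.sh` first to review the commands, then without DRY_RUN. If the effective policy shows the deny coming from the organization, a project-level reset will not help and the private-cluster path is the one that works without involving the org admin.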

Hi, if I try to create any project:

  1. GCP forces me to use stridecal.com organization
  2. The organization policies in this org has a constraint => constraints/compute.vmExternalIpAccess
  3. No matter what documentation I follow from google, the constraint is always violated.
  4. I tried updating the organization policy to "allow all". I also tried adding the respective objects to the "allow" whitelist of this constraint.
  5. I also tried assigning super admin privileges to the service account which I am using.
  6. Nothing works. All the documentation it points to is full of random verbiage. I tried each solution. Nothing works.

Solution: delete the organization, stridecal.com, from my account.

I don't understand why it is made so difficult to simply delete the organization if it is not working and allow us to deploy the objects under No Organization. The organization thing is all messed up.