I get
🔎 gke/ERR/2021_007: GKE service account permissions.
- xyz [FAIL]
service account: service-123456@container-engine-robot.iam.gserviceaccount.com
missing role: roles/container.serviceAgent
Verify that the Google Kubernetes Engine service account exists and has the
Kubernetes Engine Service Agent role on the project.
https://gcpdiag.dev/rules/gke/ERR/2021_007
even for projects that don't use GKE. It'd be nice if the tool checked whether or not the corresponding API was enabled or not and changed the applied rules accordingly.
Thanks for reporting this, which is clearly a bug in this rule. The rule should skip if the GKE API is disabled or if there are no GKE clusters created. I am working on a fix which should get pushed soon.
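The skip behaviour described in the reply above, sketched as an added example; it is not gcpdiag's code or the fix the maintainer refers to. The function names, the `Result` enum and the sample policies are hypothetical and constructed for illustration, and the IAM policy is assumed to be a dict shaped like the output of `gcloud projects get-iam-policy --format=json`.

```python
# Added illustration, not gcpdiag's code. All names below are hypothetical.
from enum import Enum

GKE_API = "container.googleapis.com"
GKE_AGENT_ROLE = "roles/container.serviceAgent"


class Result(Enum):
    OK = "OK"
    FAIL = "FAIL"
    SKIPPED = "SKIPPED"


def gke_service_agent(project_number):
    """Email of the GKE service agent, in the form shown in the report above."""
    return f"service-{project_number}@container-engine-robot.iam.gserviceaccount.com"


def check_gke_service_agent(project_number, enabled_apis, cluster_count, iam_policy):
    """Evaluate the rule, skipping projects where it does not apply."""
    # A project that never enabled GKE has no service agent to verify.
    if GKE_API not in enabled_apis:
        return Result.SKIPPED, "GKE API is disabled"
    if cluster_count == 0:
        return Result.SKIPPED, "no GKE clusters found"
    member = "serviceAccount:" + gke_service_agent(project_number)
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") == GKE_AGENT_ROLE and member in binding.get("members", []):
            return Result.OK, ""
    return Result.FAIL, f"missing role: {GKE_AGENT_ROLE}"


# Constructed sample policies: one grants the agent role, one does not.
POLICY_WITH_ROLE = {"bindings": [{"role": GKE_AGENT_ROLE, "members": [
    "serviceAccount:" + gke_service_agent(123456)]}]}
POLICY_WITHOUT_ROLE = {"bindings": [
    {"role": "roles/viewer", "members": ["user:dev@example.com"]}]}

if __name__ == "__main__":
    cases = [
        ("API disabled", set(), 0, POLICY_WITHOUT_ROLE),
        ("no clusters", {GKE_API}, 0, POLICY_WITHOUT_ROLE),
        ("role missing", {GKE_API}, 2, POLICY_WITHOUT_ROLE),
        ("role present", {GKE_API}, 2, POLICY_WITH_ROLE),
    ]
    for label, apis, clusters, policy in cases:
        result, reason = check_gke_service_agent(123456, apis, clusters, policy)
        print(f"{label}: {result.value} {reason}".rstrip())
```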