google-github-actions / get-gke-credentials

A GitHub Action that configures authentication to a GKE cluster.
https://cloud.google.com/gke
Apache License 2.0

Can't access GKE Autopilot cluster from the self-hosted runner #297

Closed arkadyb closed 4 months ago

arkadyb commented 4 months ago

TL;DR

Calling kubectl get pods returns

```text
E0313 02:30:55.926214     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
E0313 02:31:25.927328     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
E0313 02:31:55.928008     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
E0313 02:32:25.930975     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
E0313 02:32:55.932510     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
```

Expected behavior

List of pods displayed

Observed behavior

Timeouts as the kubectl can't reach the cluster.

Action YAML

```yaml
deploy:
    name: Deploy
    runs-on: arc-runner-set #self-hosted-runner
    environment: production

    permissions:
      id-token: write
      contents: read
      actions: read

    steps:
      - id: auth
        uses: "google-github-actions/auth@v2"
        with:
          credentials_json: "${{ secrets.GCP_CREDENTIALS }}"

      - uses: azure/setup-kubectl@v3
        with:
          version: "latest"

      - uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: ${{ env.GKE_CLUSTER }}
          location: ${{ env.GKE_ZONE }}

      - id: "get-pods"
        run: "kubectl get pods"
```

Log output

```text
##[debug]Evaluating condition for step: 'Run kubectl get pods'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run kubectl get pods
##[debug]Loading inputs
##[debug]Loading env
Run kubectl get pods
  kubectl get pods
  shell: /usr/bin/bash -e {0}
  env:
    PROJECT_ID: ***
    GAR_LOCATION: us-central1
    GKE_CLUSTER: autopilot-cluster-1
    GKE_ZONE: us-central1
    DEPLOYMENT_NAME: nginx-deployment
    REPOSITORY: samples
    IMAGE: static-site
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/_work/the-project/the-project/gha-creds-8494cba9bd2cb8d1.json
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/_work/the-project/the-project/gha-creds-8494cba9bd2cb8d1.json
    GOOGLE_GHA_CREDS_PATH: /home/runner/_work/the-project/the-project/gha-creds-8494cba9bd2cb8d1.json
    CLOUDSDK_CORE_PROJECT: ***
    CLOUDSDK_PROJECT: ***
    GCLOUD_PROJECT: ***
    GCP_PROJECT: ***
    GOOGLE_CLOUD_PROJECT: ***
    KUBECONFIG: /home/runner/_work/the-project/the-project/gha-kubeconfig-cbc42c9a82c46776
    KUBE_CONFIG_PATH: /home/runner/_work/the-project/the-project/gha-kubeconfig-cbc42c9a82c46776
##[debug]/usr/bin/bash -e /home/runner/_work/_temp/03691d26-5074-46fa-ae0f-0310ae44cd7e.sh
E0313 02:30:55.926214     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
E0313 02:31:25.927328     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
E0313 02:31:55.928008     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
E0313 02:32:25.930975     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
E0313 02:32:55.932510     101 memcache.go:265] couldn't get current server API group list: Get "https://35.202.107.4/api?timeout=32s": dial tcp 35.202.107.4:443: i/o timeout
Unable to connect to the server: dial tcp 35.202.107.4:443: i/o timeout
Error: Process completed with exit code 1.
##[debug]Finishing: Run kubectl get pods
```

Additional information

No response

sethvargo commented 4 months ago

Hi @arkadyb - because every self-hosted runner installation is unique, we cannot offer specific support. Usually these kinds of errors are due to a firewall policy or Internet egress policy which prevents outbound access. Please work with your self-hosted runners administrator and network policy administrator at your organization. This is not a bug in the get-gke-credentials action.
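
A preflight check for the failure discussed in this thread, added here as an example (it is not part of the issue and is not code from the get-gke-credentials project): it reads the API server address from the kubeconfig and tests whether the runner can open a TCP connection to it, so a dropped connection like the `i/o timeout` above is reported before `kubectl` runs. The function names `kube_endpoints`, `tcp_probe`, `verdict` and `preflight` are hypothetical; the script assumes bash, coreutils `timeout`, and IPv4 or hostname endpoints.

```bash
#!/usr/bin/env bash
# Added example: TCP preflight for the API server named in a kubeconfig.
# Assumes IPv4 addresses or hostnames in `server:` (no bracketed IPv6).

# Print "host port" for each `server:` URL (default port 443 for https, 80 for http).
kube_endpoints() {
  sed -n 's|^[[:space:]]*server:[[:space:]]*"\{0,1\}\(https\{0,1\}\)://\([^/[:space:]"]*\).*|\1 \2|p' "$1" |
  while read -r scheme hostport; do
    case $hostport in
      *:*) echo "${hostport%%:*} ${hostport##*:}" ;;
      *)   [ "$scheme" = https ] && echo "$hostport 443" || echo "$hostport 80" ;;
    esac
  done
}

# Exit 0 if a TCP connection opens, 124 if nothing answers within $3 seconds,
# anything else if the connection is refused or the name does not resolve.
tcp_probe() {
  timeout "$3" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" </dev/null 2>/dev/null
}

# Turn a tcp_probe exit code into a one-line finding.
verdict() {  # verdict RC HOST PORT SECS
  case $1 in
    0)   echo "ok $2:$3 TCP connect succeeded" ;;
    124) echo "timeout $2:$3 no reply within ${4}s (what kubectl reports as 'dial tcp ... i/o timeout')" ;;
    *)   echo "refused $2:$3 connection rejected or host not resolvable" ;;
  esac
}

# Probe every endpoint; return 0 if all connect, 1 if any fails, 2 if none found.
preflight() {  # preflight KUBECONFIG [SECS]
  local file="$1" secs="${2:-5}" host port rc status=0 endpoints
  endpoints=$(kube_endpoints "$file")
  [ -n "$endpoints" ] || { echo "no server: entry in $file"; return 2; }
  while read -r host port; do
    rc=0
    tcp_probe "$host" "$port" "$secs" || rc=$?
    verdict "$rc" "$host" "$port" "$secs"
    [ "$rc" -eq 0 ] || status=1
  done <<EOF
$endpoints
EOF
  return "$status"
}

# In a workflow step, after get-gke-credentials has exported KUBECONFIG:
#   preflight "$KUBECONFIG" 5
```

A `timeout` verdict points at the runner's network path (firewall or egress policy); an `ok` verdict followed by a `kubectl` failure points somewhere other than TCP reachability.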