Unable to pass service account in gcloud run deploy command. Getting regex validation error for the passed service account
In Sandbox environment I can see the service account for the deployed container and we can access all the data. but while deploying the container in dev environment I can't see the service account in GKE project. Please check the below image for reference. So, I am trying to pass the service account in gcloud run command with below command, but getting regex error.
gcloud run deploy $service_name \
--no-cpu-throttling \
--image=$image_name \
--project=$GKE_PROJECT \
--platform=gke \
--cluster=$CLUSTER \
--cluster-location=$CLUSTER_LOCATION \
--impersonate-service-account=$IMP_SERVICE_ACCOUNT \
--service-account=$SERVICE_ACCOUNT \
--namespace=$test
Error: (gcloud.run.deploy) HTTPError 400: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: invalid value: [email protected]: spec.template.spec.serviceAccountName\na lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is 'a-z0-9?(\.a-z0-9?)*')","reason":"BadRequest","code":400}
I can see this service account has editor and service account user roles. tried with different service accounts but still getting same erorr.
The command gcloud run deploy is used to deploy a container to Cloud Run.
While you deploy container images to Google Cloud Run and when you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace.
As the error describes, there seems to be an issue with the naming annotation.The name of a ServiceAccount object must be a valid DNS subdomain name.
As the error also mentions the name should be valid for the RFC 1123 label, check for the naming rules,which includes as below.
RFC 1123 Label Names
Some resource types require their names to follow the DNS label standard as defined in RFC 1123.
This means the name must:
- contain at most 63 characters
- contain only lowercase alphanumeric characters or '-' start with an alphanumeric character
- end with an alphanumeric character
You may want to verify these standards and check again to see if this works.
Also please note that the Service account is associated with the revision of the service. The service account represents the identity of the running revision, and determines what permissions the revision has. For the managed platform, this is the email address of an IAM service account. For the Kubernetes-based platforms (gke, kubernetes), this is the name of a Kubernetes service account in the same namespace as the service. If not provided, the revision will use the default service account of the project, or default Kubernetes namespace service account respectively.
- Manage resources generated by other resources
- How to override default chart values in terraform using helm provider?
- Minikube "icacls failed applying permissions "
- Kubectl error : [memcache.go:265] couldn't get current server API group list
- kubectl logs deploy/my-deployment does not show logs from all pods
- Kubernetes worker node is NotReady due to CNI plugin not initialized
- Couldn't proceed with upgrade process as new nodes are not joining node group standard-workers
- Conflicting NetworkPolicies in kubernetes
- Why does my GKE cluster not show any events?
- Kubernetes NFS Persistent Volumes - multiple claims on same volume? Claim stuck in pending?
- Encountering connection problems with PostgreSQL when using psycopg2 on a port that has been forwarded
- The connection to the server localhost:8080 was refused
- GKE gateway API: Control open ports on default firewall rule
- How to use Kubernetes secret object stringData to store base64 encoded privateKey
- K8s cluster deployment error: nc: bad address 'xx'
- Ingress path redirection, helm chart
- fluentd with OpenSearch - where does the @timestamp field come from?
- How can I keep a container running on Kubernetes?
- kubectl logs displays only 'API server listening at: [::]:40000' when remote debugging with dlv is enabled - How do I get my logs back?
- failed calling webhook "vingress.elbv2.k8s.aws"
- Kubernetes - Frontend pod can't reach backend pod
- How to access Kubernetes API when using minkube?
- What is Difference between KubernetesManifest@0 and KubernetesManifest@1 in Yaml pipeline?
- kube-prometheus-stack issue scraping metrics
- No stdout/stderror output or delayed when running Haskell application in Kubernetes
- Is there an imperative command to create daemonsets in kubernetes?
- Mongo DB deployment not working in kubernetes because processor doesn't have AVX support
- Nginx Ingress Controller - Failed Calling Webhook
- Easily detect deprecated resources on Kubernetes
- How to configure a Kubernetes Multi-Pod Deployment