TLDR; Does GCP MCI(Multi Cluster ) use Cloud Service Mesh as MCS?
I have implemented multi-cluster networking suing MCI(Multi Cluster Ingress) already following this link https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-ingress-setup.
Now I can see gke-mcs-importer is running on all clusters in the fleet and I think it is expected because MCI is relying on MCS(Multi Cluster Service).
But now I can see a number of errors in gke-mcs-importer pods as following:
Handler error: receiving ADS response over stream: permission denied: rpc error: code = PermissionDenied desc = Permission 'trafficdirector.networks.getConfigs' denied on resource '//trafficdirector.googleapis.com/projects/xxx/networks/test-network/nodes/test-gke-default-pool-xxxx-primary' (or it may not exist).
I cannot find any resources in Cloud Service Mesh and I don't think MCI solution creates resources on Cloud Service Mesh. So this error log is false. Am I wrong?
My expectation is gke-mcs-importer should not interact with Cloud Service Mesh when it is used by MCI.
I believe Multi Cluster Service is using Cloud Service Mesh under the hood. Look at Network Services -> Cloud Service Mesh in console. There should be records created by multi-cluster service controller
We ran into same issue with gke-mcs-importer. To get rid of it assign Network Viewer role to the Importer from CLI:
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member "serviceAccount:$PROJECT_ID.svc.id.goog[gke-mcs/gke-mcs-importer]" \
--role "roles/compute.networkViewer"
or Terraform
resource "google_project_iam_member" "gke_mcs_importer" {
project = var.project_id
role = "roles/compute.networkViewer"
member = "serviceAccount:${var.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
}