The GKE cluster will deny serviceaccount creation on the kube-system namespace. It appears that GKE implements some validation over requests sent to the K8S API, controlling/denying modifications and creation to resources in kube-system. https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview
Further to this issue, there are other problems encountered, as reported by @Barteus and team:
barteus@barteus-xps:~$ /snap/juju/current/bin/juju add-k8s --cloud google hackaton-cluster1
ERROR making juju admin credentials in cluster: ensuring service account "juju-credential-64f26484" in namespace "kube-system": serviceaccounts is forbidden: User "<email address hidden>" cannot create resource "serviceaccounts" in API group "" in the namespace "kube-system": GKE Warden authz [denied by managed-namespaces-limitation]: the namespace "kube-system" is managed and the request's verb "create" is denied
barteus@barteus-xps:~$ kubectl get service account -A
error: a resource cannot be retrieved by name across all namespaces
barteus@barteus-xps:~$ kubectl get serviceaccount -A
NAMESPACE                  NAME                                SECRETS   AGE
default                    default                             0         43h
gke-gmp-system             collector                           0         43h
gke-gmp-system             default                             0         43h
gke-gmp-system             operator                            0         43h
gke-managed-filestorecsi   default                             0         43h
gmp-public                 default                             0         43h
kube-node-lease            default                             0         43h
kube-public                default                             0         43h
kube-system                antrea-agent                        0         43h
kube-system                antrea-controller                   0         43h
kube-system                antrea-cpha                         0         43h
kube-system                attachdetach-controller             0         43h
kube-system                certificate-controller              0         43h
kube-system                cilium-win                          0         43h
kube-system                cloud-provider                      0         43h
kube-system                clouddns                            0         43h
kube-system                clusterrole-aggregation-controller  0         43h
kube-system                cronjob-controller                  0         43h
kube-system                daemon-set-controller               0         43h
kube-system                default                             0         43h
kube-system                deployment-controller               0         43h
kube-system                disruption-controller               0         43h
kube-system                egress-nat-controller               0         43h
kube-system                endpoint-controller                 0         43h
kube-system                endpointslice-controller            0         43h
kube-system                endpointslicemirroring-controller   0         43h
kube-system                ephemeral-volume-controller         0         43h
kube-system                event-exporter-sa                   0         43h
kube-system                expand-controller                   0         43h
kube-system                filestorecsi-node-sa                0         43h
kube-system                fluentbit-gke                       0         43h
kube-system                gcsfusecsi-node-sa                  0         43h
kube-system                generic-garbage-collector           0         43h
kube-system                gke-metadata-server                 0         43h
kube-system                gke-metrics-agent                   0         43h
kube-system                ip-masq-agent                       0         43h
kube-system                job-controller                      0         43h
kube-system                konnectivity-agent                  0         43h
kube-system                konnectivity-agent-cpha             0         43h
kube-system                kube-dns                            0         43h
kube-system                kube-dns-autoscaler                 0         43h
kube-system                kube-proxy                          0         43h
kube-system                metadata-proxy                      0         43h
kube-system                metrics-server                      0         43h
kube-system                namespace-controller                0         43h
kube-system                netd                                0         43h
kube-system                node-controller                     0         43h
kube-system                node-local-dns                      0         43h
kube-system                pdcsi-node-sa                       0         43h
kube-system                persistent-volume-binder            0         43h
kube-system                pkgextract-cleanup-service          0         43h
kube-system                pkgextract-service                  0         43h
kube-system                pod-garbage-collector               0         43h
kube-system                pv-protection-controller            0         43h
kube-system                pvc-protection-controller           0         43h
kube-system                replicaset-controller               0         43h
kube-system                replication-controller              0         43h
kube-system                resourcequota-controller            0         43h
kube-system                root-ca-cert-publisher              0         43h
kube-system                service-account-controller          0         43h
kube-system                service-controller                  0         43h
kube-system                statefulset-controller              0         43h
kube-system                ttl-after-finished-controller       0         43h
kube-system                ttl-controller                      0         43h
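A preflight check for the failure shown in the session above, added here as an example and not part of the bug report or of juju. The point it demonstrates: `kubectl auth can-i` only evaluates RBAC, and the denial here comes from GKE Warden, which sits in the admission layer, so the only faithful test is to send the same request through admission without persisting it, which a server-side dry run of a ServiceAccount create in kube-system does. The service account name `juju-preflight-check`, the function names and the sample error text in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or juju): check whether the cluster
# will accept a ServiceAccount create in a given namespace before running
# "juju add-k8s". RBAC says "yes" for kube-system on GKE; the admission-layer
# Warden policy is what says "no", so the check must go through admission.

# Return 0 when an error message carries the GKE Warden managed-namespace
# denial seen in the report, 1 otherwise. Pure text function; no cluster needed.
is_warden_managed_ns_denial() {
    printf '%s\n' "$1" | grep -q 'GKE Warden authz \[denied by managed-namespaces-limitation\]'
}

# Extract the namespace named in the denial ('the namespace "X" is managed').
# Prints nothing if the pattern is absent.
denied_namespace() {
    printf '%s\n' "$1" | sed -n 's/.*the namespace "\([^"]*\)" is managed.*/\1/p'
}

# Server-side dry run of the request juju add-k8s makes. Nothing is persisted:
# --dry-run=server runs authz and admission and then discards the object.
# Exit status: 0 allowed, 2 denied by the Warden managed-namespace policy,
# 1 any other error (RBAC, connectivity, ...).
preflight_sa_create() {
    ns="${1:-kube-system}"
    name="${2:-juju-preflight-check}"   # hypothetical name; never stored
    if err=$(kubectl create serviceaccount "$name" -n "$ns" --dry-run=server -o name 2>&1); then
        echo "allowed: $err"
        return 0
    fi
    if is_warden_managed_ns_denial "$err"; then
        echo "denied by GKE Warden: namespace $(denied_namespace "$err") is managed; pick a namespace GKE does not manage"
        return 2
    fi
    echo "other error: $err"
    return 1
}

# Usage against a real cluster:
#   preflight_sa_create kube-system
#   preflight_sa_create juju-system
```

Run it against the target namespace before `juju add-k8s`; a return code of 2 reproduces exactly the condition in the report, and a 0 for a non-managed namespace shows where the credential service account could live instead.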