Add error message and self-help instructions for kubernetes permissio…

…ns (#21) * Add error message and self-help instructions for kubernetes permissions * misplaced period * Move instructions just to the README, and point to them from the error message * improve readme example
AI-Hypercomputer · Nov 22, 2023 · 5246bf2 · 5246bf2
1 parent 2b04d2e
commit 5246bf2
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -321,3 +321,46 @@ gcloud compute machine-types list --zones=$ZONE_LIST
 # Adjust default cpu machine type.
 python3 xpk.py cluster create --cluster-cpu-machine-type=CPU_TYPE ...
 ```
+
+## Permission Issues: `requires one of ["permission_name"] permission(s)`.
+
+1) Determine the role needed based on the permission error:
+
+    ```shell
+    # For example: `requires one of ["container.*"] permission(s)`
+    # Add [Kubernetes Engine Admin](https://cloud.google.com/iam/docs/understanding-roles#kubernetes-engine-roles) to your user.
+    ```
+
+2) Add the role to the user in your project.
+
+    Go to [iam-admin](https://console.cloud.google.com/iam-admin/) or use gcloud cli:
+    ```shell
+    PROJECT_ID=my-project-id
+    CURRENT_GKE_USER=$(gcloud config get account)
+    ROLE=roles/container.admin  # container.admin is the role needed for Kubernetes Engine Admin
+    gcloud projects add-iam-policy-binding $PROJECT_ID --member user:$CURRENT_GKE_USER --role=$ROLE
+    ```
+
+3) Check the permissions are correct for the users.
+
+    Go to [iam-admin](https://console.cloud.google.com/iam-admin/) or use gcloud cli:
+
+    ```shell
+    PROJECT_ID=my-project-id
+    CURRENT_GKE_USER=$(gcloud config get account)
+    gcloud projects get-iam-policy $PROJECT_ID --filter="bindings.members:$CURRENT_GKE_USER" --flatten="bindings[].members"
+    ```
+
+4) Confirm you have logged in locally with the correct user.
+
+    ```shell
+    gcloud auth login
+    ```
+
+
+
+### Roles needed based on permission errors:
+
+* `requires one of ["container.*"] permission(s)`
+
+  Add [Kubernetes Engine Admin](https://cloud.google.com/iam/docs/understanding-roles#kubernetes-engine-roles) to your user.
diff --git a/xpk.py b/xpk.py
@@ -1096,6 +1096,13 @@ def set_jobset_on_cluster(args) -> int:
         'jobset command on server side returned with ERROR returncode'
         f' {return_code}.\n'
     )
+    xpk_print(
+      'This likely means you\'re missing Kubernetes Permissions, you can'
+      ' validate this by checking if the error references permission'
+      ' problems such as `requires one of ["container.*"] permission(s)`.'
+      ' Follow our readme: https://github.com/google/xpk/blob/main/README.md#troubleshooting'
+      ' for instructions on how to fix these permissions.'
+    )
     return 1
   return 0