Private Service Access error code and message | C2C Community
Solved

  • 24 February 2022
  • 5 replies

Hello,

Does anybody know where I can find the explanation of the error code and message for this error, which I get while trying to create a ServiceAttachment for Private Service Connect?

ServiceAttachment definition:

apiVersion: networking.gke.io/v1beta1
kind: ServiceAttachment
metadata:
  name: emoji-sa
  namespace: psc-producer
spec:
  connectionPreference: ACCEPT_AUTOMATIC
  natSubnets:
  - my-cluster-us-west1
  proxyProtocol: false
  resourceRef:
    kind: Service
    name: gke-l4-psc

Error message:

Events:
  Type     Reason                          Age                 From                     Message
  ----     ------                          ----                ----                     -------
  Warning  ProcessServiceAttachmentFailed  31s (x21 over 25m)  loadbalancer-controller  error processing service attachment "psc-producer/emoji-sa": "failed to create GCE Service Attachment: googleapi: Error 412: CONDITION_NOT_MET - Subnet resource_type: SUBNETWORK\nresource_name: \"my-cluster-us-west1\"\nproject {\n  canonical_project_id: my-project-id\n}\nscope {\n  scope_type: REGION\n  scope_name: \"us-west1\"\n}\n does not have the purpose PRIVATE_SERVICE_CONNECT"

The my-cluster-us-west1 subnet has Private Google Access enabled.

Thank you,

Laurentius

Best answer by alexmoore, 27 February 2022, 11:55

5 replies

Hi,

It looks like the subnet you are using for PSC does not have its purpose set correctly; take a look at this page for some guidance on configuration: https://cloud.google.com/vpc/docs/configure-private-service-connect-producer#add-subnet-psc

Hope that helps,

Alex

Hi @lrpurba

Have you checked @alexmoore's answer? Does it help you?

Hi @ilias and @alexmoore,

I have read that doc, but I still have a few questions, aka I am confused :grinning:.

Let's say I have an existing GCP project with GKE configured and an existing subnet. If I want to use PSC:

  • Do I have to create a new subnet?
  • If the answer above is No, can I use an existing subnet that is already working in that existing cluster?
  • If the answer is Yes, why can't I use an existing subnet?

Thank you,

Hi @lrpurba 

So this page might provide some more details on these points: https://cloud.google.com/vpc/docs/private-service-connect#psc-subnets

Ultimately the subnet needs to be dedicated to use by PSC, so it cannot be a subnet that you are already using for other services. Also, even if you are using a global external HTTP(S) load balancer, the subnet is still required; see bullet three on that link above.

As of right now you can only set the purpose to "PRIVATE_SERVICE_CONNECT" on subnet creation, which, given that the subnet is required to be dedicated, simply means that if you do want to re-use/re-purpose an existing subnet, you would need to delete it first and then recreate it with the correct purpose set. I assume this is another mechanism to ensure that this is a subnet dedicated for this use.

Hope that helps, certainly if you have further questions, fire away.

All the best,

Alex
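A preflight check that reproduces the condition behind the 412 CONDITION_NOT_MET above, as an added example that is not part of this thread or of Google's tooling. It reads the JSON that `gcloud compute networks subnets list --format=json` (or `describe --format=json`) returns and fails the ServiceAttachment's natSubnets entries whose purpose is not PRIVATE_SERVICE_CONNECT, regardless of Private Google Access, which the API does not look at here. The subnet records, the subnet name psc-nat-us-west1, the VPC name my-vpc and the CIDR ranges are constructed for the example; the gcloud create flags in remediation_command are the documented ones.

```python
"""Preflight check for a GKE ServiceAttachment's natSubnets (added example).

Reproduces the producer-side rule the GCE API enforces (every NAT subnet must
have purpose PRIVATE_SERVICE_CONNECT) before `kubectl apply`, using the JSON
that `gcloud compute networks subnets list --format=json` returns. The subnet
records below are constructed sample data, not real project output.
"""
import json

PSC_PURPOSE = "PRIVATE_SERVICE_CONNECT"

# The ServiceAttachment from the post, as the dict you get after parsing its YAML.
SERVICE_ATTACHMENT = {
    "apiVersion": "networking.gke.io/v1beta1",
    "kind": "ServiceAttachment",
    "metadata": {"name": "emoji-sa", "namespace": "psc-producer"},
    "spec": {
        "connectionPreference": "ACCEPT_AUTOMATIC",
        "natSubnets": ["my-cluster-us-west1"],
        "proxyProtocol": False,
        "resourceRef": {"kind": "Service", "name": "gke-l4-psc"},
    },
}

# Constructed `subnets list --format=json` output, abridged to the fields used here.
# my-cluster-us-west1 is the cluster's node subnet: ordinary purpose, Private Google
# Access on. psc-nat-us-west1 is a hypothetical subnet created with
# --purpose=PRIVATE_SERVICE_CONNECT.
SUBNETS_JSON = """[
  {"name": "my-cluster-us-west1",
   "region": "https://www.googleapis.com/compute/v1/projects/my-project-id/regions/us-west1",
   "network": "https://www.googleapis.com/compute/v1/projects/my-project-id/global/networks/my-vpc",
   "ipCidrRange": "10.0.0.0/20", "purpose": "PRIVATE", "privateIpGoogleAccess": true},
  {"name": "psc-nat-us-west1",
   "region": "https://www.googleapis.com/compute/v1/projects/my-project-id/regions/us-west1",
   "network": "https://www.googleapis.com/compute/v1/projects/my-project-id/global/networks/my-vpc",
   "ipCidrRange": "10.10.0.0/24", "purpose": "PRIVATE_SERVICE_CONNECT", "privateIpGoogleAccess": false}
]"""


def _last_segment(url):
    """'.../regions/us-west1' -> 'us-west1'."""
    return url.rsplit("/", 1)[-1]


def check_nat_subnets(manifest, subnets, region):
    """Return a list of problems; an empty list means every natSubnet is usable for PSC.

    `subnets` is the parsed JSON list; `region` is the load balancer's region, because
    the API resolves the subnet name inside the ServiceAttachment's own region.
    """
    in_region = {s["name"]: s for s in subnets if _last_segment(s.get("region", "")) == region}
    problems = []
    for name in manifest["spec"]["natSubnets"]:
        subnet = in_region.get(name)
        if subnet is None:
            problems.append(f"{name}: no subnet with that name in region {region}")
            continue
        # Older subnets may omit the field entirely; treat that as an ordinary PRIVATE subnet.
        purpose = subnet.get("purpose", "PRIVATE")
        if purpose != PSC_PURPOSE:
            problems.append(
                f"{name}: purpose is {purpose}, not {PSC_PURPOSE} "
                f"(privateIpGoogleAccess={subnet.get('privateIpGoogleAccess', False)} is irrelevant; "
                "the purpose is fixed at creation, so create a new dedicated subnet)"
            )
    return problems


def remediation_command(name, network, region, cidr):
    """gcloud command that creates a dedicated PSC NAT subnet with the right purpose.

    The flags are the documented ones; name, network and range are your choice (the range
    must be free in the VPC and used by nothing else, since the subnet is PSC-only).
    """
    return (
        f"gcloud compute networks subnets create {name} "
        f"--network={network} --region={region} --range={cidr} --purpose={PSC_PURPOSE}"
    )


def demo():
    """Check the manifest as posted, then with natSubnets swapped for the dedicated subnet.

    Returns (problems_before, problems_after)."""
    subnets = json.loads(SUBNETS_JSON)
    before = check_nat_subnets(SERVICE_ATTACHMENT, subnets, "us-west1")
    fixed = json.loads(json.dumps(SERVICE_ATTACHMENT))  # cheap deep copy
    fixed["spec"]["natSubnets"] = ["psc-nat-us-west1"]
    after = check_nat_subnets(fixed, subnets, "us-west1")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for problem in before:
        print("PROBLEM:", problem)
    print("Fix:", remediation_command("psc-nat-us-west1", "my-vpc", "us-west1", "10.10.0.0/24"))
    print("After swapping natSubnets:", "OK" if not after else after)
```

To use it against a real project, replace SUBNETS_JSON with the output of `gcloud compute networks subnets list --regions=REGION --format=json` and the dict with your parsed manifest; a non-empty result is the same condition the loadbalancer-controller will report after apply, caught before the controller retries it every minute.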

Hi @alexmoore

I am just curious why the documentation doesn't say that we cannot use an existing subnet, and that it has to be a new subnet or an existing one re-used/re-purposed by delete & re-create.

I'll try to create a new subnet and keep trying this PSC.

Thank you,

Laurentius
