GCP Cloud Workstations config degraded error


I am trying to get Cloud workstations to work in a project with VPC service controls.

I am getting this error: "System images cannot be pulled onto workstation VMs using this configuration. Since you have disabled public IP addresses, ensure you have enabled PGA for Artifact Registry and Container Registry by setting up DNS records for *.pkg.dev and *.gcr.io or set up Cloud NAT to allow pulling system images on your workstation VMs."

The container image it uses is in Artifact Registry in the same project. I also tried using the default image from us-central1-docker.pkg.dev/cloud-workstations-images/predefined/code-oss:latest, and added that project to the trusted images in the org policy.

I have already set up DNS for Artifact Registry:

DNS name - pkg.dev.
CNAME - *.pkg.dev.
A record - pkg.dev.: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7

Container Registry:

DNS name - gcr.io.
CNAME - *.gcr.io.
A record - gcr.io.: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7

Restricted Google APIs:

DNS name - googleapis.com
CNAME - *.googleapis.com
A record - restricted.googleapis.com: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7

(I am using the restricted APIs because I am using VPC Service Controls.)

I have 1 VPC and 1 subnet; I also tried adding a Cloud NAT.

Here is my VPC service perimeter:

Resources to protect: The project with Cloud Workstations

Restricted Services:

Vertex AI API
Artifact Registry API
BigQuery API
Cloud Bigtable API
Cloud Build API
Kubernetes Engine API
Cloud Pub/Sub API
Cloud Run Admin API
Cloud SQL Admin API
Cloud Storage API

VPC Accessible Services:

Artifact Registry API
BigQuery API
Compute Engine API
Container Registry API
Cloud DNS API
Cloud Logging API
Cloud Monitoring API
Network Connectivity API
Notebooks API
Cloud Storage API
Cloud Workstations API

Access Level: The Cloud Workstations service account is included in the access level group.

Ingress policy:

No ingress policy

Egress policy:

Egress Rule 1
  From:
    Identities: ANY_SERVICE_ACCOUNT
  To:
    Projects: All projects
    Services (all methods / all actions):
      artifactregistry.googleapis.com
      storage.googleapis.com
      containerregistry.googleapis.com
      workstations.googleapis.com
      compute.googleapis.com
      dns.googleapis.com
      networkconnectivity.googleapis.com
      servicedirectory.googleapis.com

I have added the proper DNS records from https://cloud.google.com/artifact-registry/docs/securing-with-vpc-sc and also added a Cloud NAT.


The problem was actually the routes.

I had a static route configured to 0.0.0.0/0 with priority 1000 and an instance tag.
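As an added illustration (not part of the question or the answer above), the Python below simulates VPC route selection over a constructed route table to show how a tagged 0.0.0.0/0 static route can keep workstation VMs from reaching the restricted VIP (199.36.153.4/30, the addresses in the DNS records above), and how an explicit /30 route to the default internet gateway restores the path. The route names, the "workstation" tag and the NAT-instance next hop are assumptions for the example.

```python
# Offline simulation of VPC route selection (constructed data, not gcloud output).
import ipaddress
from dataclasses import dataclass

RESTRICTED_VIP = "199.36.153.4/30"  # restricted.googleapis.com, per the A records above


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                      # destination CIDR
    priority: int                  # lower value wins among equal prefix lengths
    next_hop: str                  # "default-internet-gateway", an instance, ...
    tags: frozenset = frozenset()  # empty: applies to every VM in the network


def applicable(route, ip, vm_tags):
    """A route applies to a VM if the destination matches and the route is
    untagged or shares at least one network tag with the VM."""
    return ip in ipaddress.ip_network(route.dest) and (not route.tags or route.tags & vm_tags)


def select_route(routes, dst_ip, vm_tags):
    """VPC order of evaluation: longest prefix match first, then lowest priority."""
    ip = ipaddress.ip_address(dst_ip)
    cands = [r for r in routes if applicable(r, ip, vm_tags)]
    if not cands:
        return None
    return max(cands, key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.priority))


def restricted_vip_reachable(routes, vm_tags):
    """Private Google Access over the restricted VIP needs the packets to leave
    via the default internet gateway; any other next hop (or no route) breaks it."""
    r = select_route(routes, "199.36.153.4", frozenset(vm_tags))
    return r is not None and r.next_hop == "default-internet-gateway"


# Constructed table mirroring the question: the only default route is a static
# 0.0.0.0/0, priority 1000, limited to a tag, pointing at a NAT instance (assumed).
BROKEN = [
    Route("static-default-via-nat", "0.0.0.0/0", 1000, "nat-instance", frozenset({"workstation"})),
]
# Fix: a /30 route for the restricted VIP. Its longer prefix beats any default
# route regardless of priority, so both tagged and untagged VMs reach pkg.dev/gcr.io.
FIXED = BROKEN + [Route("restricted-vip", RESTRICTED_VIP, 1000, "default-internet-gateway")]

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "tagged VM reaches restricted VIP:", restricted_vip_reachable(table, {"workstation"}))
```

The same logic can be applied to the real table from `gcloud compute routes list` to see which route each workstation VM actually takes to 199.36.153.4.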