I am trying to install Anthos. I do this using the following command...
asmcli install -p project -l us-central1 -n earth-615 --managed --verbose --output_dir earth-615 --use_managed_cni --channel Rapid --enable-all
So I try to check it with
kubectl describe controlplanerevision asm-managed-rapid -n istio-system
It seems to be failing...
Status:
Conditions:
Last Transition Time: 2022-04-11T21:42:50Z
Message: The provisioning process has not completed successfully
Reason: NotProvisioned
Status: False
Type: Reconciled
Last Transition Time: 2022-04-11T21:42:50Z
Message: Provisioning has finished
Reason: ProvisioningFinished
Status: True
Type: ProvisioningFinished
Last Transition Time: 2022-04-11T21:42:50Z
Message: An error occurred reconciling CNI & MDP controller
Reason: ProvisioningFailed
Status: True
Type: Stalled
Events: <none>
I check the docs for status code here and I don't see that as an expected error code.
When I look at the log for istio-asm-... pod I see the following...
2022-04-12T12:22:47.328302Z error retry attempts exceeded when creating csr request csr-workload-wbksbgm8zzp5w8tgx6
Error: failed to create discovery service: failed generating key and cert by kubernetes: unable to submit CSR request (). Error: admission webhook "gkepolicy.common-webhooks.networking.gke.io" denied the request: GKE Policy Controller rejected the request because it violates one or more policies: {"[denied by autogke-csr-limitation]":["CSR 'csr-workload-wbksbgm8zzp5w8tgx6' disallowed in Autopilot."]}
2022-04-12T12:22:47.328580Z error failed to create discovery service: failed generating key and cert by kubernetes: unable to submit CSR request (). Error: admission webhook "gkepolicy.common-webhooks.networking.gke.io" denied the request: GKE Policy Controller rejected the request because it violates one or more policies: {"[denied by autogke-csr-limitation]":["CSR 'csr-workload-wbksbgm8zzp5w8tgx6' disallowed in Autopilot."]}
How do I install Anthos without getting the autogke-csr-limitation error?