
Multicluster install fails to provision serviceaccounts, roles & rolebindings required to work

Open x00e opened this issue 2 months ago • 2 comments

What is the issue?

Upon following this official guide, linkerd fails to provision all the resources needed.

When running a multicluster check, I get errors on both clusters about missing ServiceAccounts, Roles, RoleBindings and ClusterRoleBindings.

Was able to reproduce this on 3 independent k3s clusters when trying to mesh them together using the linkerd multicluster plugin.

How can it be reproduced?

❯ linkerd --context=$cluster1  multicluster link-gen --cluster-name=$cluster1 --gateway=false | kubectl --context=$cluster2  apply -f -

secret/cluster-credentials-streaming-perftest01-pit01.xxx created
secret/cluster-credentials-streaming-perftest01-pit01.xxx created
link.multicluster.linkerd.io/streaming-perftest01-pit01.xxx created


❯ linkerd --context=$cluster2  multicluster link-gen --cluster-name=$cluster2 --gateway=false | kubectl --context=$cluster1  apply -f -

secret/cluster-credentials-streaming-perftest02-pit01.xxx created
secret/cluster-credentials-streaming-perftest02-pit01.xxx created
link.multicluster.linkerd.io/streaming-perftest02-pit01.xxx created

Logs, error output, etc

❯ linkerd --context=$cluster1 multicluster check
linkerd-multicluster
--------------------
√ Link CRD exists
√ Link resources are valid
	* streaming-perftest02-pit01.xxx
√ Link and CLI versions match
	* streaming-perftest02-pit01.xxx
√ remote cluster access credentials are valid
	* streaming-perftest02-pit01.xxx
√ clusters share trust anchors
	* streaming-perftest02-pit01.xxx
× service mirror controller has required permissions
    missing ServiceAccounts: linkerd-service-mirror-streaming-perftest02-pit01.xxx
missing ServiceAccounts: controller-streaming-perftest02-pit01.xxx
missing ClusterRoleBindings: linkerd-service-mirror-access-local-resources-streaming-perftest02-pit01.xxx
missing ClusterRoleBindings: linkerd-multicluster-controller-access-local-resources-streaming-perftest02-pit01.xxx
missing Roles: linkerd-service-mirror-read-remote-creds-streaming-perftest02-pit01.xxx
missing Roles: controller-read-remote-creds-streaming-perftest02-pit01.xxx
missing RoleBindings: linkerd-service-mirror-read-remote-creds-streaming-perftest02-pit01.xxx
missing RoleBindings: controller-read-remote-creds-streaming-perftest02-pit01.xxx
    see https://linkerd.io/2/checks/#l5d-multicluster-source-rbac-correct for hints
× service mirror controllers are running
            * no service mirror controller deployment for Link streaming-perftest02-pit01.xxx
    see https://linkerd.io/2/checks/#l5d-multicluster-service-mirror-running for hints
√ multicluster extension proxies are healthy
√ multicluster extension proxies are up-to-date
√ multicluster extension proxies and cli versions match

Status check results are ×

output of linkerd check -o short

❯ linkerd  check -o short 

× service mirror controller has required permissions
    missing ServiceAccounts: linkerd-service-mirror-streaming-perftest02-pit01.xxx
missing ServiceAccounts: controller-streaming-perftest02-pit01.xxx
missing ClusterRoleBindings: linkerd-service-mirror-access-local-resources-streaming-perftest02-pit01.xxx
missing ClusterRoleBindings: linkerd-multicluster-controller-access-local-resources-streaming-perftest02-pit01.xxx
missing Roles: linkerd-service-mirror-read-remote-creds-streaming-perftest02-pit01.xxx
missing Roles: controller-read-remote-creds-streaming-perftest02-pit01.xxx
missing RoleBindings: linkerd-service-mirror-read-remote-creds-streaming-perftest02-pit01.xxx
missing RoleBindings: controller-read-remote-creds-streaming-perftest02-pit01.xxx
    see https://linkerd.io/2/checks/#l5d-multicluster-source-rbac-correct for hints
× service mirror controllers are running
            * no service mirror controller deployment for Link streaming-perftest02-pit01.xxx
    see https://linkerd.io/2/checks/#l5d-multicluster-service-mirror-running for hints

Status check results are ×

Environment

❯ linkerd version
Client version: edge-25.10.6
Server version: edge-25.10.6

and the two nodes are on k3s:

k3s version v1.32.5+k3s1 (8e8f2a47)
go version go1.23.8
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.5 LTS"
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Possible solution

No response

Additional context

No response

Would you like to work on fixing this bug?

None

x00e Oct 29 '25 11:10

It seems the RBAC for multicluster is missing from your clusters. In the doc you point at, in step 2, make sure you're configuring the controllers value when you install linkerd-multicluster in each cluster. This other doc shows a more detailed view of what that controllers value entry looks like.

alpeb Oct 30 '25 16:10

@x00e I think this section, Adding Controller for cluster, provides better documentation on how to create the controller for the cluster that is being linked. In the source cluster, i.e. where you would apply the link of the other cluster, you first need to just create this file - replace east with the cluster name. This will add the relevant service account and other details to the cluster.

controllers:
- link:
    ref:
      name: east

manju-rn Nov 17 '25 13:11
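
An added example, not part of the thread and not Linkerd's own tooling: shell functions that read `linkerd multicluster check` output, list the Links that have no service mirror controller, summarize the missing RBAC objects per kind, and print the `controllers` values entries described in the last comment. The function names and the abbreviated sample output are constructed here, and it assumes the Link name reported by the check is the value that goes in `ref.name`.

```shell
#!/bin/sh
# Constructed sample, abbreviated from the check output in the report above.
sample_check_output() {
cat <<'EOF'
√ Link CRD exists
× service mirror controller has required permissions
    missing ServiceAccounts: linkerd-service-mirror-streaming-perftest02-pit01.xxx
missing ServiceAccounts: controller-streaming-perftest02-pit01.xxx
missing Roles: controller-read-remote-creds-streaming-perftest02-pit01.xxx
× service mirror controllers are running
            * no service mirror controller deployment for Link streaming-perftest02-pit01.xxx
EOF
}

# Print each Link name that has no controller deployment, one per line.
links_without_controller() {
  sed -n 's/^[[:space:]]*\* no service mirror controller deployment for Link \(.*\)$/\1/p' | sort -u
}

# Count "missing <Kind>: <name>" lines per RBAC kind, e.g. "ServiceAccounts 2".
missing_rbac_summary() {
  awk '$1 == "missing" && $2 ~ /:$/ { sub(/:$/, "", $2); n[$2]++ }
       END { for (k in n) print k, n[k] }' | sort
}

# Read Link names on stdin and emit the values file shown in the thread,
# one "link.ref.name" entry per Link (assumption: Link name == ref.name).
controllers_values() {
  links=$(cat)
  if [ -z "$links" ]; then
    echo "controllers: []"   # nothing missing: emit an explicit empty list
    return
  fi
  echo "controllers:"
  printf '%s\n' "$links" | while IFS= read -r link; do
    printf '%s\n' "- link:" "    ref:" "      name: $link"
  done
}

# Stand-alone run on the constructed sample.
sample_check_output | missing_rbac_summary
sample_check_output | links_without_controller | controllers_values
```

Against a live cluster, replace `sample_check_output` with `linkerd --context=$cluster1 multicluster check` and review the generated entries before using them as values for the linkerd-multicluster install.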