Managed Defender DaemonSets - permissions error
"Error fetching DaemonSet: The caller does not have permission" even when using a service account with Owner permissions
This is a permissions issue. Our docs point to the Google documentation for creating a service account, which recommends granting the service account two roles: Service Account Admin and Service Account Key Admin. Those roles are not enough for PCC to work fully.
Because the console generates a temporary token to access GKE, the request fails when the service account lacks permission to create tokens. The Owner role does not include that permission either. Add the Service Account Token Creator role to the service account to resolve the problem.
See twistlock/twistlock#22777 for details.
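A pre-flight check for the condition described above, added here as an example and not part of Prisma Cloud Compute or its docs. It reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, reports whether the service account holds the Service Account Token Creator role (IAM id `roles/iam.serviceAccountTokenCreator`), and flags Owner, Service Account Admin and Service Account Key Admin as insufficient rather than counting them. The project id, service account e-mail and the sample policy are constructed values; the `with_token_creator` helper mimics what `gcloud projects add-iam-policy-binding` does to the policy so the fix can be verified before it is applied.

```python
"""Check whether the service account used for managed Defender DaemonSets on GKE
can create tokens (roles/iam.serviceAccountTokenCreator).

Input is a project IAM policy as printed by
`gcloud projects get-iam-policy PROJECT_ID --format=json`. Owner, Service Account
Admin and Service Account Key Admin are reported separately because none of them
grants token creation, which the console needs when it mints a short-lived token
to reach the cluster.
"""
import json
import sys

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Roles that are often assumed to be enough but do not include token creation.
INSUFFICIENT = {
    "roles/owner": "Owner",
    "roles/iam.serviceAccountAdmin": "Service Account Admin",
    "roles/iam.serviceAccountKeyAdmin": "Service Account Key Admin",
}


def roles_for_member(policy: dict, member: str) -> set:
    """Every role bound to `member` ('serviceAccount:<email>') in the policy."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def check_token_creator(policy: dict, sa_email: str) -> dict:
    """Report whether the account can create tokens and which insufficient
    roles it holds instead."""
    roles = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {
        "ok": TOKEN_CREATOR in roles,
        "insufficient_roles": sorted(INSUFFICIENT[r] for r in roles if r in INSUFFICIENT),
        "roles": sorted(roles),
    }


def remediation_command(project_id: str, sa_email: str) -> str:
    """The gcloud command that adds the missing project-level binding."""
    return (
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member=serviceAccount:{sa_email} --role={TOKEN_CREATOR}"
    )


def with_token_creator(policy: dict, sa_email: str) -> dict:
    """Return a copy of the policy with the binding added, reusing an existing
    binding for the role if there is one (the original policy is not modified)."""
    fixed = json.loads(json.dumps(policy))  # deep copy
    member = f"serviceAccount:{sa_email}"
    for b in fixed.setdefault("bindings", []):
        if b["role"] == TOKEN_CREATOR:
            if member not in b["members"]:
                b["members"].append(member)
            return fixed
    fixed["bindings"].append({"role": TOKEN_CREATOR, "members": [member]})
    return fixed


# Constructed sample (hypothetical project and account): the service account has
# Owner plus the two roles the Google service-account guide suggests, but not
# Token Creator, which is exactly the failing setup.
SA_EMAIL = "pcc-defender@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": "roles/owner",
         "members": [f"serviceAccount:{SA_EMAIL}", "user:admin@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/iam.serviceAccountKeyAdmin",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/container.viewer",
         "members": ["user:reader@example.com"]},
    ],
}

if __name__ == "__main__":
    # Usage: python check_token_creator.py PROJECT_ID SA_EMAIL [policy.json]
    # Without a policy file the constructed sample above is checked.
    project = sys.argv[1] if len(sys.argv) > 1 else "example-project"
    sa = sys.argv[2] if len(sys.argv) > 2 else SA_EMAIL
    if len(sys.argv) > 3:
        with open(sys.argv[3]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    result = check_token_creator(policy, sa)
    if result["ok"]:
        print(f"OK: {sa} holds {TOKEN_CREATOR}")
    else:
        print(f"MISSING: {sa} lacks {TOKEN_CREATOR}; roles held: {result['roles']}")
        if result["insufficient_roles"]:
            print("  note: " + ", ".join(result["insufficient_roles"])
                  + " do not include token creation")
        print("  fix: " + remediation_command(project, sa))
```

The emitted command binds the role at project level, which lets the account mint tokens for every service account in the project. If you want the narrower grant, bind the role on the service account resource itself with `gcloud iam service-accounts add-iam-policy-binding SA_EMAIL --member=serviceAccount:SA_EMAIL --role=roles/iam.serviceAccountTokenCreator`, so the account can only create tokens for itself; that choice is mine, not something the page states.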