If you use the fabric-net-svpc-access module to associate a project to a host VPC project, and you set host_service_agent_role to true, the Kubernetes service agent in the service project is NOT granted the roles/container.hostServiceAgentUser role.
I'm assuming that it gets created correctly, by default, when simply setting shared_vpc_enabled and shared_vpc in the project_factory module, since I have a project created that way, and the GKE service agent (service-[PROJECT_NUMBER]@container-engine-robot.iam.gserviceaccount.com) for that project does have that role on the host project.
In the project where I specify no shared_vpc_enabled, but then explicitly use the fabric-net-svpc-access module to associate the host project with the service project, only the explicitly listed host_service_agent_users are granted that role.
It looks to me like the default Kubernetes service agent account (service-[PROJECT_NUMBER]@container-engine-robot.iam.gserviceaccount.com) should automatically be added to that list, or the docs should at least specify how to construct that account identifier manually in order to ensure it is included.
The error message resulting from the missing role points users to this page, which really isn't entirely accurate: https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted
In this case, the problem is not resolved by disabling and re-enabling the Kubernetes API, nor was it caused by deleting the service account.
And while I have you, if service accounts are going to have the project NUMBER in them, can we please also have the project number visible in the resource manager in the console? It is obnoxious to have to click through to the settings on each project, which loads a completely new page, just to see each project's number. Simply figuring out which projects' service accounts had the role and why took far too long, because I had no easy way to correlate the list of accounts with the list of projects visible in resource manager. I had to check each one. Project number keeps cropping up in various contexts, and it continues to be a PITA whenever it does because it isn't readily visible in the UI. Why not use project_id instead of project num, or else make project num just as visible as the project id is?
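For anyone hitting the same thing, here is how the service agent identifier can be built from the service project's number and passed explicitly. This is an added example, not code from the original issue, from the project_factory module, or from the fabric-net-svpc-access module's own docs. The module source path, the two project ids, and the host_project_id / service_project_ids input names are assumptions to check against the module's variables.tf; host_service_agent_role and host_service_agent_users are the inputs named in the issue above.

```hcl
# Added example (not from the issue or the module). Assumed: module source,
# project ids, and the host_project_id / service_project_ids input names.

# Look up the service project so the project NUMBER (not the id) is available.
data "google_project" "service" {
  project_id = "my-service-project"   # assumed id
}

locals {
  # GKE service agent of the service project. The member must carry the
  # "serviceAccount:" IAM prefix and uses the project number, not the id.
  gke_service_agent = "serviceAccount:service-${data.google_project.service.number}@container-engine-robot.iam.gserviceaccount.com"
}

module "svpc_access" {
  source = "terraform-google-modules/network/google//modules/fabric-net-svpc-access"  # assumed

  host_project_id     = "my-host-project"   # assumed id
  service_project_ids = [data.google_project.service.project_id]

  # host_service_agent_role = true only enables the grant; the module binds
  # roles/container.hostServiceAgentUser to the members listed below, so the
  # service project's GKE service agent has to be passed in explicitly.
  host_service_agent_role  = true
  host_service_agent_users = [local.gke_service_agent]
}

# Lets you correlate the project id with the number-based agent identity
# without opening each project's settings page in the console.
output "gke_service_agent" {
  value = {
    project_id = data.google_project.service.project_id
    member     = local.gke_service_agent
  }
}
```

One caveat: the service-[PROJECT_NUMBER]@container-engine-robot.iam.gserviceaccount.com account only exists once container.googleapis.com has been enabled in the service project, so the IAM binding above needs to be applied after that API is enabled (for example by making the module depend on the google_project_service resource that enables it), otherwise the apply fails because the member does not exist yet.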