I aim to enable Application Level Encryption on my GKE cluster. I am using a custom service account (with the required permissions to Encrypt/Decrypt a KMS key) to create this cluster, but it still asks me to grant Encrypt/Decrypt permissions to my Kubernetes service agent account (the SA that gets created when you enable the Kubernetes API on the GCP project).
Error: The service-xxxxxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com service account does not have permissions to encrypt/decrypt with the selected key.