After creating a new GKE cluster, creating a cluster role failed with the following error:
Error from server (Forbidden): error when creating "./role.yaml":
clusterroles.rbac.authorization.k8s.io "secret-reader" is forbidden:
attempt to grant extra privileges: [PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["list"]}] user=&{[email protected]
[system:authenticated] map[authenticator:[GKE]]} ownerrules= .
[PolicyRule{Resources:["selfsubjectaccessreviews"
"selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:
["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis"
"/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json"
"/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}]
ruleResolutionErrors=[]
My account has the following permissions in IAM:
Kubernetes Engine Admin
Kubernetes Engine Cluster Admin
Owner
This is my role.yaml (from the Kubernetes docs):
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
According to the RBAC docs of GCloud, I need to
create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.
So I tried this:
export GCP_USER=$(gcloud config get-value account | head -n 1)
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin --user=$GCP_USER
which succeeded, but I still get the same error when creating the cluster role.
Any ideas what I might be doing wrong?
You can use both Identity and Access Management (IAM) and Kubernetes RBAC to control access to your GKE cluster: IAM is not specific to Kubernetes; it provides identity management for multiple Google Cloud products, and operates primarily at the level of the Google Cloud project.
To create a cluster in GKE, you first choose a mode of operation: Autopilot or Standard. An Autopilot cluster is always regional; a Standard cluster can be either zonal or regional, and you pick the Compute Engine zone or region when you create it.
A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in. ClusterRole, by contrast, is a non-namespaced resource.
GKE is a Google Cloud service that provides a managed environment for deploying, managing and scaling containerized applications. It makes it easy to create a cluster with the required number of nodes in a few clicks. The nodes in the cluster are VM instances provided by another service, Compute Engine.
A ClusterRole can be used to grant the same permissions as a Role. Because ClusterRoles are cluster-scoped, you can also use them to grant access to cluster-scoped resources (such as nodes or persistentvolumes), to non-resource endpoints (such as /healthz), and to namespaced resources (such as secrets) across all namespaces. A storage administrator role, for example, can be created as a ClusterRole to authorize a storage admin to create persistentvolumes. To grant the permissions of a ClusterRole across the whole cluster, bind it with a ClusterRoleBinding; bound with a RoleBinding, the same ClusterRole only applies inside that RoleBinding's namespace.
GKE IAM roles are prefixed with roles/container, for example roles/container.admin, whose permissions you can inspect with gcloud iam roles describe roles/container.admin. In the Cloud Console, go to the Roles section of the IAM & Admin page; to see only the roles for GKE, enter Kubernetes Engine in the Filter table field.
Roles define which GCP resources an account can access and which operations they can perform. In GKE, you can use Cloud IAM to manage which users and service accounts can access, and perform operations in, your clusters.
According to Google Container Engine docs you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.
$ gcloud info | grep Account
Account: [[email protected]]
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin [email protected]
Clusterrolebinding "myname-cluster-admin-binding" created
Now you can create your ClusterRole without any problem.
I found the answer in CoreOS FAQ / Troubleshooting check it out for more information.
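An added example (not part of the question, the answer, or any Kubernetes or GKE source code): a small Python model of the RBAC escalation-prevention check that produces the "attempt to grant extra privileges" error above. The API server only lets a request create a Role or ClusterRole when every rule in it is already covered by the RBAC rules the requesting user holds (the ownerrules= list in the error, which contains no trace of the IAM roles listed in the question), which is why the answer binds cluster-admin to the Google identity first. The owner rules and the requested rules below are transcribed from the question; the cluster-admin rules are the ones every cluster ships with. Simplifications assumed here: resourceNames and aggregated ClusterRoles are ignored, and the alternative the real check also accepts (holding the escalate verb on roles/clusterroles) is not modelled.

```python
"""Model of the Kubernetes RBAC escalation check (added example, simplified).

A Role/ClusterRole create succeeds only if each atomic permission it grants
is covered by at least one rule the requesting user already holds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    """One RBAC PolicyRule; either resources or non_resource_urls is set."""
    verbs: tuple
    api_groups: tuple = ()
    resources: tuple = ()
    non_resource_urls: tuple = ()


def _break_into_subrules(rule):
    """Split a rule into single (group, resource, verb) or (url, verb) checks,
    mirroring how the API server compares rules piecewise."""
    subrules = []
    for verb in rule.verbs:
        for group in rule.api_groups:
            for resource in rule.resources:
                subrules.append(PolicyRule(verbs=(verb,), api_groups=(group,),
                                           resources=(resource,)))
        for url in rule.non_resource_urls:
            subrules.append(PolicyRule(verbs=(verb,), non_resource_urls=(url,)))
    return subrules


def _resource_covered(owner_resources, resource):
    # "*" covers everything; "*/status"-style entries cover that subresource
    # of any resource.
    if "*" in owner_resources or resource in owner_resources:
        return True
    if "/" in resource:
        _, sub = resource.split("/", 1)
        return ("*/" + sub) in owner_resources
    return False


def _url_covered(owner_urls, url):
    # Non-resource URLs match exactly or by prefix when the pattern ends in "*".
    for pattern in owner_urls:
        if pattern == url:
            return True
        if pattern.endswith("*") and url.startswith(pattern[:-1]):
            return True
    return False


def rule_covers(owner, subrule):
    """True if a single owner rule covers one atomic subrule."""
    verb = subrule.verbs[0]
    if "*" not in owner.verbs and verb not in owner.verbs:
        return False
    if subrule.resources:
        group, resource = subrule.api_groups[0], subrule.resources[0]
        group_ok = "*" in owner.api_groups or group in owner.api_groups
        return group_ok and _resource_covered(owner.resources, resource)
    return _url_covered(owner.non_resource_urls, subrule.non_resource_urls[0])


def uncovered_rules(owner_rules, requested_rules):
    """Return the atomic permissions in requested_rules that no owner rule
    covers. An empty list means the API server would allow the create."""
    missing = []
    for rule in requested_rules:
        for sub in _break_into_subrules(rule):
            if not any(rule_covers(owner, sub) for owner in owner_rules):
                missing.append(sub)
    return missing


def format_missing(missing):
    """Render uncovered subrules in a kubectl-like, human-readable form."""
    out = []
    for sub in missing:
        if sub.resources:
            out.append(f'{sub.verbs[0]} {sub.resources[0]} in apiGroup "{sub.api_groups[0]}"')
        else:
            out.append(f"{sub.verbs[0]} {sub.non_resource_urls[0]}")
    return out


# Constructed from the ownerrules= list in the error message in the question:
# what a GKE user holds via system:authenticated before any binding is added.
GKE_USER_DEFAULT_RULES = [
    PolicyRule(verbs=("create",), api_groups=("authorization.k8s.io",),
               resources=("selfsubjectaccessreviews", "selfsubjectrulesreviews")),
    PolicyRule(verbs=("get",), non_resource_urls=(
        "/api", "/api/*", "/apis", "/apis/*", "/healthz", "/swagger-2.0.0.pb-v1",
        "/swagger.json", "/swaggerapi", "/swaggerapi/*", "/version")),
]

# The rules of role.yaml from the question.
SECRET_READER_RULES = [
    PolicyRule(verbs=("get", "watch", "list"), api_groups=("",), resources=("secrets",)),
]

# The built-in cluster-admin ClusterRole: everything on every resource and URL.
CLUSTER_ADMIN_RULES = [
    PolicyRule(verbs=("*",), api_groups=("*",), resources=("*",)),
    PolicyRule(verbs=("*",), non_resource_urls=("*",)),
]

if __name__ == "__main__":
    before = uncovered_rules(GKE_USER_DEFAULT_RULES, SECRET_READER_RULES)
    print("with default GKE rules, uncovered:", format_missing(before))
    after = uncovered_rules(GKE_USER_DEFAULT_RULES + CLUSTER_ADMIN_RULES, SECRET_READER_RULES)
    print("after the cluster-admin binding, uncovered:", format_missing(after))
```

Run as-is, the first call reports the three uncovered permissions (get, watch and list on secrets in the core API group), exactly the three PolicyRules the error lists, and the second call reports none once the cluster-admin rules are added to the user's set. The same question can be asked of a live cluster before retrying the create with `kubectl auth can-i list secrets --all-namespaces`; a `no` means the escalation check will reject a ClusterRole that grants it. Keep in mind that the binding in the answer gives the Google identity full cluster-admin inside the cluster, which is far more than the ClusterRole being created needs.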