Error from server (Forbidden): error when creating .. : clusterroles.rbac.authorization.k8s.io ...: attempt to grant extra privileges:

Failed to create clusterroles. <> is already assigned the roles of "container engine admin" & "container engine cluster admin"

Error from server (Forbidden): error when creating "prometheus- operator/prometheus-operator-cluster-role.yaml": clusterroles.rbac.authorization.k8s.io "prometheus-operator" is forbidden: attempt to grant extra privileges: [{[create] [extensions] [thirdpartyresources] [] []} {[*] [monitoring.coreos.com] [alertmanagers] [] []} {[*] [monitoring.coreos.com] [prometheuses] [] []} {[*] [monitoring.coreos.com] [servicemonitors] [] []} {[*] [apps] [statefulsets] [] []} {[*] [] [configmaps] [] []} {[*] [] [secrets] [] []} {[list] [] [pods] [] []} {[delete] [] [pods] [] []} {[get] [] [services] [] []} {[create] [] [services] [] []} {[update] [] [services] [] []} {[get] [] [endpoints] [] []} {[create] [] [endpoints] [] []} {[update] [] [endpoints] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []}] user=&{<<my_account>>@gmail.com [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version]}] ruleResolutionErrors=[] 
ccyang2005 asked Jun 04 '17 01:06



2 Answers

I've got the same problem on Google Kubernetes Engine.

According to the answer of enj and the comment of ccyang2005, please find the following snippet which solved my problem :)

Step 1 : Get your identity

gcloud info | grep Account 

It will output something like Account: [[email protected]]

Step 2 : grant cluster-admin to your current identity

kubectl create clusterrolebinding myname-cluster-admin-binding \
  --clusterrole=cluster-admin \
  [email protected]

It will output something like Clusterrolebinding "myname-cluster-admin-binding" created


After that, you'll be able to create ClusterRoles.

alphayax answered Sep 27 '22 19:09


Based on https://cloud.google.com/container-engine/docs/role-based-access-control#setting_up_role-based_access_control

Because of the way Container Engine checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.

An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.

This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.

So you need to bind your account to a cluster admin role.

monis answered Sep 27 '22 18:09
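Both answers come down to the same escalation-prevention rule: the API server only lets you create a ClusterRole whose rules you already hold (the `ownerrules=` part of the message). As an added example, not taken from either answer, here is a small Python parser for the Forbidden message quoted in the question that lists exactly which requested rules your identity lacks, so you can judge whether a narrower binding than cluster-admin would do; the covering check is a simplified version of the server's, `<<my_account>>` is the question's redaction, and `CLUSTER_ADMIN_RULE` is a constructed stand-in for the cluster-admin role's resource rule.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Forbidden message from the question above, account redacted.
SAMPLE_ERROR = (
    'attempt to grant extra privileges: [{[create] [extensions] [thirdpartyresources] [] []} '
    '{[*] [monitoring.coreos.com] [alertmanagers] [] []} {[*] [monitoring.coreos.com] [prometheuses] [] []} '
    '{[*] [monitoring.coreos.com] [servicemonitors] [] []} {[*] [apps] [statefulsets] [] []} '
    '{[*] [] [configmaps] [] []} {[*] [] [secrets] [] []} {[list] [] [pods] [] []} {[delete] [] [pods] [] []} '
    '{[get] [] [services] [] []} {[create] [] [services] [] []} {[update] [] [services] [] []} '
    '{[get] [] [endpoints] [] []} {[create] [] [endpoints] [] []} {[update] [] [endpoints] [] []} '
    '{[list] [] [nodes] [] []} {[watch] [] [nodes] [] []}] user=&{<<my_account>>@gmail.com '
    '[system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} '
    '{[get] [] [] [] [/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version]}] ruleResolutionErrors=[]'
)
RULE_RE = re.compile(r"\{((?:\[[^\]]*\]\s*){5})\}")  # {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
LIST_RE = re.compile(r"\[([^\]]*)\]")

@dataclass(frozen=True)
class PolicyRule:
    verbs: tuple
    api_groups: tuple
    resources: tuple
    resource_names: tuple
    non_resource_urls: tuple

# Constructed stand-in for the resource rule the cluster-admin ClusterRole carries.
CLUSTER_ADMIN_RULE = PolicyRule(("*",), ("*",), ("*",), (), ())

def parse_rules(text):
    """Turn the rule list printed by the API server into PolicyRule objects."""
    return [PolicyRule(*(tuple(f.split()) for f in LIST_RE.findall(m.group(1))))
            for m in RULE_RE.finditer(text)]

def covers(owner, wanted):
    """Simplified escalation check: every verb, API group and resource in `wanted`
    must be permitted by `owner` ('*' matches anything; non-resource rules are not compared)."""
    if wanted.non_resource_urls or owner.non_resource_urls:
        return False
    ok = lambda item, held: "*" in held or item in held
    return (all(ok(v, owner.verbs) for v in wanted.verbs)
            and all(ok(g, owner.api_groups) for g in wanted.api_groups)
            and all(ok(r, owner.resources) for r in wanted.resources))

def missing_rules(error_text):
    """Rules the new ClusterRole asks for that none of the caller's ownerrules cover."""
    wanted = error_text.split("attempt to grant extra privileges:", 1)[1].split(" user=", 1)[0]
    owner = parse_rules(error_text.split("ownerrules=", 1)[1].split(" ruleResolutionErrors=", 1)[0])
    return [w for w in parse_rules(wanted) if not any(covers(o, w) for o in owner)]
```

For the message in the question every one of the 17 requested rules is missing, since an authenticated-only identity holds nothing beyond self-access reviews and discovery URLs, which is why the binding step in the accepted answer is needed before the ClusterRole can be created.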