I did this example https://github.com/jetstack/kube-lego/tree/master/examples/gce , then failed to create ClusterRole kube-lego.
The error is:
Error from server (Forbidden): error when creating "k8s/kube-lego/hoge.yaml": clusterroles.rbac.authorization.k8s.io "kube-lego" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["create"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["patch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["delete"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["update"]}] user=&{[email protected] [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
I tried on 1.8.6-gke.0, 1.8.7-gke.0 and 1.9.2-gke.0.
Thanks.
A cluster role for Kubernetes defines user permissions required to perform operations on a Kubernetes cluster. You do not need permissions on the cluster to run the script for creating a cluster role because the kubectl api-resources can be accessed by any account.
RoleBinding and ClusterRoleBinding
A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide. A RoleBinding may reference any Role in the same namespace.
RoleBinding can also reference a ClusterRole to grant the permissions defined in that ClusterRole to resources inside the RoleBinding's namespace. This kind of reference lets you define a set of common roles across your cluster, then reuse them within multiple namespaces. Kubernetes — RBAC — RoleBinding — ClusterRole.
As commented in kube-lego issue 225:
Turns out the error I was receiving is a known issue with GKE 1.6. I resolved it by following this article:
get current google identity
$ gcloud info | grep Account
Account: [[email protected]]
grant cluster-admin to your current identity
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin [email protected]
Clusterrolebinding "myname-cluster-admin-binding" created
For the actual RBAC rules to define, see issue 99.
It refers to the PR "Adds official RBAC rules", which applies the right settings:
# RBAC objects
kubectl apply -f lego/service-account.yaml
kubectl apply -f lego/cluster-role.yaml
kubectl apply -f lego/cluster-role-binding.yaml
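The Forbidden error in the question comes from the RBAC escalation check: the API server refuses to create a ClusterRole that grants anything the creating identity does not itself hold, which is why the plain GKE user (only SelfSubjectAccessReview and discovery URLs in its ownerrules) fails and a cluster-admin binding fixes it. The added example below, not code from kube-lego or either answer, models that check offline; the rule sets are constructed from the error message, and it also handles wildcard and prefix matching for cluster-admin style rules:

```python
# Added example (not kube-lego's own code): offline model of the RBAC escalation
# check behind "attempt to grant extra privileges". Each rule being granted is
# split into (apiGroup, resource, verb) or (url, verb) tuples; every tuple must be
# covered by a rule the creator already holds (subresources/resourceNames omitted).
def _match(allowed, wanted):
    """A '*' entry in a rule field matches anything; otherwise exact match."""
    return "*" in allowed or wanted in allowed

def _url_match(allowed_urls, url):
    """nonResourceURLs accept a trailing '*' as a prefix wildcard (e.g. /apis/*)."""
    return any(u == url or (u.endswith("*") and url.startswith(u[:-1]))
               for u in allowed_urls)

def _atoms(rule):
    """Break one PolicyRule into the atomic tuples the API server compares."""
    if "nonResourceURLs" in rule:
        return [(u, v) for u in rule["nonResourceURLs"] for v in rule["verbs"]]
    return [(g, r, v) for g in rule["apiGroups"] for r in rule["resources"] for v in rule["verbs"]]

def _covered(owner_rules, atom):
    """True if at least one owner rule covers this single atomic tuple."""
    for o in owner_rules:
        if len(atom) == 2 and "nonResourceURLs" in o:
            if _url_match(o["nonResourceURLs"], atom[0]) and _match(o["verbs"], atom[1]):
                return True
        elif len(atom) == 3 and "resources" in o:
            if all(_match(o[k], x) for k, x in zip(("apiGroups", "resources", "verbs"), atom)):
                return True
    return False

def extra_privileges(owner_rules, role_rules):
    """Atomic tuples the owner cannot grant; an empty list means the create is allowed."""
    return [a for r in role_rules for a in _atoms(r) if not _covered(owner_rules, a)]
# Constructed inputs condensed from the error in the question: the kube-lego
# ClusterRole, the ownerrules of a plain GKE user, and what cluster-admin holds.
KUBE_LEGO_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["services", "endpoints"],
     "verbs": ["get", "create", "update", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create", "update"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]
GKE_USER_RULES = [
    {"apiGroups": ["authorization.k8s.io"], "verbs": ["create"],
     "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]},
    {"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/healthz", "/version"],
     "verbs": ["get"]},
]
CLUSTER_ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                       {"nonResourceURLs": ["*"], "verbs": ["*"]}]
```

`extra_privileges(GKE_USER_RULES, KUBE_LEGO_RULES)` returns all 20 atomic tuples of the kube-lego role, matching the list in the error, while `extra_privileges(CLUSTER_ADMIN_RULES, KUBE_LEGO_RULES)` returns an empty list.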