
GKE clusterrolebinding for cluster-admin fails with permission error

I've just created a new cluster using Google Container Engine running Kubernetes 1.7.5, with the new RBAC permissions enabled. I've run into a problem allocating permissions for some of my services, which led me to the following:

The docs for using container engine with RBAC state that the user must be granted the ability to create authorization roles by running the following command:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]

However, this fails due to lack of permissions (which I would assume are the very same permissions which we are attempting to grant by running the above command).

Error from server (Forbidden): 
User "<user-name>" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope.: 
  "Required \"container.clusterRoleBindings.create\" permission." 
  (post clusterrolebindings.rbac.authorization.k8s.io)

Any help would be much appreciated as this is blocking me from creating the permissions needed by my cluster services.

rmtmckenzie asked Sep 19 '17 18:09


1 Answer

If your kubeconfig was created automatically by gcloud, then your user is not the all-powerful admin user - which you are trying to create a binding for.

Use gcloud container clusters describe <clustername> --zone <zone> on the cluster and look for the password field.

Thereafter execute kubectl --username=admin --password=FROMABOVE create clusterrolebinding ...

Janos Lenart answered Oct 03 '22 18:10
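
The two steps from the answer above combined into one script, as an added example that is not part of the original answer. The function names and the sample output are constructed, and the script assumes the describe output is YAML with the password nested under a top-level masterAuth key.

```bash
#!/usr/bin/env bash
# Added example. Function names and the sample below are constructed.
# Assumption: `gcloud container clusters describe` prints YAML in which the
# admin password is nested under a top-level `masterAuth:` key.

# Constructed sample of the relevant part of the describe output.
SAMPLE_DESCRIBE='name: demo-cluster
masterAuth:
  clusterCaCertificate: constructed-ca
  password: constructed-pw
  username: admin
network: default'

# Print one field of the masterAuth block from YAML on stdin.
# Prints nothing if the block or the field is absent.
master_auth_field() {
  awk -v key="$1" '
    /^masterAuth:/              { in_block = 1; next }
    in_block && /^[^ ]/         { in_block = 0 }   # next top-level key ends the block
    in_block && $1 == (key ":") { print $2; exit }
  '
}

# Usage: bind_cluster_admin <clustername> <zone> <user-name>
bind_cluster_admin() {
  bca_desc=$(gcloud container clusters describe "$1" --zone "$2") || return 1
  bca_pw=$(printf '%s\n' "$bca_desc" | master_auth_field password)
  if [ -z "$bca_pw" ]; then
    echo "no password field found in describe output" >&2
    return 1
  fi
  # Same kubectl invocation as in the answer, with the binding from the question.
  kubectl --username=admin --password="$bca_pw" \
    create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin --user="$3"
}
```

Sourcing the file only defines the functions; nothing contacts the cluster until bind_cluster_admin is called.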