error when creating "install/kubernetes/istio-rbac-beta.yaml"

8/10/2017

I was trying to deploy Istio in my environment and ran across the following error. All the solutions online are regarding clusterrolebinding; I have tried to do that but failed nevertheless. Any input on my problem?

kubectl api-versions | grep rbac

rbac.authorization.k8s.io/v1alpha1
rbac.authorization.k8s.io/v1beta1

sudo kubectl apply -f install/kubernetes/istio-rbac-beta.yaml

rolebinding "istio-pilot-admin-role-binding" configured
rolebinding "istio-ca-role-binding" configured
rolebinding "istio-ingress-admin-role-binding" configured
rolebinding "istio-sidecar-role-binding" configured

Error from server (Forbidden): 
error when creating"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden:
attempt to grant extra privileges: [{[*] [istio.io] [istioconfigs] [] 
[]} {[*] [istio.io] [istioconfigs.istio.io] [] []} {[*] [extensions] 
[thirdpartyresources] [] []} {[*] [extensions] 
[thirdpartyresources.extensions] [] []} {[*] [extensions] [ingresses] 
[] []} {[*] [] [configmaps] [] []} {[*] [] [endpoints] [] []} {[*] [] 
[pods] [] []} {[*] [] [services] [] []}] user=&{kubeconfig  
[system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

Error from server (Forbidden): error when creating 
"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden: 
attempt to grant extra privileges: [{[create] [] [secrets] [] []} 
{[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[list] [] 
[secrets] [] []} {[watch] [] [serviceaccounts] [] []} {[list] [] 
[serviceaccounts] [] []}] user=&{kubeconfig  [system:authenticated] 
map[]} ownerrules=[] ruleResolutionErrors=[]

Error from server (Forbidden): error when creating 
"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-sidecar" is forbidden: 
attempt to grant extra privileges: [{[get] [istio.io] [istioconfigs] [] 
[]} {[watch] [istio.io] [istioconfigs] [] []} {[list] [istio.io] 
[istioconfigs] [] []} {[get] [extensions] [thirdpartyresources] [] []} 
{[watch] [extensions] [thirdpartyresources] [] []} {[list] [extensions] 
[thirdpartyresources] [] []} {[update] [extensions] 
[thirdpartyresources] [] []} {[get] [extensions] [ingresses] [] []} 
{[watch] [extensions] [ingresses] [] []} {[list] [extensions] 
[ingresses] [] []} {[update] [extensions] [ingresses] [] []} {[get] [] 
[configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] [] 
[configmaps] [] []} {[get] [] [pods] [] []} {[watch] [] [pods] [] []} 
{[list] [] [pods] [] []} {[get] [] [endpoints] [] []} {[watch] [] 
[endpoints] [] []} {[list] [] [endpoints] [] []} {[get] [] [services] 
[] []} {[watch] [] [services] [] []} {[list] [] [services] [] []}] 
user=&{kubeconfig  [system:authenticated] map[]} ownerrules=[] 
ruleResolutionErrors=[]
-- Vallari Mehta
istio
kubernetes

2 Answers

8/11/2017

The error Kubernetes gives you basically means that it thinks whatever you're trying to do is a privilege escalation (which is correct) and tries to prevent that.

The RBAC API prevents users from escalating privileges by editing roles or role bindings. Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use. A user can only create/update a role if they already have all the permissions contained in the role, at the same scope as the role (cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role). For example, if “user-1” does not have the ability to list secrets cluster-wide, they cannot create a ClusterRole containing that permission. (taken from here)

The reason for that is because the ClusterRole that is applied (using a ClusterRoleBinding) to the user you're using to access the cluster does not actually have all the permissions you're trying to give your application. To resolve that, you need to create a ClusterRoleBinding that gives your User the necessary permissions. In your case it would make sense to bind you to the cluster-admin role which gives you unlimited permissions.

To do that, you can run something like that:

kubectl create clusterrolebinding your-user-cluster-admin --clusterrole=cluster-admin --user=your-user
-- Lorenz
Source: StackOverflow

8/11/2017

In order to prevent escalation attacks, the RBAC APIs will not let you create roles with permissions your user does not currently have (or rolebindings to roles containing permissions you don't have).

That message is telling you that the roles you are trying to create have permissions in them that your current user (username=kubeconfig) does not have.

See https://kubernetes.io/docs/admin/authorization/rbac/#privilege-escalation-prevention-and-bootstrapping for more details

-- Jordan Liggitt
Source: StackOverflow
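Both answers describe the same mechanism: the API server refuses to create a ClusterRole unless the caller already holds every rule in it, cluster-wide. A pre-flight check for that, added here as an example and not part of the question or either answer, parses the refused rules out of the Forbidden message (the `{[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}` tuples) and turns each one into a cluster-wide `kubectl auth can-i` query, so the permissions the current user lacks are listed before anyone reaches for a cluster-admin binding. It assumes a kubectl whose `auth can-i` accepts `--all-namespaces`; the message text is a constructed, abridged copy of the one in the question.

```python
import re
import subprocess

# Each refused rule in the Forbidden message has the shape
#   {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
RULE_RE = re.compile(r"\{\[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\]\}")

# Constructed, abridged copy of the message in the question above.
SAMPLE_MESSAGE = """Error from server (Forbidden): error when creating
"install/kubernetes/istio-rbac-beta.yaml":
clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden:
attempt to grant extra privileges: [{[create] [] [secrets] [] []}
{[get] [] [secrets] [] []} {[list] [] [serviceaccounts] [] []}
{[*] [istio.io] [istioconfigs] []
[]}] user=&{kubeconfig  [system:authenticated] map[]} ownerrules=[]"""

def parse_extra_privileges(message):
    """Return the PolicyRules the API server refused to grant, as dicts."""
    flat = re.sub(r"\s+", " ", message)  # the pasted message wraps rules across lines
    rules = []
    for verbs, groups, resources, names, urls in RULE_RE.findall(flat):
        rules.append({
            "verbs": verbs.split(),
            "apiGroups": groups.split() or [""],  # [] means the core API group
            "resources": resources.split(),
            "resourceNames": names.split(),
            "nonResourceURLs": urls.split(),
        })
    return rules

def can_i_commands(rules):
    """One cluster-wide `kubectl auth can-i` per verb/resource the caller must already hold."""
    cmds = []
    for rule in rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                target = resource if group == "" else f"{resource}.{group}"
                for verb in rule["verbs"]:
                    cmds.append(["kubectl", "auth", "can-i", "--all-namespaces", verb, target])
    return cmds

def _kubectl_stdout(cmd):
    # `kubectl auth can-i` prints "yes" or "no" (exit status 1 on "no"), so no check=True.
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def find_missing(cmds, run=_kubectl_stdout):
    """Run each check; return "VERB RESOURCE" for every permission the current user lacks."""
    return [" ".join(cmd[-2:]) for cmd in cmds if run(cmd).strip() != "yes"]
```

Against a real cluster, `find_missing(can_i_commands(parse_extra_privileges(msg)))` with the pasted message as `msg` prints exactly the verb/resource pairs that the bootstrap identity needs to be granted; anything not on that list does not need a broader binding.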