Cannot create cluster role in GKE even though I am owner and admin

4/15/2018

After creating a new GKE cluster, creating a cluster role failed with the following error:

Error from server (Forbidden): error when creating "./role.yaml":
clusterroles.rbac.authorization.k8s.io "secret-reader" is forbidden: 
attempt to grant extra privileges: [PolicyRule{Resources:["secrets"], 
APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], 
APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], 
APIGroups:[""], Verbs:["list"]}] user=&{XXX@gmail.com  
[system:authenticated] map[authenticator:[GKE]]} ownerrules= . 
[PolicyRule{Resources:["selfsubjectaccessreviews" 
"selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs: 
["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" 
"/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" 
"/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] 
ruleResolutionErrors=[]

My account has the following permissions in IAM:

Kubernetes Engine Admin

Kubernetes Engine Cluster Admin

Owner

This is my role.yaml (from the Kubernetes docs):

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

According to the RBAC docs of GCloud, I need to

create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.

So I tried this:

export GCP_USER=$(gcloud config get-value account | head -n 1)
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin --user=$GCP_USER

which succeeded, but I still get the same error when creating the cluster role.

Any ideas what I might be doing wrong?

-- Sebastian Rösch
google-cloud-platform
google-kubernetes-engine
kubernetes
rbac

4 Answers

1/22/2019

If you got the casing right, try to add both googlemail domain variants (i.e. @gmail.com and @googlemail.com). For me gcloud info | grep Account returned <name>@googlemail.com but I had to create a clusterrole binding with <name>@gmail.com for the command to work.

-- lordvlad
Source: StackOverflow

10/24/2018

According to Google Container Engine docs you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.

Get current google identity

$ gcloud info | grep Account

Account: [myname@example.org]

Grant cluster-admin to your current identity

$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org

Clusterrolebinding "myname-cluster-admin-binding" created

Now you can create your ClusterRole without any problem.

I found the answer in CoreOS FAQ / Troubleshooting check it out for more information.

-- Manuel Felipe Garcia Rincon
Source: StackOverflow

12/23/2018

@S.Heutmaker's comment led me to the solution.

For me, the solution was to create the cluster-admin-binding with the correct casing on the email address. Check the casing in the error message or in the Google Cloud Console IAM page.

$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=MyName@example.org

-- RauBan
Source: StackOverflow
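The two mechanisms behind this thread, as an added example that is not part of the question or any answer: first, the API server's RBAC escalation-prevention check, which rejects a new ClusterRole unless every rule in it is already covered by the rules the creator holds (the "ownerrules" list in the Forbidden error; the default GKE user holds only self-subject reviews and a few non-resource GET URLs), and second, binding-subject matching, which compares a User subject to the authenticated username by exact, case-sensitive string equality, so a binding for xxx@gmail.com does nothing for XXX@gmail.com. The coverage logic below is a simplified Python re-implementation written for this page, not Kubernetes code; the identities and rule sets are constructed from the error text above and from the well-known contents of the cluster-admin role.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class PolicyRule:
    """Subset of rbac.authorization.k8s.io PolicyRule used by this model."""
    api_groups: tuple = ()
    resources: tuple = ()
    verbs: tuple = ()
    non_resource_urls: tuple = ()


def _allowed(held: tuple, wanted: str) -> bool:
    # A held "*" matches anything; otherwise the exact entry must be present.
    return "*" in held or wanted in held


def _url_allowed(held: tuple, url: str) -> bool:
    # Non-resource URL patterns may end in "*" (e.g. "/apis/*").
    for pattern in held:
        if pattern == "*" or pattern == url:
            return True
        if pattern.endswith("*") and url.startswith(pattern[:-1]):
            return True
    return False


def _split(rule: PolicyRule) -> List[PolicyRule]:
    """Break a rule into one-verb pieces, like the individual PolicyRule
    entries the Forbidden error lists as "extra privileges"."""
    pieces = []
    for verb in rule.verbs:
        for url in rule.non_resource_urls:
            pieces.append(PolicyRule(verbs=(verb,), non_resource_urls=(url,)))
        for group in rule.api_groups:
            for res in rule.resources:
                pieces.append(PolicyRule(api_groups=(group,), resources=(res,), verbs=(verb,)))
    return pieces


def _covered_by(held: PolicyRule, piece: PolicyRule) -> bool:
    if not _allowed(held.verbs, piece.verbs[0]):
        return False
    if piece.non_resource_urls:
        return _url_allowed(held.non_resource_urls, piece.non_resource_urls[0])
    return (_allowed(held.api_groups, piece.api_groups[0])
            and _allowed(held.resources, piece.resources[0]))


def extra_privileges(owner_rules: Sequence[PolicyRule],
                     requested_rules: Sequence[PolicyRule]) -> List[PolicyRule]:
    """Pieces of the new role that none of the creator's own rules cover.
    An empty list means the escalation check passes."""
    return [p for r in requested_rules for p in _split(r)
            if not any(_covered_by(h, p) for h in owner_rules)]


def binding_applies(subjects: Sequence[Tuple[str, str]], username: str) -> bool:
    """RBAC subject matching for kind=User: exact, case-sensitive equality."""
    return any(kind == "User" and name == username for kind, name in subjects)


# Constructed from the "ownerrules" in the question's error: what a fresh
# GKE user holds before any cluster-admin binding exists.
DEFAULT_OWNER_RULES = (
    PolicyRule(api_groups=("authorization.k8s.io",),
               resources=("selfsubjectaccessreviews", "selfsubjectrulesreviews"),
               verbs=("create",)),
    PolicyRule(non_resource_urls=("/api", "/api/*", "/apis", "/apis/*", "/healthz",
                                  "/swagger-2.0.0.pb-v1", "/swagger.json",
                                  "/swaggerapi", "/swaggerapi/*", "/version"),
               verbs=("get",)),
)

# The built-in cluster-admin ClusterRole: "*" on everything.
CLUSTER_ADMIN_RULES = (
    PolicyRule(api_groups=("*",), resources=("*",), verbs=("*",)),
    PolicyRule(non_resource_urls=("*",), verbs=("*",)),
)

# The secret-reader role from the question's role.yaml.
SECRET_READER = (
    PolicyRule(api_groups=("",), resources=("secrets",), verbs=("get", "watch", "list")),
)


if __name__ == "__main__":
    # Before the binding: three uncovered one-verb rules, exactly as in the error.
    print(extra_privileges(DEFAULT_OWNER_RULES, SECRET_READER))
    # After a binding that actually matches the username: nothing is extra.
    print(extra_privileges(DEFAULT_OWNER_RULES + CLUSTER_ADMIN_RULES, SECRET_READER))
    # A binding with the wrong casing never applies, so ownerrules stay the default.
    print(binding_applies([("User", "xxx@gmail.com")], "XXX@gmail.com"))
```

The practical check this models is `kubectl auth can-i create clusterroles`, run as the same identity that kubectl is using: if it still answers "no" after the binding exists, the binding's User subject does not match the username the API server sees, which is the casing or domain-variant mismatch the answers above describe.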

4/15/2018

That's the correct solution. Is the GCP_USER obtained the same as the XXX@gmail.com username in the role creation error message?

-- Jordan Liggitt
Source: StackOverflow