Kubernetes cannot create namespaces at the cluster scope

8/19/2018

I was trying to create a namespace using kubectl, but I got this error:

Error from server (Forbidden): error when creating "namespacefoo": namespaces is forbidden: User "xyz@pqr.com" cannot create namespaces at the cluster scope

Is there a concept of "scope" in Kubernetes? I couldn't find any information about different types of scope. If I cannot create a namespace at the cluster scope, where can I create the namespace? How can I check which "scopes" I have access to?

-- Ufder
kubernetes
namespaces

3 Answers

8/19/2018

That depends on your Kubernetes environment.

This answer suggests (in a Google Cloud environment):

That suggests that gcloud config set container/use_client_certificate is set to true i.e. that gcloud is expecting a client cluster certificate to authenticate to the cluster (this is what the 'client' in the error message refers to).

Unsetting container/use_client_certificate by issuing the following command in the gcloud config ends the need for a legacy certificate or credentials and prevents the error message:

gcloud config unset container/use_client_certificate

Issues such as this may be more likely if you are using an older version of gcloud on your home workstation or elsewhere.

Still, kubernetes/kubernetes issue 62361 mentions the same error message.

-- VonC
Source: StackOverflow

8/19/2018

Is this GKE? If so, RBAC is enabled by default - you may need to grant yourself the cluster-admin role to create namespaces.

-- Dan
Source: StackOverflow

8/19/2018

Resources within Kubernetes are either namespaced (exist within a containing namespace) or cluster-scoped (are not contained within a namespace). Examples of namespaced resources are pods, configmaps, and serviceaccounts. Examples of cluster-scoped resources are nodes, persistentvolumes, and namespaces themselves.

When an operation is forbidden, the message indicates which scope the operation was forbidden at, and if the resource is namespaced, which namespace the operation was attempted within.

"Cannot create namespaces at the cluster scope" is not in contrast to creating namespaces at some other scope; it is just attempting to indicate at what scope you would need to grant permissions to allow that operation.

-- Jordan Liggitt
Source: StackOverflow
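
Added example (not part of any answer above, and not Kubernetes project code): a small Python parser that reads the scope out of a Forbidden message like the one in the question and prints the narrowest RBAC grant for it, a ClusterRole/ClusterRoleBinding for cluster-scoped resources or a Role/RoleBinding for namespaced ones, instead of binding cluster-admin. It goes beyond the question's message by also accepting the newer `resource "..." in API group "..."` wording and the namespaced form; the function names and the grant name `example-grant` are hypothetical.

```python
import re

# Two message shapes are accepted: the older one quoted in the question
# ("cannot create namespaces at the cluster scope") and the newer one
# ('cannot create resource "namespaces" in API group "" at the cluster scope').
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) '
    r'(?:resource "(?P<res_new>[^"]+)" in API group "(?P<group>[^"]*)"'
    r'|(?P<res_old>\S+))'
    r' (?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

def parse_forbidden(message):
    """Extract who was denied what, and at which scope."""
    m = FORBIDDEN.search(message)
    if m is None:
        raise ValueError("not a recognised RBAC Forbidden message")
    return {
        "user": m["user"],
        "verb": m["verb"],
        "resource": m["res_new"] or m["res_old"],
        "group": m["group"] or "",   # older messages omit the API group
        "namespace": m["ns"],        # None means cluster scope
    }

def minimal_grant(d, name="example-grant"):  # name is a placeholder
    """Return YAML granting only the denied verb on the denied resource."""
    cluster = d["namespace"] is None
    kind = "ClusterRole" if cluster else "Role"
    ns_line = "" if cluster else f"  namespace: {d['namespace']}\n"
    meta = f"metadata:\n  name: {name}\n{ns_line}"
    api = "rbac.authorization.k8s.io"
    return (
        f"apiVersion: {api}/v1\nkind: {kind}\n{meta}"
        f"rules:\n- apiGroups: [\"{d['group']}\"]\n"
        f"  resources: [\"{d['resource']}\"]\n  verbs: [\"{d['verb']}\"]\n"
        f"---\napiVersion: {api}/v1\nkind: {kind}Binding\n{meta}"
        f"subjects:\n- kind: User\n  name: \"{d['user']}\"\n  apiGroup: {api}\n"
        f"roleRef:\n  kind: {kind}\n  name: {name}\n  apiGroup: {api}\n"
    )

if __name__ == "__main__":
    # Message text as quoted in the question.
    msg = ('namespaces is forbidden: User "xyz@pqr.com" cannot create '
           'namespaces at the cluster scope')
    print(minimal_grant(parse_forbidden(msg)))
```

Against a live cluster, `kubectl auth can-i create namespaces` answers the "do I have access" part of the question directly.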