I am trying to install Traefik as an ingress controller on GKE (Google Cloud Kubernetes Engine), and when I try:
kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml
I have this error:
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml": clusterroles.rbac.authorization.k8s.io "traefik-ingress-controller" is forbidden: attempt to grant extra privileges: [PolicyRule{APIGroups:[""], Resources:["services"], Verbs:["get"]} PolicyRule{APIGroups:[""], Resources:["services"], Verbs:["list"]} PolicyRule{APIGroups:[""], Resources:["services"], Verbs:["watch"]} PolicyRule{APIGroups:[""], Resources:["endpoints"], Verbs:["get"]} PolicyRule{APIGroups:[""], Resources:["endpoints"], Verbs:["list"]} PolicyRule{APIGroups:[""], Resources:["endpoints"], Verbs:["watch"]} PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["get"]} PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["list"]} PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["watch"]} PolicyRule{APIGroups:["extensions"], Resources:["ingresses"], Verbs:["get"]} PolicyRule{APIGroups:["extensions"], Resources:["ingresses"], Verbs:["list"]} PolicyRule{APIGroups:["extensions"], Resources:["ingresses"], Verbs:["watch"]}] user=&{IzoPi4a@gmail.com [system:authenticated] map[user-assertion.cloud.google.com:[ADKE0IBz9kwSuZRZkfbLil8iC/ijcmJJmuys2DvDGxoxQ5yP6Pdq1IQs3JRwDmd/lWm2vGdMXGB4h1QKiwx+3uV2ciTb/oQNtkthBvONnVp4fJGOSW1S+8O8dqvoUNRLNeB5gADNn1TKEYoB+JvRkjrkTOxtIh7rPugLaP5Hp7thWft9xwZqF9U4fgYHnPjCdRgvMrDvGIK8z7ONljYuStpWdJDu7LrPpT0L]]} ownerrules=[PolicyRule{APIGroups:["authorization.k8s.io"], Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/openapi" "/openapi/" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/" "/version" "/version/"], Verbs:["get"]}] ruleResolutionErrors=[]
The problem is this part only, the other one is created successfully:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
Based on the docs (https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control), I tried executing this command, but I still get the same error:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=MY_EMAIL_THAT_I_LOGIN_INTO_GCP
Has anyone ever managed to fix this? Or does it just not work?
I am trying to make a Kubernetes cluster without a loadBalancer in order to be cheap. On my local machine (minikube), I have no such problems.
So for everyone who is trying to install Traefik on GKE and gets stuck with that error message, just do this first: https://stackoverflow.com/a/46316672/1747159
# Get password value
$ gcloud container clusters describe CLUSTER_NAME --zone ZONE_NAME | grep password
# Pass username and password parameters
$ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml --username=admin --password=PASSWORD
Thanks to Nicola Ben for helping me figure it out.
The main problem here is that your current user does not have enough rights to do this. To create the necessary binding:
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=$(gcloud config get-value core/account)
Thanks to Istio for the idea.
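The error in the question comes from the RBAC escalation check: the API server refuses to create a role that grants permissions the caller does not already hold, and it prints the caller's own rules under ownerrules. The following is an added example, not code from the original posts, that parses an error of this format and reports which requested permissions are uncovered before and after a cluster-admin rule is held. The sample error is constructed and shortened, and the coverage check is a simplification that ignores resourceNames and non-resource URLs.

```python
import re

# Constructed, shortened sample in the format of the Forbidden error quoted in the question.
SAMPLE_ERROR = (
    'clusterroles.rbac.authorization.k8s.io "traefik-ingress-controller" is forbidden: '
    'attempt to grant extra privileges: '
    '[PolicyRule{APIGroups:[""], Resources:["services"], Verbs:["get"]} '
    'PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["list"]} '
    'PolicyRule{APIGroups:["extensions"], Resources:["ingresses"], Verbs:["watch"]}] '
    'user=&{user@example.com [system:authenticated] map[]} '
    'ownerrules=[PolicyRule{APIGroups:["authorization.k8s.io"], '
    'Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} '
    'PolicyRule{NonResourceURLs:["/api" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]'
)
# What the built-in cluster-admin ClusterRole grants on resources: everything.
CLUSTER_ADMIN = {'APIGroups': {'*'}, 'Resources': {'*'}, 'Verbs': {'*'}}

def parse_rules(text):
    """Parse 'PolicyRule{Field:["a" "b"], ...}' text into a list of {field: set} dicts."""
    return [{name: set(re.findall(r'"([^"]*)"', vals))
             for name, vals in re.findall(r'(\w+):\[(.*?)\]', body)}
            for body in re.findall(r'PolicyRule\{(.*?)\}', text)]

def split_error(err):
    """Return (rules the request tried to grant, rules the caller holds)."""
    tail = err.partition('attempt to grant extra privileges:')[2]
    wanted, _, rest = tail.partition(' user=')
    held = rest.partition('ownerrules=')[2].partition(' ruleResolutionErrors')[0]
    return parse_rules(wanted), parse_rules(held)

def covers(held, group, resource, verb):
    """True if one held rule grants verb on group/resource; '*' matches anything."""
    def has(rule, field, value):
        vals = rule.get(field, set())
        return '*' in vals or value in vals
    return any(has(r, 'APIGroups', group) and has(r, 'Resources', resource)
               and has(r, 'Verbs', verb) for r in held)

def uncovered(wanted, held):
    """(group, resource, verb) tuples in `wanted` that no held rule covers."""
    return sorted((g, res, v) for r in wanted
                  for g in r.get('APIGroups', ()) for res in r.get('Resources', ())
                  for v in r.get('Verbs', ()) if not covers(held, g, res, v))

if __name__ == '__main__':
    wanted, held = split_error(SAMPLE_ERROR)
    print('missing before binding:', uncovered(wanted, held))
    print('missing with cluster-admin:', uncovered(wanted, held + [CLUSTER_ADMIN]))
```

If the same error persists after creating the binding, the ownerrules section of the new error shows whether the binding actually took effect for the identity the API server sees.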