I have created a service account that has the permissions to create roles and rolebindings, but sadly it gets an error when it tries to create a role. It seems like IAM permissions take precedence? How can that be?
I get this error:
You either need to be cluster-admin or create a service-account that have the permission "Required "container.roles.create" permission."
I could probably solve it by giving the service account cluster-admin, but that is too extensive, as the service account should not have access to everything.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rbac-sync
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-creator
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rbac-sync-role-creator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-creator
subjects:
  - kind: ServiceAccount
    name: rbac-sync
    namespace: default
```
According to the GCP documentation on setting up role-based access control:
Because of the way GKE checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create. An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.
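The quoted documentation describes Kubernetes' privilege-escalation prevention: when a subject creates a Role, the API server requires that the subject already holds every permission the new Role would grant, or that the subject holds the `escalate` verb on `roles` (for Role) or `clusterroles` (for ClusterRole). The following is an added example, not code from the question or from GKE, that models that check on the manifests above so you can see exactly which permissions the `role-creator` ClusterRole is missing. It is a simplified model (wildcards only, no `resourceNames` or `nonResourceURLs`), and it models the upstream Kubernetes RBAC check only; whether GKE's IAM-backed authorizer honours the `escalate` verb the same way is an assumption the page does not confirm. The `NEW_ROLE` rules are a constructed sample of what `rbac-sync` might try to create.

```python
"""Model of the Kubernetes RBAC escalation check applied to Role creation.

Added example, not GKE or project code. Simplified: handles '*' wildcards
only and ignores resourceNames / nonResourceURLs.
"""
from dataclasses import dataclass
from typing import List, Tuple

RBAC_GROUP = "rbac.authorization.k8s.io"
Triple = Tuple[str, str, str]  # (apiGroup, resource, verb)


@dataclass(frozen=True)
class Rule:
    """One entry from a Role/ClusterRole `rules:` list."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


def _matches(held: Tuple[str, ...], wanted: str) -> bool:
    # A held '*' matches anything; otherwise the literal value must be listed.
    return "*" in held or wanted in held


def _covered(triple: Triple, held_rules: List[Rule]) -> bool:
    group, resource, verb = triple
    return any(
        _matches(r.api_groups, group)
        and _matches(r.resources, resource)
        and _matches(r.verbs, verb)
        for r in held_rules
    )


def missing_permissions(held_rules: List[Rule], requested: List[Rule]) -> List[Triple]:
    """Every (group, resource, verb) the new Role grants that the creator lacks."""
    missing = []
    for rule in requested:
        for g in rule.api_groups:
            for res in rule.resources:
                for v in rule.verbs:
                    if not _covered((g, res, v), held_rules):
                        missing.append((g, res, v))
    return missing


def can_create_role(held_rules: List[Rule], requested: List[Rule],
                    kind: str = "Role") -> Tuple[bool, List[Triple]]:
    """Apply the escalation check: allowed if the creator holds `escalate`
    on the target resource, otherwise only if nothing is missing."""
    target = "roles" if kind == "Role" else "clusterroles"
    if _covered((RBAC_GROUP, target, "escalate"), held_rules):
        return True, []
    missing = missing_permissions(held_rules, requested)
    return (not missing), missing


# The role-creator ClusterRole from the question, exactly as bound to rbac-sync.
ROLE_CREATOR = [Rule((RBAC_GROUP,), ("roles", "rolebindings"),
                     ("get", "list", "watch", "create", "update", "patch", "delete"))]

# Constructed sample: a Role rbac-sync might try to create for some workload.
NEW_ROLE = [Rule(("",), ("pods",), ("get", "list"))]

# Narrower alternative to cluster-admin (hypothetical extra rule): the
# `escalate` verb on roles lets the creator grant permissions it does not hold.
ESCALATE_ROLES = Rule((RBAC_GROUP,), ("roles",), ("escalate",))

# What the quoted workaround effectively grants.
CLUSTER_ADMIN = [Rule(("*",), ("*",), ("*",))]


if __name__ == "__main__":
    ok, missing = can_create_role(ROLE_CREATOR, NEW_ROLE)
    print("role-creator alone:", ok, missing)
    print("with escalate:", can_create_role(ROLE_CREATOR + [ESCALATE_ROLES], NEW_ROLE))
    print("cluster-admin:", can_create_role(CLUSTER_ADMIN, NEW_ROLE))
```

Running it shows the failure mode in the question: `role-creator` can manage roles and rolebindings as objects, but the check is about the permissions *inside* the Role being created, so `get`/`list` on pods are reported as missing. Adding `escalate` on `roles` (or the heavier cluster-admin binding from the GKE docs) makes the same creation pass, while `escalate` on `roles` does not help for creating a ClusterRole.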