K
Q

GCP K8s (kubectl) error message (Required "container.leases.get" permission)

4/2/2020

I am getting an error message after running some kubectl commands (GCP command line - gcloud). I have a K8S cluster created in GKE.

Example:

kubectl describe node

gke_k8s_cluster_name Error from server (Forbidden): leases.coordination.k8s.io "gke_k8s_cluster_name" is forbidden: User "MY_SERVICE_ACCOUNT" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "kube-node-lease": Required "container.leases.get" permission.

The point is that "container.leases.get" permission is not listed in IAM (as custom permissions or regular role).

How could I grant that permission to the service account in GCP ?

thanks, Jose

-- José Enrique Hernández
google-cloud-platform
google-iam
google-kubernetes-engine
kubectl
kubernetes

Similar Questions

Terraform kubernetes deployment with pod readinessgates
Update rules and configuration for a Prometheus installation on a Kubernetes cluster that was setup by prometheus-operator helm chart?
Connection refused error in kubernetes cluster
Kubernetes run pod as root

1 Answer

4/5/2020

You may need to grant additional permissions to yourself on GCP IAM and GKE sides, for example:

PROJECT_ID=$(gcloud config get-value core/project)
USER_ID=$(gcloud config get-value core/account)
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=user:${USER_ID} --role=roles/container.admin
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user ${USER_ID}

See also GCP IAM & GKE RBAC integration.

-- Alex Vorona
Source: StackOverflow