Permission errors when installing Rancher on existing Kubernetes cluster

12/13/2020

I am trying to install Rancher on a Kubernetes cluster that is provided to me by a third party. Can someone please help me with these errors that I am seeing? I am not sure if I am being stupid or if there is something weird in the way that the Kubernetes cluster has been set up.

In the Rancher pods I see the following log lines:

2020/12/13 11:06:11 [INFO] Rancher version v2.5.3 (028c6dd04) is starting
2020/12/13 11:06:11 [INFO] Rancher arguments {ACMEDomains:[] AddLocal:true Embedded:false BindHost: HTTPListenPort:80 HTTPSListenPort:443 K8sMode:auto Debug:false Trace:false NoCACerts:true AuditLogPath:/var/log/auditlog/rancher-api-audit.log AuditLogMaxage:10 AuditLogMaxsize:100 AuditLogMaxbackup:10 AuditLevel:0 Agent:false Features:}
2020/12/13 11:06:11 [INFO] Listening on /tmp/log.sock
2020/12/13 11:06:11 [INFO] No access to list CRDs, assuming CRDs are pre-created.
2020/12/13 11:06:11 [ERROR] unable to retrieve feature multi-cluster-management in initialize features: features.management.cattle.io "multi-cluster-management" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature fleet in initialize features: features.management.cattle.io "fleet" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature fleet in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature unsupported-storage-drivers in initialize features: features.management.cattle.io "unsupported-storage-drivers" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature unsupported-storage-drivers in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature istio-virtual-service-ui in initialize features: features.management.cattle.io "istio-virtual-service-ui" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature istio-virtual-service-ui in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature proxy in initialize features: features.management.cattle.io "proxy" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [FATAL] creating CRD store customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:default:rancher" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

I am installing Rancher by templating the Helm chart with the following:

helm template rancher rancher-latest/rancher --namespace cattle-system --set hostname=rancher.my.org --set tls=external

This gives me the YAML below, which I install with kubectl apply -f ...

Ta,

Andrew

---
# Source: rancher/templates/serviceAccount.yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
---
# Source: rancher/templates/clusterRoleBinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
subjects:
- kind: ServiceAccount
  name: rancher
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Source: rancher/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443
    targetPort: 444
    protocol: TCP
    name: https-internal
  selector:
    app: rancher
---
# Source: rancher/templates/deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
spec:
  replicas: 3
  selector:
    matchLabels:
      app: rancher
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: rancher
        release: rancher
    spec:
      serviceAccountName: rancher
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - rancher
              topologyKey: kubernetes.io/hostname
      containers:
      - image: rancher/rancher:v2.5.3
        imagePullPolicy: IfNotPresent
        name: rancher
        ports:
        - containerPort: 80
          protocol: TCP
        args:
        # Public trusted CA - clear ca certs
        - "--no-cacerts"
        - "--http-listen-port=80"
        - "--https-listen-port=443"
        - "--add-local=true"
        env:
        - name: CATTLE_NAMESPACE
          value: cattle-system
        - name: CATTLE_PEER_SERVICE
          value: rancher
        livenessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: 60
          periodSeconds: 30
        readinessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 30
        resources:
          {}
        volumeMounts:
      volumes:
---
# Source: rancher/templates/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
spec:
  rules:
  - host: rancher.my.org  # hostname to access rancher server
    http:
      paths:
      - backend:
          serviceName: rancher
          servicePort: 80
-- Andrew Holway
Tags: kubernetes, rancher

2 Answers

12/14/2020

I've reproduced your issue, and in order to install Rancher you have to install cert-manager or choose another SSL configuration.

You can do it by following the steps from the linked documentation; if you choose to install cert-manager, you simply run:

$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml

$ kubectl create namespace cert-manager

$ helm repo add jetstack https://charts.jetstack.io

$ helm repo update

$ helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.0.4

After that you can deploy the YAMLs shown in your question and Rancher will start up correctly.

$ kubectl get pods -n cattle-system
rancher-65db98499b-hvnmc           1/1     Running     1          3m52s
rancher-65db98499b-pccdt           1/1     Running     0          3m52s
rancher-65db98499b-wbm28           1/1     Running     1          3m52s
rancher-webhook-7bc7ffdf7c-hrd8q   1/1     Running     0          101s
-- kool
Source: StackOverflow

12/15/2020

I got this to work by installing Rancher in the cattle-system namespace, which is where all the CRDs are. I guess it makes sense that the provided ClusterRoleBinding requires the caller to be in the same namespace.

helm template rancher rancher-latest/rancher --namespace cattle-system --set hostname=rancher.my.org --set tls=external > rancher.yaml

kubectl apply -f rancher.yaml -n cattle-system

The documentation is not very clear.

-- Andrew Holway
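The denial lines in the question already name the mismatch: the API server rejects User "system:serviceaccount:default:rancher", while the rendered ClusterRoleBinding binds cluster-admin to the ServiceAccount "rancher" in namespace cattle-system. The ServiceAccount in the template carries no metadata.namespace, so kubectl apply -f without -n creates it in default, and the binding's subject points at an account that does not exist. The script below is an added example, not code from the question, the answers or the Rancher chart: it models what kubectl apply -n does to each object's namespace, checks every ServiceAccount subject of a (Cluster)RoleBinding against the accounts the same manifest creates, and parses an RBAC denial line back into the identity that was actually denied. It assumes a small hand-written reader for the block-style YAML subset that helm template emits (mappings, lists, scalars; no anchors or flow collections), and the manifest excerpt and log line are constructed to mirror the question.

```python
import re

# Added example, not from the question or the Rancher chart: predict, before
# `kubectl apply -n <ns>`, whether a ClusterRoleBinding's ServiceAccount subject
# names the ServiceAccount that the same manifest will actually create.
# Constructed excerpt mirroring the ServiceAccount and ClusterRoleBinding that
# `helm template` produced in the question; the other objects are omitted.
MANIFEST = """\
---
# Source: rancher/templates/serviceAccount.yaml
kind: ServiceAccount
metadata:
  name: rancher
---
kind: ClusterRoleBinding
metadata:
  name: rancher
subjects:
- kind: ServiceAccount
  name: rancher
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
"""
# Constructed log line with the same shape as the FATAL line in the question.
LOG_LINE = ('2020/12/13 11:06:11 [FATAL] creating CRD store customresourcedefinitions.apiextensions.k8s.io '
            'is forbidden: User "system:serviceaccount:default:rancher" cannot list resource '
            '"customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope')
# Kinds that ignore the namespace passed to kubectl apply -n.
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding", "Namespace", "CustomResourceDefinition"}
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<namespace>[^:"]+):(?P<name>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"')

def parse_forbidden(line):
    """Service account, verb and resource from an API-server RBAC denial, else None."""
    m = FORBIDDEN_RE.search(line)
    return m.groupdict() if m else None

def _parse(lines, pos, indent):
    """Minimal block-YAML reader (mappings, lists, scalars) over (indent, text) pairs."""
    if lines[pos][1].startswith("- "):
        items = []
        while pos < len(lines) and lines[pos][0] == indent and lines[pos][1].startswith("- "):
            body = lines[pos][1][2:]
            if ":" not in body:                   # plain scalar item, e.g. - "--no-cacerts"
                items.append(body.strip('"'))
                pos += 1
                continue
            lines[pos] = (indent + 2, body)       # "- key: value" opens a mapping
            item, pos = _parse(lines, pos, indent + 2)
            items.append(item)
        return items, pos
    mapping = {}
    while pos < len(lines) and lines[pos][0] == indent and not lines[pos][1].startswith("- "):
        key, _, value = lines[pos][1].partition(":")
        key, value, pos = key.strip(), value.strip(), pos + 1
        nxt = lines[pos] if pos < len(lines) else None
        if value:
            mapping[key] = value.strip('"')
        elif nxt and (nxt[0] > indent or (nxt[0] == indent and nxt[1].startswith("- "))):
            mapping[key], pos = _parse(lines, pos, nxt[0])
        else:
            mapping[key] = None                   # empty value, e.g. "volumeMounts:"
    return mapping, pos

def load_documents(text):
    """Split a manifest on '---' lines, drop comments, parse each document."""
    docs = []
    for chunk in re.split(r"^---[ \t]*$", text, flags=re.M):
        lines = []
        for raw in chunk.splitlines():
            line = raw.split(" #", 1)[0].rstrip()
            if line.strip() and not line.lstrip().startswith("#"):
                lines.append((len(line) - len(line.lstrip()), line.lstrip()))
        if lines:
            docs.append(_parse(lines, 0, lines[0][0])[0])
    return docs

def effective_namespace(doc, apply_ns):
    """Namespace an object lands in under kubectl apply -n apply_ns; None if cluster-scoped."""
    return (None if doc.get("kind") in CLUSTER_SCOPED
            else (doc.get("metadata") or {}).get("namespace") or apply_ns)

def check_bindings(manifest_text, apply_ns):
    """One finding per (Cluster)RoleBinding ServiceAccount subject that the manifest, applied into apply_ns, does not create."""
    docs = load_documents(manifest_text)
    accounts = {(effective_namespace(d, apply_ns), d["metadata"]["name"])
                for d in docs if d.get("kind") == "ServiceAccount"}
    findings = []
    for d in docs:
        if d.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        for s in d.get("subjects") or []:
            wanted = (s.get("namespace"), s.get("name"))
            if s.get("kind") == "ServiceAccount" and wanted not in accounts:
                findings.append({"binding": d["metadata"]["name"], "subject": "%s:%s" % wanted,
                                 "created": sorted("%s:%s" % a for a in accounts)})
    return findings
```

Run check_bindings(MANIFEST, "default") to reproduce the question's situation (the binding wants cattle-system:rancher, the manifest creates default:rancher) and check_bindings(MANIFEST, "cattle-system") to see the fix from the answer above clear the finding. On a live cluster the same question can be put to the API server directly with kubectl auth can-i list customresourcedefinitions --as=system:serviceaccount:cattle-system:rancher, and the identity to test is always the one printed in the denial, not the one you assumed you created.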