
I've just created a new cluster using Google Container Engine running Kubernetes 1.7.5, with the new RBAC permissions enabled. I've run into a problem allocating permissions for some of my services which led me to the following:

The docs for using container engine with RBAC state that the user must be granted the ability to create authorization roles by running the following command:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]

However, this fails due to lack of permissions (which I would assume are the very same permissions which we are attempting to grant by running the above command).

Error from server (Forbidden): 
User "<user-name>" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope.: 
  "Required \"container.clusterRoleBindings.create\" permission." 
  (post clusterrolebindings.rbac.authorization.k8s.io)

Any help would be much appreciated as this is blocking me from creating the permissions needed by my cluster services.

rmtmckenzie

2 Answers


Janos's answer will work for GKE clusters that have been created with a password, but I'd recommend avoiding using that password wherever possible (or creating your GKE clusters without a password).

Using IAM: To create that ClusterRoleBinding, the caller must have the container.clusterRoleBindings.create permission. Only the OWNER and Kubernetes Engine Admin IAM Roles contain that permission (because it allows modification of access control on your GKE clusters).

So, to allow person@company.com to run that command, they must be granted one of those roles. E.g.:

gcloud projects add-iam-policy-binding $PROJECT \
  --member=user:person@company.com \
  --role=roles/container.admin
Chiranga Alwis
CJ Cullen
From my GCP experience, you not only need this permission (`container.clusterRoleBindings.create`) but also this one `container.clusterRoles.bind`. With this you can create your own custom role and don't need to use the big `Kubernetes Engine Admin` predefined role. Documentation is here: https://cloud.google.com/kubernetes-engine/docs/reference/api-permissions – Arnaud Tournier Nov 21 '18 at 13:36
  • GCP / GKE: I also needed to add a ClusterRoleBinding inside GKE to my user as well to get it working. – sigi Jan 11 '19 at 14:09
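As an added example (not code from the question or either answer), a small Python audit over a constructed project IAM policy in the shape that gcloud projects get-iam-policy prints as JSON: it lists which members hold a role carrying both permissions named above, and reports which of the two a given role lacks. It assumes roles/owner and roles/container.admin grant both, as the answer states; the project name, custom role names and members are made up.

```python
import json

# Permissions the answer and the follow-up comment identify as needed
# to create a ClusterRoleBinding on a GKE cluster through IAM.
REQUIRED = {"container.clusterRoleBindings.create", "container.clusterRoles.bind"}

# Predefined roles the answer says carry that permission
# (roles/container.admin is "Kubernetes Engine Admin"). Assumed to grant both.
PREDEFINED_WITH_PERMISSION = {"roles/owner", "roles/container.admin"}

# Constructed sample: shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:alice@example.com"]},
  {"role": "roles/container.admin",
   "members": ["user:bob@example.com",
               "serviceAccount:ci@example.iam.gserviceaccount.com"]},
  {"role": "roles/container.viewer", "members": ["user:carol@example.com"]},
  {"role": "projects/example/roles/gkeRbacEditor", "members": ["user:dave@example.com"]},
  {"role": "projects/example/roles/halfRole", "members": ["user:eve@example.com"]}
]}
""")

# Constructed sample: custom role definitions (shape of `gcloud iam roles describe`).
# halfRole carries only one of the two permissions, the pitfall the comment describes.
SAMPLE_CUSTOM_ROLES = {
    "projects/example/roles/gkeRbacEditor": {
        "includedPermissions": sorted(REQUIRED)},
    "projects/example/roles/halfRole": {
        "includedPermissions": ["container.clusterRoleBindings.create"]},
}


def missing_permissions(role, custom_roles):
    """Return the subset of REQUIRED that `role` does not grant."""
    if role in PREDEFINED_WITH_PERMISSION:
        return set()
    custom = custom_roles.get(role)
    granted = set(custom.get("includedPermissions", [])) if custom else set()
    return REQUIRED - granted


def members_who_can_bind_cluster_roles(policy, custom_roles):
    """Sorted members holding any role that grants every permission in REQUIRED."""
    found = set()
    for binding in policy.get("bindings", []):
        if not missing_permissions(binding["role"], custom_roles):
            found.update(binding.get("members", []))
    return sorted(found)
```

The audit deliberately treats an unknown role as granting nothing, so a role left out of the custom-role map shows up as missing both permissions rather than silently passing.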

If your kubeconfig was created automatically by gcloud then your user is not the all-powerful admin user - which you are trying to create a binding for.

Use gcloud container clusters describe <clustername> --zone <zone> on the cluster and look for the password field.

Thereafter execute kubectl --username=admin --password=FROMABOVE create clusterrolebinding ...

Janos Lenart
    I also had to update kubectl to the newest version, before (v1.6) even with this solution I was still getting the same error message. Maybe this helps someone else too. – ecem Oct 03 '17 at 11:25
    I get `Error: unknown flag: --username` – Alan Cabrera Dec 13 '18 at 15:34