13

After creating a new GKE cluster, creating a cluster role failed with the following error:

Error from server (Forbidden): error when creating "./role.yaml":
clusterroles.rbac.authorization.k8s.io "secret-reader" is forbidden: 
attempt to grant extra privileges: [PolicyRule{Resources:["secrets"], 
APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], 
APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], 
APIGroups:[""], Verbs:["list"]}] user=&{XXX@gmail.com  
[system:authenticated] map[authenticator:[GKE]]} ownerrules= . 
[PolicyRule{Resources:["selfsubjectaccessreviews" 
"selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs: 
["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" 
"/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" 
"/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] 
ruleResolutionErrors=[]

My account has the following permissions in IAM:

Kubernetes Engine Admin

Kubernetes Engine Cluster Admin

Owner

This is my role.yaml (from the Kubernetes docs):

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

According to the RBAC docs of GCloud, I need to

create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.

So I tried this:

export GCP_USER=$(gcloud config get-value account | head -n 1)
kubectl create clusterrolebinding cluster-admin-binding
--clusterrole=cluster-admin --user=$GCP_USER

which succeeded, but I still get the same error when creating the cluster role.

Any ideas what I might be doing wrong?

Community
  • 1
  • 1
Sebastian Rosch
  • 1,033
  • 1
  • 11
  • 17

4 Answers4

11

According to Google Container Engine docs you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.

Get current google identity

$ gcloud info | grep Account

Account: [myname@example.org]

Grant cluster-admin to your current identity

$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org

Clusterrolebinding "myname-cluster-admin-binding" created

Now you can create your ClusterRole without any problem.

I found the answer in CoreOS FAQ / Troubleshooting check it out for more information.

Manuel Felipe Garcia Rincon
  • 176
  • 1
  • 7
  • 4
    this does not work. I get the error "clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "mail@mydomain.com" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope: Required "container.clusterRoleBindings.create" permission. – rmpt May 13 '19 at 23:39
  • 4
    You need to be granted the `Kubernetes Engine Admin` role in GKE, it's not enough anylonger with only `Editor`. – norrs Aug 01 '19 at 07:56
4

@S.Heutmaker`s comment led me to the solution.

For me, the solution was to create the cluster-admin-binding with the correct casing on the email address. Check the casing in error message or google cloud console IAM

$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=MyName@example.org
RauBan
  • 73
  • 1
  • 6
1

That's the correct solution. Is the GCP_USER obtained the same as the XXX@gmail.com username in the role creation error message?

Jordan Liggitt
  • 16,933
  • 2
  • 56
  • 44
0

If you got the casing right, try to add both googlemail domain variants (i.e. @gmail.com and @googlemail.com). For me gcloud info | grep Account returned <name>@googlemail.com but I had to create a clusterrole binding with <name>@gmail.com for the command to work.

lordvlad
  • 5,200
  • 1
  • 24
  • 44