
I cannot apply this ClusterRole to my admin cluster to add rbac.authorization; I have used the same YAML file without problems for my user cluster.

How do I solve the problem?

Could it be a problem with my kubeconfig file?

ubuntu@anth-mgt-wksadmin:~$ cat cloud-console-reader.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]

ubuntu@anth-mgt-wksadmin:~$ kubectl apply -f cloud-console-reader.yaml --kubeconfig kubeconfig
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "rbac.authorization.k8s.io/v1, Resource=clusterroles", GroupVersionKind: "rbac.authorization.k8s.io/v1, Kind=ClusterRole" Name: "cloud-console-reader", Namespace: ""
from server for: "cloud-console-reader.yaml": clusterroles.rbac.authorization.k8s.io "cloud-console-reader" is forbidden: User "system:node:anth-admin-host1" cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope


ubuntu@anth-mgt-wksadmin:~$ kubectl get nodes --kubeconfig kubeconfig
NAME               STATUS   ROLES                  AGE     VERSION
anth-admin-host1   Ready    control-plane,master   7d4h    v1.20.5-gke.1301
anth-admin-host3   Ready    <none>                 3h50m   v1.20.5-gke.1301
anth-admin-host4   Ready    <none>                 6d7h    v1.20.5-gke.1301
anth-admin-host5   Ready    <none>                 3h48m   v1.20.5-gke.1301

ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info dump --kubeconfig kubeconfig |tail -1
Error from server (Forbidden): events is forbidden: User "system:node:anth-admin-host1" cannot list resource "events" in API group "" in the namespace "kube-system"


2 Answers


Solved the problem.

I have copied the admin.conf file from one admin cluster node to the admin workstation and renamed it to kubeconfig.

root@anth-admin-host1:~# cat /etc/kubernetes/admin.conf
apiVersion: v1
clusters:

all ok now!
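Added here as an example (not code from the question or either answer): a preflight that shows which identity a kubeconfig authenticates as and whether it may manage ClusterRoles, which is what the Forbidden error above is about (User "system:node:anth-admin-host1" is a kubelet credential, restricted by the Node authorizer). It assumes kubectl, base64 and openssl are installed; the script name check-kubeconfig.sh and the KUBECONFIG_TO_CHECK variable are mine.

```shell
#!/usr/bin/env sh
# Added example, not from the question or answers: before applying cluster-scoped
# RBAC, check which identity a kubeconfig actually authenticates as. The asker's
# error names User "system:node:anth-admin-host1", i.e. a kubelet credential that
# the Node authorizer restricts to that node's own objects; admin.conf carries an
# administrative identity instead.

# Print the X.509 subject of the client certificate embedded in a kubeconfig in
# RFC 2253 form (CN=...,O=...). Assumes kubectl, base64 and openssl are on PATH.
kubeconfig_subject() {
  cert=$(kubectl config view --kubeconfig "$1" --minify --raw \
    -o jsonpath='{.users[0].user.client-certificate-data}')
  if [ -z "$cert" ]; then
    echo "no client certificate (token or exec credential)" >&2
    return 1
  fi
  printf '%s' "$cert" | base64 -d | openssl x509 -noout -subject -nameopt RFC2253
}

# Classify a subject line: 0 for a node (kubelet) identity, 1 for anything else.
# Kubelet certs carry CN=system:node:<hostname> and O=system:nodes.
is_node_identity() {
  case "$1" in
    *CN=system:node:*|*O=system:nodes*) return 0 ;;
    *) return 1 ;;
  esac
}

# Preflight the verbs kubectl apply needs on ClusterRoles (get, then create/patch).
can_manage_clusterroles() {
  kubectl auth can-i get clusterroles --kubeconfig "$1" >/dev/null 2>&1 &&
  kubectl auth can-i create clusterroles --kubeconfig "$1" >/dev/null 2>&1
}

# Usage: KUBECONFIG_TO_CHECK=./kubeconfig sh check-kubeconfig.sh
if [ -n "${KUBECONFIG_TO_CHECK:-}" ]; then
  subject=$(kubeconfig_subject "$KUBECONFIG_TO_CHECK") || exit 1
  echo "client cert subject: $subject"
  if is_node_identity "$subject"; then
    echo "kubelet credential: use an admin kubeconfig (e.g. admin.conf) instead"
  fi
  if can_manage_clusterroles "$KUBECONFIG_TO_CHECK"; then
    echo "identity may get and create clusterroles"
  else
    echo "identity cannot manage clusterroles"
  fi
fi
```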


I tried reformatting your YAML file in my environment and noticed that some indentation changes can resolve your errors:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]

Points to be noted:

  1. Clusterrole can also be created in one liner using kubectl:

    kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
    
  2. Make sure that RBAC is enabled.

  3. If RBAC is enabled and the deployment-controller is missing a service account defined in the deployment-controller pod(s), you should be able to easily mitigate this issue by adding this SA and its Roles/Bindings. There are two ways to do it: you can create the binding with a simple one-liner or the YAML way.

    To grant the permissions of the "cluster-admin" ClusterRole to a user named "root":

    kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root
    
  4. A kubeconfig file can be either from a trusted resource or specially crafted. Here are some steps to craft a kubeconfig file. There is also the possibility of merging kubeconfig files.

  • Sorry, but I don't understand how to solve the error: User "system:node:anth-admin-host1" cannot list resource "events" in API group – andrea ciuffoli Aug 08 '21 at 04:45
  • You probably need to bind the dashboard service account to the cluster-admin role. Otherwise, the dashboard service account doesn't have access to the data that would populate the dashboard. [source](https://stackoverflow.com/questions/59605085/pods-is-forbidden-user-systemserviceaccountkubernetes-dashboardadmin-user) – Goli Nikitha Aug 08 '21 at 12:39