创建新的 GKE 集群后,创建集群角色失败并显示以下错误:
Error from server (Forbidden): error when creating "./role.yaml":
clusterroles.rbac.authorization.k8s.io "secret-reader" is forbidden:
attempt to grant extra privileges: [PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["list"]}] user=&{XXX@gmail.com
[system:authenticated] map[authenticator:[GKE]]} ownerrules= .
[PolicyRule{Resources:["selfsubjectaccessreviews"
"selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:
["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis"
"/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json"
"/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}]
ruleResolutionErrors=[]
我的账户在 IAM 中具有以下权限:Kubernetes Engine Admin
Kubernetes Engine Cluster Admin
Owner
这是我的
role.yaml
(来自 Kubernetes docs) :kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
根据RBAC docs of GCloud ,我需要create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.
所以我尝试了 this :
export GCP_USER=$(gcloud config get-value account | head -n 1)
kubectl create clusterrolebinding cluster-admin-binding
--clusterrole=cluster-admin --user=$GCP_USER
成功了,但在创建集群角色时我仍然遇到相同的错误。任何想法我可能做错了什么?
最佳答案
根据 Google Container Engine docs您必须首先创建一个 RoleBinding,它授予您要创建的角色中包含的所有权限。
获取当前的谷歌身份
$ gcloud info | grep Account
Account: [myname@example.org]
将 cluster-admin 授予您当前的身份
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org
Clusterrolebinding "myname-cluster-admin-binding" created
现在您可以毫无问题地创建您的 ClusterRole。
我在 CoreOS 中找到了答案 FAQ / Troubleshooting查看更多信息。
关于kubernetes - 即使我是所有者和管理员,也无法在 GKE 中创建集群角色,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49844783/