Traefik RBAC permission forbidden
ludvi...@gmail.com
Using master version 1.7.8-gke.0 and Node version: 1.7.6 and my role is Owner of the project.
When i'm trying to give permissions to the traefik ingress controller I receive this error:
Error from server (Forbidden):
error when creating "traefik-rbac.yaml":
clusterroles.rbac.authorization.k8s.io "traefik-ingress-controller" is forbidden:
attempt to grant extra privileges:
[PolicyRule{Resources:["pods"], APIGroups:[""],Verbs:["get"]}
PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]}
PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]}
PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]}
PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]}
PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]}
PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]}
PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]}
PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]}
PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]}
PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]}
PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]}
PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]}
PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]}
PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]}]
user=&{mye...@redacted.com [system:authenticated] map[]}
ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"],
APIGroups:["authorization.k8s.io"], Verbs:["create"]}
PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swaggerapi" "/swaggerapi/*" "/version"],
Verbs:["get"]}] ruleResolutionErrors=[]
I have followed along with the guide here and still receive the error:
https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
This is how my yaml file looks like:
# traefik-rbac.yml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
zl...@slb.com
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]
Kiran G
On Friday, January 5, 2018 at 8:27:32 PM UTC, zl...@slb.com wrote:
I had similar problem earlier, and resolved it by grant my user account the ability to create authorization roles with command:kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]
Punit Agrawal
Kiran G
Kiran
Did you create the cluster admin role for yourself? Are you using helm to install this?
On Wednesday, August 1, 2018 at 5:37:57 AM UTC-7, Kiran G wrote:Reply inline.
On Friday, January 5, 2018 at 8:27:32 PM UTC, zl...@slb.com wrote:I had similar problem earlier, and resolved it by grant my user account the ability to create authorization roles with command:kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]
[Kiran] I tried the above and I am still getting the same error. Has anyone found a solution for this?
--
You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscribe@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.