Permission Error while GKE clusterrolebinding for cluster-admin

0 votes

I'm using GCE running Kubernetes with the RBAC permissions enabled. I'm having trouble giving permissions for some of the services. According to the docs, to use the container engine with RBAC state, the user should be able to create authorization roles using the following commands.

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]

But this fails because of lack of permissions:

Error from server (Forbidden): 
User "<user-name>" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope.: 
  "Required \"container.clusterRoleBindings.create\" permission." 
  (post clusterrolebindings.rbac.authorization.k8s.io)

How should I go about doing this?

Sep 3, 2018 in Kubernetes by Damon Salvatore
• 5,510 points
693 views

1 answer to this question.

0 votes

If your kubeconfig was created automatically by gcloud, then your user is not the all-powerful admin user which you are trying to create a binding for.

In case your kubeconfig was created by Google Cloud automatically, then your user is not the admin user you're trying to create a binding for. Run gcloud container clusters describe <clustername> --zone <zone> on your cluster and then look for the password field.

And afterwards execute:

kubectl --username=admin --password=FROMABOVE create clusterrolebinding ...

answered Sep 3, 2018 by ajs3033
• 7,280 points

Error while trying this.

Error: unknown flag: --username

Examples:
  # Create a ClusterRoleBinding for user1, user2, and group1 using the cluster-admin ClusterRole
  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1

Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
      --clusterrole='': ClusterRole this ClusterRoleBinding should reference
      --dry-run=false: If true, only print the object that would be sent, without sending it.
      --generator='clusterrolebinding.rbac.authorization.k8s.io/v1alpha1': The name of the API generator to use.
      --group=[]: Groups to bind to the clusterrole
  -o, --output='': Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.
      --save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
      --serviceaccount=[]: Service accounts to bind to the clusterrole, in the format <namespace>:<name>
      --template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
      --validate=true: If true, use a schema to validate the input before sending it

Usage:
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

unknown flag: --username

Alright, try using --user=username instead of --username=username
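
Once a cluster-admin binding like the one in the question exists, it is worth checking who ends up holding that role. The following is an added example (not code from this thread) that parses the output of kubectl get clusterrolebindings -o json and lists every subject bound to cluster-admin; the sample JSON, binding names and e-mail addresses are constructed for illustration.

```python
import json

# Constructed sample of `kubectl get clusterrolebindings -o json` output
# (binding names and subjects are made up for this example).
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"name": "cluster-admin-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "dev@example.com"}]},
        {"metadata": {"name": "everyone-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "ServiceAccount", "name": "default",
                       "namespace": "kube-system"}]},
        {"metadata": {"name": "viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "ops@example.com"}]},
        {"metadata": {"name": "orphaned"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    ]
})

# Built-in groups that match every authenticated or every anonymous caller.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def cluster_admin_subjects(raw, role="cluster-admin"):
    """Return (binding, kind, name, is_broad) for each subject bound to `role`."""
    findings = []
    for item in json.loads(raw).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # A binding may carry no subjects at all; treat that as empty.
        for subj in item.get("subjects") or []:
            name = subj.get("name", "")
            if subj.get("kind") == "ServiceAccount":
                name = f"{subj.get('namespace', '')}:{name}"
            broad = subj.get("kind") == "Group" and name in BROAD_GROUPS
            findings.append((item["metadata"]["name"], subj.get("kind"), name, broad))
    return findings


if __name__ == "__main__":
    for binding, kind, name, broad in cluster_admin_subjects(SAMPLE):
        flag = "  <-- catch-all group holds cluster-admin" if broad else ""
        print(f"{binding}: {kind} {name}{flag}")
```

To run it against a live cluster, pass the real command output to cluster_admin_subjects() in place of SAMPLE.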
