Permission Error while GKE clusterrolebinding for cluster-admin

0 votes

I'm using GCE running Kubernetes with the RBAC permissions enabled. I'm having trouble giving permissions for some of the services. According to the docs, to use the container engine with RBAC state, the user should be able to create authorization roles using the following commands.

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]

But this fails because of lack of permissions:

Error from server (Forbidden): 
User "<user-name>" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope.: 
  "Required \"container.clusterRoleBindings.create\" permission." 
  (post clusterrolebindings.rbac.authorization.k8s.io)

How should I go about doing this?

Sep 3, 2018 in Kubernetes by Damon Salvatore
• 5,980 points
4,181 views

1 answer to this question.

0 votes

If your kubeconfig was created automatically by gcloud then your user is not the all powerful admin user - which you are trying to create a binding for.

In case your kubeconfig was created by google cloud automatically, then your user is not the admin user you're trying to create a binding for. Run gcloud container clusters describe <clustername> --zone <zone> on your cluster and then look for the password field.

and afterwads execute:

kubectl --username=admin --password=FROMABOVE create clusterrolebinding ...
answered Sep 3, 2018 by ajs3033
• 7,300 points
error while trying this.

Error: unknown flag: --username

Examples:
  # Create a ClusterRoleBinding for user1, user2, and group1 using the cluster-admin ClusterRole
  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1

Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
      --clusterrole='': ClusterRole this ClusterRoleBinding should reference
      --dry-run=false: If true, only print the object that would be sent, without sending it.
      --generator='clusterrolebinding.rbac.authorization.k8s.io/v1alpha1': The name of the API generator to use.
      --group=[]: Groups to bind to the clusterrole
  -o, --output='': Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.
      --save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
      --serviceaccount=[]: Service accounts to bind to the clusterrole, in the format <namespace>:<name>
      --template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
      --validate=true: If true, use a schema to validate the input before sending it

Usage:
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

unknown flag: --username
Alright, try using --user=username instead of --username=username

Related Questions In Kubernetes

0 votes
1 answer
0 votes
1 answer

“403 Insufficient Permission” while creating a Kubernetes Cluster on Google Cloud instance

To run ./cluster/kube-up.sh, you most likely need compute scope ...READ MORE

answered Aug 28, 2018 in Kubernetes by Kalgi
• 52,360 points
1,191 views
0 votes
1 answer

oci runtime error while running kubernetes on rancher cluster

You need to switch Docker to 1.12.x; ...READ MORE

answered Sep 6, 2018 in Kubernetes by Kalgi
• 52,360 points
1,123 views
+1 vote
1 answer
0 votes
3 answers

Error while joining cluster with node

Hi Kalgi after following above steps it ...READ MORE

answered Jan 17, 2019 in Others by anonymous
15,295 views
+4 votes
1 answer

Installing Web UI (Dashboard):kubernetes-dashboard on main Ubuntu 16.04.6 LTS (Xenial Xerus) server

Follow these steps: $ kubeadm reset $ kubeadm init ...READ MORE

answered Apr 12, 2019 in Kubernetes by Kalgi
• 52,360 points

reshown Apr 12, 2019 by Kalgi 6,920 views
0 votes
1 answer

Forcing ssl for Kubernetes Ingress on GKE

https://github.com/kubernetes/ingress-gce#frontend-https If you want to block http, you ...READ MORE

answered Sep 6, 2018 in Kubernetes by ajs3033
• 7,300 points
4,185 views
0 votes
2 answers
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP