Failed to create clusterroles. <> already assigned as the roles of "container engine admin" & "container engine cluster admin"

Error from server (Forbidden): error when creating "prometheus-
operator/prometheus-operator-cluster-role.yaml":
clusterroles.rbac.authorization.k8s.io "prometheus-operator"
is forbidden: attempt to grant extra privileges: [{[create]
[extensions] [thirdpartyresources] [] []} {[*]
[monitoring.coreos.com] [alertmanagers] [] []} {[*]
[monitoring.coreos.com] [prometheuses] [] []} {[*]
[monitoring.coreos.com] [servicemonitors] [] []} {[*]
[apps] [statefulsets] [] []} {[*] [] [configmaps] [] []}
{[*] [] [secrets] [] []} {[list] [] [pods] [] []} {[delete]
[] [pods] [] []} {[get] [] [services] [] []} {[create]
[] [services] [] []} {[update] [] [services] [] []} {[get]
[] [endpoints] [] []} {[create] [] [endpoints] [] []}
{[update] [] [endpoints] [] []} {[list] [] [nodes]
[] []} {[watch] [] [nodes] [] []}]
user=&{<<my_account>>@gmail.com
[system:authenticated] map[]} ownerrules=[{[create]
[authorization.k8s.io] [selfsubjectaccessreviews]
[] []} {[get] [] [] [] [/api /api/* /apis /apis/*
/healthz /swaggerapi /swaggerapi/* /version]}]
ruleResolutionErrors=[]
ccyang2005

2 Answers

I've got the same problem on Google Kubernetes Engine.

According to the answer of enj and the comment of ccyang2005, please find the following snippet which solved my problem :)

Step 1 : Get your identity

gcloud info | grep Account

Will output you something like Account: [myname@example.org]

Step 2 : grant cluster-admin to your current identity

kubectl create clusterrolebinding myname-cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=myname@example.org

Will output something like Clusterrolebinding "myname-cluster-admin-binding" created

After that, you'll be able to create ClusterRoles

alphayax

Based on https://cloud.google.com/container-engine/docs/role-based-access-control#setting_up_role-based_access_control

Because of the way Container Engine checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.

An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.

This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.

So you need to bind your account to a cluster admin role.

monis
  • Thanks. I have fixed this issue by following this article: https://coreos.com/operators/prometheus/docs/latest/troubleshooting.html – ccyang2005 Jun 05 '17 at 13:13
  • In spite of the cluster admin role binding, I get the same error. – NSP Aug 10 '17 at 09:17
  • I am also still getting the error with the binding. =\ – quest Mar 05 '18 at 06:53
  • But if you have the role `roles/owner` you are supposed to have every right, so it should work without adding to yourself a `roles/container.clusterAdmin` or whatever, right? – Sylver Dec 03 '18 at 14:19
  • This no longer works on GKE, even if the service account is `roles/container.clusterAdmin` from IAM. I'm about to drop GKE. – Alexander Kleinhans Mar 09 '19 at 20:48
  • If you are using a service account, the way to make this work is `gcloud iam service-accounts describe service-acc-name` followed by `kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=uniqueid` where uniqueid you can get from the output of the first command. Sorry about the (non-existent) formatting. – talonx May 03 '19 at 10:08
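The procedure both answers describe (find the identity gcloud is using, bind it to cluster-admin, then retry the ClusterRole creation), as an added example that is not from the question, either answer, or the linked GKE documentation. The script below assumes gcloud and kubectl are installed and that kubectl already points at the GKE cluster; the binding name `myname-cluster-admin-binding` and the `GKE_USER` override variable are arbitrary names chosen here. It differs from the answers in two practitioner-oriented ways: the binding is applied from a manifest so re-running it does not fail with AlreadyExists, and `kubectl auth can-i create clusterroles` is run before and after so you can see the apiserver's decision change. It uses the `rbac.authorization.k8s.io/v1` API, which is available on Kubernetes 1.8 and later (the 1.6-era clusters in the question exposed v1beta1). Keep in mind what this does: the "attempt to grant extra privileges" error is the apiserver's escalation check refusing to let an identity create a role stronger than its own, and binding cluster-admin to yourself is a deliberate escalation of that identity, so do it for a named administrator account rather than a shared service account.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Grants the identity that gcloud is using the cluster-admin ClusterRole
# (idempotently) and checks that the apiserver then permits creating
# ClusterRoles. Assumes gcloud and kubectl are installed and that kubectl
# is already pointed at the GKE cluster.
set -eu

# Extract the account e-mail from `gcloud info` output, which contains a
# line such as "Account: [myname@example.org]". Reads stdin so the
# function can be exercised on constructed text without calling gcloud.
account_from_gcloud_info() {
  sed -n 's/^Account: \[\(.*\)]$/\1/p' | head -n 1
}

# Render a ClusterRoleBinding manifest for `kubectl apply`. Applying a
# manifest (instead of `kubectl create clusterrolebinding`) is idempotent:
# re-running the script does not fail with AlreadyExists.
# $1 = binding name, $2 = the user name as the apiserver sees it
binding_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $2
EOF
}

# Report whether the current kubectl identity may create ClusterRoles.
# `kubectl auth can-i` prints "yes"/"no" and exits non-zero on "no".
can_create_clusterroles() {
  kubectl auth can-i create clusterroles 2>/dev/null || true
}

main() {
  # GKE_USER (hypothetical variable name) overrides the gcloud lookup, e.g.
  # for a service account whose apiserver-visible name differs from the
  # gcloud account line.
  user="${GKE_USER:-$(gcloud info | account_from_gcloud_info)}"
  if [ -z "$user" ]; then
    echo "could not determine the active account from gcloud info" >&2
    exit 1
  fi
  echo "identity: $user"
  echo "before binding: can create clusterroles? $(can_create_clusterroles)"
  binding_manifest myname-cluster-admin-binding "$user" | kubectl apply -f -
  echo "after binding:  can create clusterroles? $(can_create_clusterroles)"
}

# Only touch the cluster when explicitly asked: `sh grant-admin.sh --apply`
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it with `--apply`; without the flag it only defines the functions, which is convenient for sourcing them into a shell. If the "before" line already prints `yes` and the ClusterRole creation still fails, the identity kubectl is authenticating as is not the one you bound, which is the situation talonx's comment addresses for service accounts.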