I believe I have followed this guide: https://medium.com/@hobochild/installing-cert-manager-on-a-gcloud-k8s-cluster-d379223f43ff

which has me install the without-rbac version of cert-manager from this repo: https://github.com/jetstack/cert-manager

however, when the cert-manager pod boots up it starts spamming this error:

leaderelection.go:224] error retrieving resource lock cert-manager/cert-manager-controller: configmaps "cert-manager-controller" is forbidden: User "system:serviceaccount:cert-manager:default" cannot get configmaps in the namespace "cert-manager": Unknown user "system:serviceaccount:cert-manager:default"

Hoping someone has some ideas.

dany L
kahsm
  • Did you ever figure this out? – Tyler Jones Aug 29 '18 at 00:11
  • Yes, I did, and it works great. Turns out I needed to set it up with RBAC. Maybe the guide was old. You need to install with RBAC, which is what that error was telling me, just as james said below. – kahsm Oct 31 '18 at 12:37

2 Answers

The errors seem to be coming from RBAC. If you're running this in minikube you can grant the default service account in the cert-manager namespace the proper rights by running:

kubectl create clusterrolebinding cert-manager-cluster-admin --clusterrole=cluster-admin --serviceaccount=cert-manager:default

After creating the role binding, cert-manager should complete its startup.

ctt

You should use the 'with-rbac.yaml' variant if you are installing in GKE, unless you have explicitly disabled RBAC on the GKE cluster!

This should resolve the issues you're seeing here, as by the looks of your error message, you do have RBAC enabled!
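The following is an added example, not code from either answer or from the cert-manager project: it parses the RBAC denial quoted in the question into subject, verb and resource, then emits a `kubectl auth can-i` check and a namespaced Role/RoleBinding limited to that one request, for comparison with the cluster-admin binding in the first answer. The function names and the role name `denied-request-only` are placeholders, and the regex assumes the message format shown in the question.

```python
import re

# RBAC denial format as it appears in the error quoted in the question.
DENIAL = re.compile(
    r'(?P<resource>[\w.-]+) "(?P<name>[^"]+)" is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\w+) (?P=resource) in the namespace "(?P<namespace>[^"]+)"')
SA_USER = re.compile(r'^system:serviceaccount:(?P<ns>[^:]+):(?P<sa>[^:]+)$')

# The log line from the question, embedded so the example runs offline.
SAMPLE = ('leaderelection.go:224] error retrieving resource lock '
          'cert-manager/cert-manager-controller: configmaps "cert-manager-controller" '
          'is forbidden: User "system:serviceaccount:cert-manager:default" cannot get '
          'configmaps in the namespace "cert-manager": Unknown user '
          '"system:serviceaccount:cert-manager:default"')

def parse_denial(line):
    """Return the denied request as a dict, or None if the line is not a denial."""
    m = DENIAL.search(line)
    if not m:
        return None
    d = m.groupdict()
    # A dotted resource such as deployments.apps carries its API group after the dot.
    d["resource"], _, d["group"] = d["resource"].partition(".")
    sa = SA_USER.match(d["user"])
    d["sa_ns"], d["sa_name"] = (sa["ns"], sa["sa"]) if sa else (None, None)
    return d

def can_i_command(d):
    """kubectl command that replays the request while impersonating the subject."""
    res = ".".join(filter(None, (d["resource"], d["group"])))
    return (f'kubectl auth can-i {d["verb"]} {res}/{d["name"]} '
            f'--as={d["user"]} -n {d["namespace"]}')

def scoped_role(d, role="denied-request-only"):  # role name is a placeholder
    """Role and RoleBinding covering only the denied verb on the named object."""
    if d["sa_name"] is None:
        raise ValueError("subject is not a service account")
    meta = f'metadata:\n  name: {role}\n  namespace: {d["namespace"]}\n'
    return (
        f'apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\n{meta}rules:\n'
        f'- apiGroups: ["{d["group"]}"]\n  resources: ["{d["resource"]}"]\n'
        f'  resourceNames: ["{d["name"]}"]\n  verbs: ["{d["verb"]}"]\n---\n'
        f'apiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\n{meta}subjects:\n'
        f'- kind: ServiceAccount\n  name: {d["sa_name"]}\n  namespace: {d["sa_ns"]}\n'
        f'roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: {role}\n')

if __name__ == "__main__":
    req = parse_denial(SAMPLE)
    print(can_i_command(req), scoped_role(req), sep="\n")
```

The generated manifest covers only the single request named in the log line, so it shows how narrow the denied permission is; the with-rbac variant recommended above remains the complete install.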