Creating a ClusterRole as the default compute service account fails with extra privileges error


Problem description

I'm trying to create a new ClusterRole in a Private Cluster which I'm administering from a Jumpbox but keep hitting the "forbidden: attempt to grant extra privileges" error.

I am authenticated with gcloud as the default compute service account and this has the Kubernetes Engine Admin role.

I have created a cluster role binding for the gcloud service account using

kubectl create clusterrolebinding sa-admin-binding --clusterrole=cluster-admin --user=xxxxxxxx-service-account@xxxx.developer.gserviceaccount.com

When I try to create the cluster role, however, I get the following error.

Error from server (Forbidden): error when creating "role.yml": clusterroles.rbac.authorization.k8s.io "pod-viewer" is forbidden: attempt to grant extra privileges: [{[list] [] [pods] [] []}] user=&{115268482330004182284 [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpkbsn........

What I don't understand is why the error comes back with a 'numbered' user account as opposed to the service account I'm authenticated with.

I can add the ClusterRoleBinding to cluster-admin using my own gmail account, authenticate with my own account and then create the new role without problem, but adding the clusterrolebinding for a service account, and authenticating as that service account, doesn't seem to grant the permission to create the role.

Interestingly, I can add the clusterrolebinding using the numbered account in the error above and that also works, but it doesn't help me to script the setup as I don't know what that number is in advance nor where it's coming from.

Recommended answer

Well... I later found that the numbered account was actually the 'uniqueId' of the Service Account in gcloud's IAM console. Not sure why for service accounts it uses that but for user accounts it uses the email address, but here's what I'm now using:

CLUSTER_ADMIN_ID=$(gcloud iam service-accounts describe <my-service-account>@<my-project>.iam.gserviceaccount.com --format="value(uniqueId)")

followed by

kubectl create clusterrolebinding <mybinding>-cluster-admin --clusterrole=cluster-admin --user=$CLUSTER_ADMIN_ID

and this allows the service account to now administer the cluster.
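The two steps from the answer (resolve the service account's uniqueId, then bind it to cluster-admin) as one POSIX shell script, added here as an illustration and not part of the original question or answer. It also shows how to pull the numeric principal straight out of the "attempt to grant extra privileges" error, which is useful when you are not sure which identity the cluster actually saw. The function names, the `--apply` flag and the abbreviated sample error text are my own; the live path assumes `gcloud` and `kubectl` are installed and pointed at the cluster, and the final `kubectl auth can-i --as` check assumes your own identity is allowed to impersonate users (cluster-admin is).

```shell
#!/bin/sh
# Added example (not from the original question or answer): map the numeric
# principal GKE reports for a Google service account to its IAM uniqueId,
# grant it cluster-admin, and verify the grant.

# Extract the numeric principal from a "forbidden: attempt to grant extra
# privileges" error. GKE reports Google service accounts by their IAM
# uniqueId, which is the number that follows "user=&{" in the message.
extract_user_id() {
    printf '%s\n' "$1" | sed -n 's/.*user=&{\([0-9][0-9]*\) .*/\1/p'
}

# Build the kubectl command that binds a principal to cluster-admin.
# Returns the command as text only; nothing is executed here.
binding_command() {
    printf 'kubectl create clusterrolebinding %s --clusterrole=cluster-admin --user=%s\n' "$1" "$2"
}

# Live path (needs gcloud and kubectl against a real cluster; not run unless
# the script is invoked with --apply): look up the uniqueId of the service
# account, create the binding, and confirm via impersonation that the account
# can now create ClusterRoles.
apply_binding() {
    sa_email=$1
    binding_name=${2:-sa-admin-binding}
    sa_id=$(gcloud iam service-accounts describe "$sa_email" --format='value(uniqueId)')
    [ -n "$sa_id" ] || { echo "could not resolve uniqueId for $sa_email" >&2; return 1; }
    kubectl create clusterrolebinding "$binding_name" --clusterrole=cluster-admin --user="$sa_id"
    # Expect "yes" here; impersonating the numeric id needs the impersonate verb.
    kubectl auth can-i create clusterroles --as="$sa_id"
}

# Constructed sample, modelled on the error quoted in the question (the id is
# the one from the question; the trailing assertion map is abbreviated).
SAMPLE_ERROR='Error from server (Forbidden): error when creating "role.yml": clusterroles.rbac.authorization.k8s.io "pod-viewer" is forbidden: attempt to grant extra privileges: [{[list] [] [pods] [] []}] user=&{115268482330004182284 [system:authenticated] map[]}'

if [ "${1:-}" = "--apply" ]; then
    apply_binding "$2" "${3:-}"
else
    id=$(extract_user_id "$SAMPLE_ERROR")
    echo "principal reported in the error: $id"
    binding_command sa-admin-binding "$id"
fi
```

Run it with no arguments to see which principal the sample error names and the binding command that would grant it cluster-admin; run it as `./script.sh --apply <sa-email> [binding-name]` to perform the lookup and binding against a real cluster.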

