Cannot create clusterrolebinding on fresh GKE cluster


Question

I provisioned a managed GKE cluster (Kubernetes version 1.9.4-gke.1) with basic authentication disabled. When I try to create the RBAC configuration (for running my ingress controller) I get the following error: Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "XXX@gmail.com" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope: Required "container.clusterRoleBindings.create" permission.

I found two related questions:

  1. GKE clusterrolebinding for cluster-admin fails with permission error
  2. User "xxx" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope

The first one contains a solution for when basic authentication is enabled for the cluster, which is not my case. The second question does not have an answer.

My user is not the owner of the GCP project but has the editor role in the project. I found that this behavior was observed by others.

Please advise how I can add the missing permission, or otherwise define RBAC, on the GKE cluster when the cluster has basic authentication disabled.

Recommended answer

To create that ClusterRoleBinding, the caller must have the container.clusterRoleBindings.create permission through GCP IAM. Only the OWNER and Kubernetes Admin IAM roles contain that permission (because it allows modification of access control on your GKE clusters).

So, to allow person@company.com to run that command, they must be granted one of those roles. I'd recommend the Kubernetes Admin role:

gcloud projects add-iam-policy-binding $PROJECT --member=user:person@company.com --role=roles/container.admin
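As an added example (not part of the question or answer above), the check below reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns, decides whether a principal already holds one of the two roles the answer names as carrying container.clusterRoleBindings.create, and only then emits the remediation command, so a script does not widen access that is already sufficient. The policy, project name and principals are constructed sample values.

```python
import json

# The two roles the answer identifies as containing
# container.clusterRoleBindings.create. roles/editor is deliberately absent.
ROLES_WITH_CRB_CREATE = {"roles/owner", "roles/container.admin"}

# Constructed sample policy (not a real project): the asking user only holds
# roles/editor, which is exactly the situation described in the question.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "ETAG-PLACEHOLDER",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@company.com"]},
        {"role": "roles/editor", "members": ["user:person@company.com"]},
        {"role": "roles/container.admin",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
})


def roles_for_member(policy_json, member):
    """Return the roles bound unconditionally to `member` (e.g. 'user:x@y.com').
    Bindings carrying a 'condition' are skipped: whether they apply depends on
    the request, so they are not counted as a standing grant."""
    policy = json.loads(policy_json)
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def can_create_clusterrolebinding(policy_json, member):
    """True when the member holds roles/owner or roles/container.admin."""
    return bool(roles_for_member(policy_json, member) & ROLES_WITH_CRB_CREATE)


def remediation(policy_json, project, member):
    """The answer's gcloud command, parameterised; None when nothing is missing."""
    if can_create_clusterrolebinding(policy_json, member):
        return None
    return (f"gcloud projects add-iam-policy-binding {project} "
            f"--member={member} --role=roles/container.admin")


if __name__ == "__main__":
    print(remediation(SAMPLE_POLICY, "my-project", "user:person@company.com"))
```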
