GKE clusterrolebinding for cluster-admin fails with permission error


Problem description

I've just created a new cluster using Google Container Engine running Kubernetes 1.7.5, with the new RBAC permissions enabled. I've run into a problem allocating permissions for some of my services which lead me to the following:

The docs for using container engine with RBAC state that the user must be granted the ability to create authorization roles by running the following command:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]

However, this fails due to lack of permissions (which I would assume are the very same permissions which we are attempting to grant by running the above command).

Error from server (Forbidden): 
User "<user-name>" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope.: 
  "Required "container.clusterRoleBindings.create" permission." 
  (post clusterrolebindings.rbac.authorization.k8s.io)

Any help would be much appreciated as this is blocking me from creating the permissions needed by my cluster services.

Recommended answer

Janos's answer will work for GKE clusters that have been created with a password, but I'd recommend avoiding using that password wherever possible (or creating your GKE clusters without a password).

Using IAM: To create that ClusterRoleBinding, the caller must have the container.clusterRoleBindings.create permission. Only the OWNER and Kubernetes Engine Admin IAM Roles contain that permission (because it allows modification of access control on your GKE clusters).

So, to allow person@company.com to run that command, they must be granted one of those roles. E.g.:

gcloud projects add-iam-policy-binding $PROJECT \
  --member=user:person@company.com \
  --role=roles/container.admin
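As an added example (not part of the original question or answer), the following shell script wraps the answer's two steps, the IAM grant and the ClusterRoleBinding, in one place, with input validation and a preflight `kubectl auth can-i` check that reports the authorizer's decision without attempting the write. The project id `my-project`, the user `alice@example.com` and the `DRY_RUN` switch are placeholders and conventions assumed here, not values from the page; with `DRY_RUN=1` the script prints the commands instead of executing them, so it can be reviewed without gcloud or kubectl credentials.

```shell
#!/bin/sh
# Added example: grant the IAM role the answer names, then create the
# cluster-admin binding for one named user. Placeholder values only.
set -e

# Execute a command, or just print it when DRY_RUN=1 (assumed convention).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Reject obviously malformed inputs before they reach IAM or RBAC:
# a typo here would hand cluster-admin to the wrong principal.
validate_inputs() {
  case "$1" in
    *@*.*) ;;
    *) echo "invalid user email: $1" >&2; return 1 ;;
  esac
  case "$2" in
    [a-z]*) ;;
    *) echo "invalid project id: $2" >&2; return 1 ;;
  esac
}

# Step 1 (IAM): the caller needs container.clusterRoleBindings.create.
# roles/container.admin is the narrower of the two roles the answer lists;
# Owner carries far more than GKE access control.
grant_gke_admin() {
  local project="$1" user="$2"
  run gcloud projects add-iam-policy-binding "$project" \
    --member="user:$user" --role=roles/container.admin
}

# Preflight: ask the API server whether the current identity may create
# ClusterRoleBindings. This yields the same verdict as the Forbidden error
# in the question, but without attempting the change.
can_create_binding() {
  run kubectl auth can-i create clusterrolebindings.rbac.authorization.k8s.io
}

# Step 2 (RBAC): bind cluster-admin to exactly one named user, never to a
# broad group such as system:authenticated.
bind_cluster_admin() {
  local user="$1"
  run kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin --user="$user"
}

main() {
  validate_inputs "$2" "$1"
  grant_gke_admin "$1" "$2"
  can_create_binding
  bind_cluster_admin "$2"
}

# Usage: sh gke-admin-binding.sh <project-id> <user-email>
if [ $# -ge 2 ]; then main "$@"; fi
```

Preview first with `DRY_RUN=1 sh gke-admin-binding.sh my-project alice@example.com`, then run it for real with an identity that already holds Owner or Kubernetes Engine Admin on the project. The binding is deliberately scoped to a single user principal; widening `--user` to a group makes every member a cluster admin, which is exactly the kind of change the `container.clusterRoleBindings.create` permission is meant to gate.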

