Unable to create kubeip-sa ClusterRole in GKE
nccurry opened this issue
I am unable to create the following YAML definition in GKE:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubeip-sa
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch","patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","list","watch"]
```
I am seeing the following error with `kubectl apply -f test.yml`:

```
Error from server (Forbidden): error when creating "test.yml": clusterroles.rbac.authorization.k8s.io "kubeip-sa" is forbidden: attempt to grant extra privileges: [{[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []} {[patch] [] [nodes] [] []} {[get] [] [pods] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []}] user=&{108986779098263313539 [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpkfdwSx+bWxo/aF+P5w9CGBq35lpuQHLrR6UoSqiHrAfH+K9HscFiH+0lA2EHESVwnigsnTJt6n3dC5xZSzO51HzAZTxIneD23JR7FOoLiT2cdi5EIyBNdaT7zX/kqBkLiYRTnQYa5NKFARsyVPk9Ql2GyOwv38udtfDoWky0JXIsFsS1Soqsiu/bwlFWwrL0jDpYK1gs5hVPYRat+ncQjZIkjy0OXntqXyQg==]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
```
The service account I am using for this has already been granted cluster-admin:

```
$ gcloud config list --format 'value(core.account)'
terraform@project.iam.gserviceaccount.com
$ kubectl describe clusterrolebinding terraform-cluster-admin-binding
Name:         terraform-cluster-admin-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind  Name                                       Namespace
  ----  ----                                       ---------
  User  terraform@project.iam.gserviceaccount.com
```
I am not sure whether this is an issue with GKE RBAC or with the specific permissions in the ClusterRole.
Clearing out my ~/.kube directory seems to have solved the issue.
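The Forbidden error in the issue is produced by the RBAC escalation-prevention check: a caller may only create a Role or ClusterRole whose rules are already covered by rules the caller holds. The following is an added example, not code from the issue or from kubeip, that models that check in simplified form; the rule sets are constructed from the issue text (the `ownerrules` reported for the caller, which are only system:authenticated discovery rules, with nonResourceURLs omitted, versus the wildcard rules of cluster-admin).

```python
# Added example, not code from the issue or from kubeip: a simplified model of
# the RBAC escalation-prevention check behind "attempt to grant extra
# privileges". The apiserver creates a Role/ClusterRole only if every rule in
# it is already covered by rules the caller holds (or the caller has the
# `escalate` verb). Only verbs/apiGroups/resources are modelled here.

# The rules of the kubeip-sa ClusterRole from the issue.
KUBEIP_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
]

# The ownerrules the error reports for the caller (constructed from the error
# text): only system:authenticated discovery permissions, not cluster-admin.
AUTHENTICATED_ONLY_RULES = [
    {"apiGroups": ["authorization.k8s.io"], "verbs": ["create"],
     "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]},
    {"apiGroups": [], "resources": [], "verbs": ["get"]},  # nonResourceURL rule
]

# What the caller would hold if the cluster-admin binding actually applied.
CLUSTER_ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]


def _matches(allowed, value):
    """A rule field covers a value if it lists it or contains the wildcard."""
    return "*" in allowed or value in allowed


def _covers(owner_rule, verb, group, resource):
    return (_matches(owner_rule["verbs"], verb)
            and _matches(owner_rule["apiGroups"], group)
            and _matches(owner_rule["resources"], resource))


def uncovered_rules(requested, owner):
    """(verb, apiGroup, resource) triples in `requested` that no owner rule covers.

    One entry per verb per resource, like the list in the Forbidden error.
    """
    missing = []
    for rule in requested:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    if not any(_covers(o, verb, group, resource) for o in owner):
                        missing.append((verb, group, resource))
    return missing


if __name__ == "__main__":
    for name, owner in (("authenticated-only", AUTHENTICATED_ONLY_RULES),
                        ("cluster-admin", CLUSTER_ADMIN_RULES)):
        print(name, "cannot grant:", uncovered_rules(KUBEIP_RULES, owner))
```

With the rules the apiserver actually resolved for the caller, all seven (verb, resource) pairs are uncovered, matching the list in the error; with cluster-admin's wildcards nothing is uncovered, which is why the fix was to get kubectl to authenticate as the identity the cluster-admin binding names rather than to change the ClusterRole.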