Levelling up your geek-fu
kubernetes gke

Workaround blocked attempt to grant extra privileges on GKE due to RBAC

by funkypenguin 1 min read

While attempting to deploy an awesome set-it-and-forget-it volume snapshot solution for my GKE cryptocurrency mining pool empire, I stumbled across the following error when trying to create the necessary RBAC ClusterRoleBinding:

$ kubectl apply -f rbac.yaml
serviceaccount "k8s-snapshots" unchanged
clusterrolebinding.rbac.authorization.k8s.io "k8s-snapshots" configured
Error from server (Forbidden): error when creating "rbac.yaml": clusterroles.rbac.authorization.k8s.io "k8s-snapshots" is forbidden: attempt to grant extra privileges: <blah blah blah>

Being largely unfamiliar with RBAC, I spent some time reading the docs, only to come to the conclusion that the supplied rbac.yml file was, in fact, correct.

So why was kubectl erroring on the creation of the ClusterRoleBinding?

I found the answer here - according to Google Container Engine docs:

Because of the way Container Engine checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.

An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.

This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.

So in order to proceed without error, cluster-admin role should be added to current executing user, eg:

kubectl create clusterrolebinding your-user-cluster-admin-binding --clusterrole=cluster-admin [email protected]

So after I gave my own user the cluster-admin clusterrole…

$ kubectl create clusterrolebinding your-user-cluster-admin-binding --clusterrole=cluster-admin [email protected]
clusterrolebinding.rbac.authorization.k8s.io "your-user-cluster-admin-binding" created

.. I was then able to successfully create the clusterrolebinding to give the k8s-snapshots service account the necessary ClusterRoles to perform its automated snapshots:

$ kubectl apply -f rbac.yaml
serviceaccount "k8s-snapshots" unchanged
clusterrole.rbac.authorization.k8s.io "k8s-snapshots" created
clusterrolebinding.rbac.authorization.k8s.io "k8s-snapshots" configured
The link has been copied!
You’ve successfully subscribed to πŸ§‘β€πŸ’» Funky Penguin
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.