Error from server (Forbidden): error when creating ...: clusterroles.rbac.authorization.k8s.io ...: attempt to grant extra privileges:

ccy*_*005 20 kubernetes google-kubernetes-engine prometheus

Unable to create the cluster. <> has already been assigned the roles "Container Engine Admin" and "Container Engine Cluster Admin".

Error from server (Forbidden): error when creating "prometheus-
operator/prometheus-operator-cluster-role.yaml":
clusterroles.rbac.authorization.k8s.io "prometheus-operator"
is forbidden: attempt to grant extra privileges: [{[create]
[extensions] [thirdpartyresources] [] []} {[*]
[monitoring.coreos.com] [alertmanagers] [] []} {[*]
[monitoring.coreos.com] [prometheuses] [] []} {[*]
[monitoring.coreos.com] [servicemonitors] [] []} {[*]
[apps] [statefulsets] [] []} {[*] [] [configmaps] [] []}
{[*] [] [secrets] [] []} {[list] [] [pods] [] []} {[delete]
[] [pods] [] []} {[get] [] [services] [] []} {[create]
[] [services] [] []} {[update] [] [services] [] []} {[get]
[] [endpoints] [] []} {[create] [] [endpoints] [] []}
{[update] [] [endpoints] [] []} {[list] [] [nodes]
[] []} {[watch] [] [nodes] [] []}]
user=&{<<my_account>>@gmail.com
[system:authenticated] map[]} ownerrules=[{[create]
[authorization.k8s.io] [selfsubjectaccessreviews]
[] []} {[get] [] [] [] [/api /api/* /apis /apis/*
/healthz /swaggerapi /swaggerapi/* /version]}]
ruleResolutionErrors=[]

alp*_*yax 44

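I ran into the same problem on Google Kubernetes Engine.

Following the answer from ENJ and the comment from ccyang2005, please find below the snippet that solved my problem :)

Step 1: Get your identity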

gcloud info | grep Account

Will output something like Account: [myname@example.org]

Step 2: Grant cluster-admin to your current identity

kubectl create clusterrolebinding myname-cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=myname@example.org

Will output something like Clusterrolebinding "myname-cluster-admin-binding" created

After that, you will be able to create ClusterRoles

  • The user needs to have the Owner permission in IAM (2 upvotes)

小智 12

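Based on https://cloud.google.com/container-engine/docs/role-based-access-control#setting_up_role-based_access_control

Because of the way Container Engine checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.

An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.

This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.

So you need to bind your account to the cluster-admin role.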

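  • Korean Social Association. I have already solved this problem with the following article: https://coreos.com/operators/prometheus/docs/latest/troubleshooting.html (3 upvotes)
  • Despite the cluster-admin role binding, I get the same error. (2 upvotes)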
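
The permission check described in the answer above, as an added example that is not part of the original thread: it parses a "attempt to grant extra privileges" message and lists the requested rules that the caller's `ownerrules` do not cover. This is a simplified model of the RBAC escalation check (it ignores resourceNames and non-resource URLs); the function names and the shortened sample message are constructed for illustration.

```python
import re

# Constructed sample, shortened from the Forbidden error quoted in the question.
SAMPLE = ('attempt to grant extra privileges: '
          '[{[create] [extensions] [thirdpartyresources] [] []} '
          '{[*] [] [secrets] [] []} {[list] [] [pods] [] []}] '
          'user=&{someone@example.org [system:authenticated] map[]} '
          'ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} '
          '{[get] [] [] [] [/api /api/* /version]}] ruleResolutionErrors=[]')

# One rule prints as {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
RULE = re.compile(r'\{\[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\]\}')
# What a cluster-admin binding contributes to the caller's rules.
CLUSTER_ADMIN = {"verbs": {"*"}, "groups": {"*"}, "resources": {"*"}}

def parse_rules(text):
    """Turn the printed rule tuples into dicts of sets."""
    rules = []
    for verbs, groups, resources, _names, _urls in RULE.findall(text):
        rules.append({
            "verbs": set(verbs.split()),
            "groups": set(groups.split()) or {""},  # "[]" is the core API group
            "resources": set(resources.split()),    # empty for non-resource rules
        })
    return rules

def split_error(msg):
    """Return (requested_rules, owner_rules) from the error message."""
    requested, rest = msg.split("user=", 1)
    owned = rest.split("ownerrules=", 1)[1].split("ruleResolutionErrors", 1)[0]
    return parse_rules(requested), parse_rules(owned)

def covers(allowed, value):
    return "*" in allowed or value in allowed

def uncovered(requested, owned):
    """List every (verb, group, resource) the caller asks to grant but does not hold."""
    missing = []
    for r in requested:
        for v in sorted(r["verbs"]):
            for g in sorted(r["groups"]):
                for res in sorted(r["resources"]):
                    if not any(covers(o["verbs"], v) and covers(o["groups"], g)
                               and covers(o["resources"], res) for o in owned):
                        missing.append((v, g, res))
    return missing

if __name__ == "__main__":
    req, own = split_error(SAMPLE)
    print("before binding:", uncovered(req, own))
    print("after cluster-admin binding:", uncovered(req, own + [CLUSTER_ADMIN]))
```

Binding cluster-admin makes the list empty, which is why the workaround succeeds; it also gives that identity unrestricted access to the cluster, so the binding is worth reviewing once the ClusterRoles exist.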