Document GKE cluster RBAC setup #564

Closed
tamalsaha opened this issue Oct 4, 2017 · 4 comments


@tamalsaha
Member

commented Oct 4, 2017

  • RBAC
  • Failed to open Firewall
$ kubectl describe ingress.voyager.appscode.com -n connexi api
voyager operator        Warning        FirewallUpdateFailed    Failed to ensure firewall, googleapi: Error 403: Required 'compute.instances.list' permission for 'projects/projectname', forbidden
@tamalsaha tamalsaha added the bug label Oct 4, 2017
@leonth


commented Oct 4, 2017

We fixed this by:

  • finding the service account associated with the GCE instance created by GKE
  • adding the role "Compute Admin" to that service account
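
Added example, not part of the thread or of the Voyager project: a shell sketch that reads the FirewallUpdateFailed event text shown in the issue, extracts the permission and project the 403 names, and prints gcloud commands for a custom role limited to that permission, as a narrower alternative to a broad predefined role. The service account e-mail and the role id `voyagerFirewall` are hypothetical placeholders, and the sample events are constructed from the line quoted in the issue.

```bash
#!/usr/bin/env bash
# Added example: derive a least-privilege IAM grant from the 403 in the events.

# Constructed sample of `kubectl describe` event output, modelled on the issue.
SAMPLE_EVENTS="voyager operator  Warning  FirewallUpdateFailed  Failed to ensure firewall, googleapi: Error 403: Required 'compute.instances.list' permission for 'projects/projectname', forbidden
voyager operator  Normal  ServiceEnsured  constructed unrelated event"

# Read event text on stdin; print one "permission project" pair per distinct 403.
missing_permissions() {
  sed -n "s/.*Error 403: Required '\([A-Za-z0-9._]*\)' permission for 'projects\/\([^']*\)'.*/\1 \2/p" | sort -u
}

# Read event text on stdin; print (never run) the gcloud commands that create a
# custom role holding only the missing permissions and bind it to one account.
#   $1 = service account e-mail (placeholder), $2 = custom role id (placeholder)
# Only the first project seen is handled. Each 403 names just the permission
# that failed, so new events may show further permissions after the grant.
suggest_grant() {
  local sa="$1" role="$2" found project perms
  found="$(missing_permissions)"
  [ -n "$found" ] || { echo "no 403 permission errors found" >&2; return 1; }
  project="$(printf '%s\n' "$found" | awk 'NR==1 {print $2}')"
  perms="$(printf '%s\n' "$found" | awk -v p="$project" '$2==p {print $1}' | paste -sd, -)"
  printf 'gcloud iam roles create %s --project=%s --permissions=%s\n' \
    "$role" "$project" "$perms"
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=projects/%s/roles/%s\n' \
    "$project" "$sa" "$project" "$role"
}

# Demo on the constructed sample; review the printed commands before running them.
printf '%s\n' "$SAMPLE_EVENTS" | suggest_grant "NODE_SA_EMAIL_PLACEHOLDER" "voyagerFirewall"
```

In practice the input would be the output of the `kubectl describe` command from the issue, piped into `suggest_grant`.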
@tamalsaha

Member Author

commented Oct 5, 2017

@leonth, I found https://github.com/jcbsmpsn/gke-rbac-walkthrough which seems to explain how to get RBAC working with S/A roles in GKE.

@tamalsaha tamalsaha added this to the 4.1.0 milestone Oct 12, 2017
@perplexa


commented Oct 26, 2017

It should work after you set either

gcloud config set container/use_client_certificate true

or

export CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=true

and then fetch your cluster's credentials again with gcloud container clusters get-credentials before applying the RBAC manifests.

@tamalsaha tamalsaha changed the title GKE cluster issues Document GKE cluster RBAC setup Nov 16, 2017
@tamalsaha

Member Author

commented Jan 13, 2018

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=google-email-addr

https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control?hl=en_US
