manifest fails on Azure ("attempt to grant extra privileges") #17

Closed
Globegitter opened this issue Jun 20, 2017 · 3 comments

Comments

@Globegitter

After fixing the error mentioned in #16 I get the following error:

```
Error from server (Forbidden): error when creating "controller.yaml": roles.rbac.authorization.k8s.io "sealed-secrets-key-admin" is forbidden: attempt to grant extra privileges: [{[get] [] [secrets] [sealed-secrets-key] []} {[create] [] [secrets] [] []}] user=&{client  [system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "controller.yaml": clusterroles.rbac.authorization.k8s.io "secrets-unsealer" is forbidden: attempt to grant extra privileges: [{[get] [ksonnet.io] [sealedsecrets] [] []} {[list] [ksonnet.io] [sealedsecrets] [] []} {[watch] [ksonnet.io] [sealedsecrets] [] []} {[create] [] [secrets] [] []} {[update] [] [secrets] [] []} {[delete] [] [secrets] [] []}] user=&{client  [system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]
```

I have just created a fresh cluster on Azure, via acs-engine running on k8s 1.6.6 - not quite sure where the issue is.
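
Added example, not part of the original thread or the sealed-secrets project: Kubernetes RBAC refuses to create a Role or ClusterRole that contains permissions the requesting user does not already hold, and the error lists the rules that were not covered. The code below parses the first error line from the report and re-runs a model of that coverage check that ignores non-resource URLs and subresources; the field order inside each `{...}` group (verbs, API groups, resources, resource names, non-resource URLs) is an assumption inferred from the values shown, and all function names are hypothetical.

```python
import re
from collections import namedtuple
from itertools import product

# First error line from the report above, copied verbatim.
SAMPLE = (
    'Error from server (Forbidden): error when creating "controller.yaml": '
    'roles.rbac.authorization.k8s.io "sealed-secrets-key-admin" is forbidden: '
    'attempt to grant extra privileges: [{[get] [] [secrets] [sealed-secrets-key] []} '
    '{[create] [] [secrets] [] []}] user=&{client  [system:authenticated] map[]} '
    'ownerrules=[] ruleResolutionErrors=[]'
)

# api_groups ("",) is the core group (Go prints it as []); resource_names () means any name.
Rule = namedtuple("Rule", "verbs api_groups resources resource_names")

def parse_rules(text):
    """Parse Go-formatted rules such as '{[get] [] [secrets] [name] []}'."""
    rules = []
    for body in re.findall(r"\{(.*?)\}", text):
        fields = [tuple(f.split()) for f in re.findall(r"\[(.*?)\]", body)]
        # Assumed field order; the 5th field (non-resource URLs) is ignored here.
        verbs, groups, resources, names = fields[:4]
        rules.append(Rule(verbs, groups or ("",), resources, names))
    return rules

def parse_error(line):
    """Return (requested_rules, owner_rules) from one escalation error line."""
    m = re.search(r"extra privileges: \[(.*?)\] user=.*?ownerrules=\[(.*?)\] "
                  r"ruleResolutionErrors", line)
    if m is None:
        raise ValueError("not an RBAC escalation error")
    return parse_rules(m.group(1)), parse_rules(m.group(2))

def _allows(held, wanted):
    return "*" in held or wanted in held

def uncovered(requested, owned):
    """Permissions in `requested` that no single rule in `owned` grants."""
    missing = []
    for r in requested:
        for verb, group, res, name in product(
                r.verbs, r.api_groups, r.resources, r.resource_names or ("",)):
            if not any(_allows(o.verbs, verb) and _allows(o.api_groups, group)
                       and _allows(o.resources, res)
                       and (not o.resource_names or name in o.resource_names)
                       for o in owned):
                missing.append((verb, group, res, name))
    return missing
```

With `ownerrules=[]`, as in the report, every requested permission comes back as missing, which matches both the Role and the ClusterRole being rejected.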

@Globegitter
Author

Ah, I think Azure/acs-engine#680 is probably the issue here.

@anguslees
Contributor

Thanks for reporting the issue. I did wonder whether including the RBAC rules by default would cause problems for anyone, and it seems "yes" :(

The easy workaround is to download the controller.yaml and remove all the RBAC rules. Please let me know if https://gist.github.com/anguslees/cd81816ada739258dd493114818753a6 works for you (actually verify that it can create secrets, etc., not just that kubectl create works). If it's useful, I can include this simpler manifest in future releases.

@anguslees changed the title from "Error from server" to 'manifest fails on Azure ("attempt to grant extra privileges")' on Jun 21, 2017
@Globegitter
Author

@anguslees Yeah, including that in future releases would indeed be useful, at least for a while; at some point it would probably be good to push everyone to use RBAC. Anyway, I updated your snippet to 0.3.0 and then ran the commands from the readme and all working. Thanks for posting this so quickly.

anguslees added a commit to anguslees/sealed-secrets that referenced this issue Jun 22, 2017
RBAC doesn't work on Azure atm, and the additional RBAC rules may also
be undesirable in other future situations.

This change adds and publishes a `controller-norbac.yaml` which is the
bare minimum required for controller functionality (TPR and controller
service/deployment).

Fixes bitnami-labs#17