This repository has been archived by the owner on Feb 16, 2019. It is now read-only.

Istio RBAC install failed on RBAC cluster #4

Closed
saturnism opened this issue May 22, 2017 · 9 comments

@saturnism

Running Kubernetes 1.6.2 on GKE

It looks like RBAC is supported:

$ kubectl api-versions | grep rbac
rbac.authorization.k8s.io/v1beta1

Error when applying istio-rbac-beta.yaml:

$ kubectl apply -f install/kubernetes/istio-rbac-beta.yaml
rolebinding "istio-manager-admin-role-binding" configured
rolebinding "istio-ca-role-binding" configured
rolebinding "istio-ingress-admin-role-binding" configured
rolebinding "istio-sidecar-role-binding" configured
Error from server (Forbidden): error when creating "install/kubernetes/istio-rbac-beta.yaml": clusterroles.rbac.authorization.k8s.io "istio-manager" is forbidden: attempt to grant extra privileges: [{[*] [istio.io] [istioconfigs] [] []} {[*] [istio.io] [istioconfigs.istio.io] [] []} {[*] [extensions] [thirdpartyresources] [] []} {[*] [extensions] [thirdpartyresources.extensions] [] []} {[*] [extensions] [ingresses] [] []} {[*] [] [configmaps] [] []} {[*] [] [endpoints] [] []} {[*] [] [pods] [] []} {[*] [] [services] [] []}] user=&{...@gmail.com  [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "install/kubernetes/istio-rbac-beta.yaml": clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden: attempt to grant extra privileges: [{[create] [] [secrets] [] []} {[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[list] [] [secrets] [] []} {[watch] [] [serviceaccounts] [] []} {[list] [] [serviceaccounts] [] []}] user=&{...@gmail.com  [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "install/kubernetes/istio-rbac-beta.yaml": clusterroles.rbac.authorization.k8s.io "istio-sidecar" is forbidden: attempt to grant extra privileges: [{[get] [istio.io] [istioconfigs] [] []} {[watch] [istio.io] [istioconfigs] [] []} {[list] [istio.io] [istioconfigs] [] []} {[get] [extensions] [thirdpartyresources] [] []} {[watch] [extensions] [thirdpartyresources] [] []} {[list] [extensions] [thirdpartyresources] [] []} {[get] [] [configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] [] [configmaps] [] []} {[get] [] [pods] [] []} {[watch] [] [pods] [] []} {[list] [] [pods] [] []} {[get] [] [endpoints] [] []} {[watch] [] [endpoints] [] []} {[list] [] [endpoints] [] []} {[get] [] [services] [] []} {[watch] [] [services] [] []} {[list] [] [services] [] []}] user=&{...@gmail.com  [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version]}] ruleResolutionErrors=[]
@saturnism
Author

Had to use admin user w/ client cert to fetch the credential, then the errors went away :/

CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud container clusters get-credentials ...

@costinm

costinm commented May 24, 2017

Yes, I think this is working as intended, granting permissions requires admin user. We may need to document it better ( or k8s RBAC docs should make it more obvious ).
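The "attempt to grant extra privileges" error in the issue is the API server's RBAC escalation-prevention check: a user may only create a Role or ClusterRole whose rules are all covered by rules the user already holds (via their own bindings), which is why a plain `system:authenticated` GKE user fails and an admin succeeds. The following is an added, simplified re-implementation of that coverage check for illustration; it is not the Istio project's code nor the apiserver's own implementation. The owner rules and the istio-ca rules below are constructed from the error text above, and the cluster-admin rules are the built-in cluster-admin ClusterRole that the binding suggested later in this thread grants:

```python
"""Simplified model of the Kubernetes RBAC escalation check that produces
"attempt to grant extra privileges": every atom (verb, apiGroup, resource) or
(verb, nonResourceURL) of the requested role must be covered by some rule
the requesting user already holds. Added example, not apiserver code."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class PolicyRule:
    verbs: Tuple[str, ...]
    api_groups: Tuple[str, ...] = ()
    resources: Tuple[str, ...] = ()
    resource_names: Tuple[str, ...] = ()
    non_resource_urls: Tuple[str, ...] = ()


def breakdown(rule: PolicyRule) -> List[PolicyRule]:
    """Split a rule into single-verb/single-group/single-resource atoms
    (one per resourceName if any) so each can be tested for coverage."""
    atoms = []
    for verb in rule.verbs:
        for group in rule.api_groups:
            for resource in rule.resources:
                for name in rule.resource_names or (None,):
                    atoms.append(PolicyRule((verb,), (group,), (resource,),
                                            () if name is None else (name,)))
        for url in rule.non_resource_urls:
            atoms.append(PolicyRule((verb,), non_resource_urls=(url,)))
    return atoms


def _covers_resource(owner_resources: Tuple[str, ...], resource: str) -> bool:
    if "*" in owner_resources or resource in owner_resources:
        return True
    # an owner entry like "*/status" covers any "<resource>/status" subresource
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in owner_resources
    return False


def _covers_url(owner_urls: Tuple[str, ...], url: str) -> bool:
    for owner in owner_urls:
        if owner == "*" or owner == url:
            return True
        if owner.endswith("*") and url.startswith(owner[:-1]):  # prefix wildcard
            return True
    return False


def rule_covers(owner: PolicyRule, atom: PolicyRule) -> bool:
    """True if a single owner rule grants the single atom."""
    verb = atom.verbs[0]
    if "*" not in owner.verbs and verb not in owner.verbs:
        return False
    if atom.non_resource_urls:
        return _covers_url(owner.non_resource_urls, atom.non_resource_urls[0])
    group, resource = atom.api_groups[0], atom.resources[0]
    if "*" not in owner.api_groups and group not in owner.api_groups:
        return False
    if not _covers_resource(owner.resources, resource):
        return False
    # an owner rule limited to named objects only covers atoms for one of those names
    if owner.resource_names:
        return bool(atom.resource_names) and atom.resource_names[0] in owner.resource_names
    return True


def extra_privileges(owner_rules: Iterable[PolicyRule],
                     requested_rules: Iterable[PolicyRule]) -> List[PolicyRule]:
    """Atoms of the requested role that no owner rule covers. A non-empty
    result is what the apiserver reports as "attempt to grant extra privileges"."""
    owners = list(owner_rules)
    return [atom for rule in requested_rules for atom in breakdown(rule)
            if not any(rule_covers(o, atom) for o in owners)]


# Constructed from the "ownerrules=" part of the error in this issue: what a
# system:authenticated GKE user held before any extra binding.
AUTHENTICATED_USER_RULES = [
    PolicyRule(("create",), ("authorization.k8s.io",), ("selfsubjectaccessreviews",)),
    PolicyRule(("get",), non_resource_urls=("/api", "/api/*", "/apis", "/apis/*",
                                            "/healthz", "/swaggerapi", "/swaggerapi/*", "/version")),
]
# The istio-ca ClusterRole from the same error, written as two rules (six atoms).
ISTIO_CA_RULES = [
    PolicyRule(("create", "get", "watch", "list"), ("",), ("secrets",)),
    PolicyRule(("watch", "list"), ("",), ("serviceaccounts",)),
]
# The built-in cluster-admin ClusterRole: what the user holds once bound to it.
CLUSTER_ADMIN_RULES = [
    PolicyRule(("*",), ("*",), ("*",)),
    PolicyRule(("*",), non_resource_urls=("*",)),
]

if __name__ == "__main__":
    for who, held in (("system:authenticated user", AUTHENTICATED_USER_RULES),
                      ("cluster-admin", CLUSTER_ADMIN_RULES)):
        missing = extra_privileges(held, ISTIO_CA_RULES)
        print(f"{who}: {'allowed' if not missing else f'forbidden, {len(missing)} extra privileges'}")
```

Running it shows the authenticated user missing all six istio-ca atoms and the cluster-admin user missing none, matching the two outcomes reported in this issue. One caveat not covered by this toy model: newer Kubernetes releases let a user holding the `escalate` verb on `roles`/`clusterroles` create roles beyond their own permissions, so in those versions cluster-admin is not the only way past the check, and granting `escalate` should be treated as equivalent to granting cluster-wide admin.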

@yiakwy

yiakwy commented Jul 30, 2017

@saturnism I encountered the same problem but I don't understand

CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud container clusters get-credentials

It is not a command. What are you talking about?

@andraxylia

This is a gcloud command if you use GKE (Google Container Engine).

There have been many changes in RBAC since then, and it was fixed in the master. I suggest to take the latest istio-rbac-beta.yaml file from the master branch.

@yiakwy

yiakwy commented Jul 30, 2017

@andraxylia I am sure that

CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud container clusters get-credentials

Is NOT a valid gcloud command even if you set

CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True

in a .bashprofile. The syntax is

"gcloud container clusters get-credentials" + some service name.

It was not clear.

@yiakwy

yiakwy commented Jul 30, 2017

Perhaps you might as well set

gcloud beta container clusters get-credentials

instead, after setting CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True.

@saturnism
Author

This needs to be re-opened. It seems like we may have lost it from the doc. Need to add admin user explicitly to the role binding:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=me@email.com

@ZackButcher

Looks like this crept back with our 0.2 docs, we need to go restore this bit of info.
