This repository has been archived by the owner on Aug 26, 2021. It is now read-only.

Unknown user error #225

Open
null-ref-0000 opened this issue Jul 6, 2017 · 9 comments

Comments

@null-ref-0000

E0706 02:04:01.000444 1 reflector.go:201] github.com/jetstack/kube-lego/pkg/kubelego/watch.go:112: Failed to list *v1beta1.Ingress: User "system:serviceaccount:kube-lego:default" cannot list ingresses.extensions at the cluster scope.: "Unknown user "system:serviceaccount:kube-lego:default"" (get ingresses.extensions)

@munnerz
Contributor

munnerz commented Jul 6, 2017

Hey - this looks like your local RBAC rules are set up incorrectly. How have you configured RBAC for your kube-lego instance?

Could you post your RoleBinding, Role, ServiceAccount and kube-lego Deployment spec?

@null-ref-0000
Author

null-ref-0000 commented Jul 6, 2017

No, I haven't configured RBAC for my kube-lego instance. I just followed the GCE example and adapted it to my application.

https://github.com/jetstack/kube-lego/tree/master/examples/gce

Is there a guide for setting up RBAC for kube-lego?

I found this issue, which has an rbac.yaml file:

#99

I also found this merge request that has an rbac.yaml:

bf0dd63

However when I attempt to use them I am getting this error:

kubectl apply -f lego/rbac.yaml
clusterrolebinding "kube-lego" created
Error from server (Forbidden): error when creating "lego/rbac.yaml": clusterroles.rbac.authorization.k8s.io "ingress-secret-admin" is forbidden: attempt to grant extra privileges: [{[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[list] [] [secrets] [] []} {[create] [] [secrets] [] []} {[update] [] [secrets] [] []} {[patch] [] [secrets] [] []} {[get] [] [services] [] []} {[create] [] [services] [] []} {[get] [extensions] [ingresses] [] []} {[watch] [extensions] [ingresses] [] []} {[list] [extensions] [ingresses] [] []} {[create] [extensions] [ingresses] [] []} {[update] [extensions] [ingresses] [] []} {[patch] [extensions] [ingresses] [] []}] user=&{myemail@gmail.com [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version]}] ruleResolutionErrors=[]

Turns out the error I was receiving is a known issue with GKE 1.6. I resolved it by following this article:

get current google identity

$ gcloud info | grep Account
Account: [myname@example.org]

grant cluster-admin to your current identity

$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org
Clusterrolebinding "myname-cluster-admin-binding" created

https://coreos.com/operators/prometheus/docs/latest/troubleshooting.html

@dbsr

dbsr commented Jul 11, 2017

The rbac in the PR mentioned above wasn't sufficient for our setup (we use GCE ingress).
After adding the required permissions for the 'endpoints' resource, which it needed to create a new service, it started working.

If needed, I can make a PR with the required changes?

@null-ref-0000
Author

Can you post what permissions you had to add for the endpoints resource?

@webwurst

@dbsr Could you please add your findings to #99?

@Isaac6702

I have the same problem and I'm following the nginx example. Any idea of how to solve it?

Error from server (Forbidden): error when creating "nginx/rbac.yaml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["patch"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] user=&{AvilaCorporation2016@gmail.com [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "nginx/rbac.yaml": roles.rbac.authorization.k8s.io "nginx-ingress-role" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["ingress-controller-leader-nginx"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["ingress-controller-leader-nginx"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]}] user=&{AvilaCorporation2016@gmail.com [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Invalid): error when creating "nginx/rbac.yaml": ClusterRoleBinding.rbac.authorization.k8s.io "nginx-ingress-clusterrole-nisa-binding" is invalid: subjects[0].namespace: Required value

@camsjams

camsjams commented Mar 27, 2018

To help people late to this party like me:

  1. You may have an outdated K8s configuration if you already had kube-lego working in the past - check out this example and make sure you have all the new RBAC stuff (if you have to add RBAC, make sure you add serviceAccountName to your Deployment if it already existed).

  2. You might need to run the commands that @keanesf added:

     get current google identity

     $ gcloud info | grep Account
     Account: [myname@example.org]

     grant cluster-admin to your current identity

     $ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org
     Clusterrolebinding "myname-cluster-admin-binding" created

Good luck!

@mike-engel

To chime in further, the issue I ran into was case-sensitivity with my email!

Running gcloud info | grep Account returned my email in all lowercase. Trying to add the cluster-admin rolebinding just kept returning the same error over and over again.

But, when I looked at the error @Isaac6702 (and I) were getting, I finally noticed that the first letter of my email was capitalized. When I created the cluster-admin clusterrolebinding with the capitalized email, everything started working again.

Hope this helps folks like me banging their head against the wall!
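
The "attempt to grant extra privileges" messages quoted in this thread and the case-sensitivity trap above can both be checked mechanically. The script below is an added example for this thread, not kube-lego or Kubernetes code: it parses the Forbidden error in either of the two formats seen here (the older `{[get] [] [secrets] [] []}` Go-value style and the newer `PolicyRule{...}` style), summarises which permissions the caller lacks per resource, and reports when the account from `gcloud info` matches the identity in the error only up to letter case. The error texts and the `gcloud info` line embedded in it are constructed samples abridged from the messages quoted above, with a placeholder address; the helper names (`parse_forbidden`, `summarize`, `case_only_mismatch`, `diagnose`) are this example's own.

```python
"""Diagnose Kubernetes RBAC "attempt to grant extra privileges" errors.

Added example for this thread, not kube-lego or Kubernetes code. It parses
the Forbidden message the API server returns when a user creates a
(Cluster)Role holding permissions the user does not have, summarises the
missing permissions per resource, and flags the case-only mismatch between
the gcloud account and the identity in the error. All inputs at the bottom
are constructed samples abridged from messages quoted in the thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One PolicyRule; field order follows the Kubernetes struct."""
    verbs: tuple
    api_groups: tuple
    resources: tuple
    resource_names: tuple = ()
    non_resource_urls: tuple = ()


# Older servers print rules as Go values: {[verbs] [groups] [resources] [names] [urls]}
_OLD_RULE = re.compile(r"\{\[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\]\}")
# Newer servers print PolicyRule{Resources:["x"], APIGroups:[""], Verbs:["get"]}
_NEW_RULE = re.compile(r"PolicyRule\{([^}]*)\}")
_NEW_FIELD = re.compile(r"(\w+):\[([^\]]*)\]")


def _split(inner):
    # Tokens are space separated; the new format quotes them, the old does not.
    return tuple(tok.strip('"') for tok in inner.split())


def parse_rules(text):
    """Extract every PolicyRule from a fragment of the error, in either format."""
    rules = []
    for m in _OLD_RULE.finditer(text):
        rules.append(Rule(*(_split(g) for g in m.groups())))
    for m in _NEW_RULE.finditer(text):
        f = {k: _split(v) for k, v in _NEW_FIELD.findall(m.group(1))}
        rules.append(Rule(f.get("Verbs", ()), f.get("APIGroups", ()), f.get("Resources", ()),
                          f.get("ResourceNames", ()), f.get("NonResourceURLs", ())))
    return rules


def parse_forbidden(err):
    """Return (role, user, missing_rules, owner_rules) for one Forbidden error."""
    role = re.search(r'roles\.rbac\.authorization\.k8s\.io "([^"]+)" is forbidden', err)
    user = re.search(r"user=&\{(\S+) ", err)
    # Rules before "ownerrules=" are the ones the caller may not grant;
    # the ones after are what the caller actually holds.
    missing, _, owned = err.partition("ownerrules=")
    return (role.group(1) if role else None, user.group(1) if user else None,
            parse_rules(missing), parse_rules(owned))


def summarize(rules):
    """Group verbs by "apiGroup/resource" (core group shown as the bare resource)."""
    out = {}
    for r in rules:
        for g in (r.api_groups or ("",)):
            for res in r.resources:
                out.setdefault(f"{g}/{res}" if g else res, set()).update(r.verbs)
    return out


def gcloud_account(gcloud_info_output):
    """Pull the account out of `gcloud info` output, e.g. 'Account: [me@example.org]'."""
    m = re.search(r"Account: \[([^\]]+)\]", gcloud_info_output)
    return m.group(1) if m else None


def case_only_mismatch(account, error_user):
    """True when both name the same mailbox but differ in letter case.

    RBAC compares subject names as exact strings, so a binding created with
    the lowercase gcloud spelling never applies to the capitalised identity
    the API server reports, and the Forbidden error keeps coming back.
    """
    return account != error_user and account.lower() == error_user.lower()


def diagnose(error_text, gcloud_info_output):
    """One report per Forbidden error found in the kubectl output."""
    account = gcloud_account(gcloud_info_output)
    reports = []
    for err in re.split(r"(?=Error from server)", error_text):
        if "attempt to grant extra privileges" not in err:
            continue
        role, user, missing, _owned = parse_forbidden(err)
        reports.append({
            "role": role,
            "user": user,
            "missing": summarize(missing),
            "case_only_mismatch": bool(user and account and case_only_mismatch(account, user)),
            # The thread's workaround, spelled with the identity exactly as the server reports it.
            "fix": f"kubectl create clusterrolebinding my-cluster-admin-binding "
                   f"--clusterrole=cluster-admin --user={user}",
        })
    return reports


# Constructed samples (placeholder address), abridged from the two formats in this thread.
GCLOUD_INFO = "Account: [myname@example.org]\n"
OLD_FORMAT_ERROR = (
    'Error from server (Forbidden): error when creating "lego/rbac.yaml": '
    'clusterroles.rbac.authorization.k8s.io "ingress-secret-admin" is forbidden: '
    'attempt to grant extra privileges: [{[get] [] [secrets] [] []} {[list] [] [secrets] [] []} '
    '{[get] [extensions] [ingresses] [] []} {[list] [extensions] [ingresses] [] []}] '
    'user=&{MyName@example.org [system:authenticated] map[]} '
    'ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} '
    '{[get] [] [] [] [/api /api/* /healthz]}] ruleResolutionErrors=[]'
)
NEW_FORMAT_ERROR = (
    'Error from server (Forbidden): error when creating "nginx/rbac.yaml": '
    'clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: '
    'attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} '
    'PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] '
    'user=&{MyName@example.org [system:authenticated] map[authenticator:[GKE]]} '
    'ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], '
    'Verbs:["create"]}] ruleResolutionErrors=[]'
)

if __name__ == "__main__":
    for rep in diagnose(OLD_FORMAT_ERROR + NEW_FORMAT_ERROR, GCLOUD_INFO):
        print(f"{rep['role']}: caller {rep['user']} lacks")
        for key, verbs in sorted(rep["missing"].items()):
            print(f"  {key}: {sorted(verbs)}")
        if rep["case_only_mismatch"]:
            print("  gcloud account differs from the server's identity only in case")
        print("  " + rep["fix"])
```

Pipe the real `kubectl apply` stderr and `gcloud info` output into `diagnose` in place of the constructed samples. The suggested command reproduces the cluster-admin workaround used in this thread; where the platform lets you create it, a narrower ClusterRole that covers just the listed rules is the lower-privilege way to satisfy the same escalation check.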

@EIrwin

EIrwin commented Feb 11, 2019

For anybody running into this issue, don't overlook @mike-engel's recommendation above; it's hard to catch, but it happened to me as well.
