Istio installation permission issue at GKE when following documentation #2814

Closed
lukas-lansky opened this issue Dec 31, 2018 · 8 comments
Labels
area/networking kind/bug Categorizes issue or PR as related to a bug. kind/doc Something isn't clear kind/question Further information is requested lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@lukas-lansky

lukas-lansky commented Dec 31, 2018

Expected Behavior

Going through https://github.com/knative/docs/blob/master/install/Knative-with-GKE.md should get me a nice new cluster with functional Knative.

Actual Behavior

The Istio installation step results in:

PS C:\Source> kubectl apply --filename https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml
namespace "istio-system" created
configmap "istio-galley-configuration" created
configmap "istio-statsd-prom-bridge" created
configmap "istio-security-custom-resources" created
configmap "istio" created
configmap "istio-sidecar-injector" created
serviceaccount "istio-galley-service-account" created
serviceaccount "istio-egressgateway-service-account" created
serviceaccount "istio-ingressgateway-service-account" created
serviceaccount "istio-mixer-service-account" created
serviceaccount "istio-pilot-service-account" created
serviceaccount "istio-cleanup-secrets-service-account" created
clusterrolebinding.rbac.authorization.k8s.io "istio-cleanup-secrets-istio-system" created
job.batch "istio-cleanup-secrets" created
serviceaccount "istio-citadel-service-account" created
serviceaccount "istio-sidecar-injector-service-account" created
customresourcedefinition.apiextensions.k8s.io "virtualservices.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "destinationrules.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "serviceentries.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "gateways.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "envoyfilters.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "httpapispecbindings.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "httpapispecs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "quotaspecbindings.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "quotaspecs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "rules.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "attributemanifests.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "bypasses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "circonuses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "deniers.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "fluentds.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "kubernetesenvs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "listcheckers.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "memquotas.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "noops.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "opas.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "prometheuses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "rbacs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "redisquotas.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "servicecontrols.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "signalfxs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "solarwindses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "stackdrivers.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "statsds.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "stdios.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "apikeys.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "authorizations.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "checknothings.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "kuberneteses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "listentries.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "logentries.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "edges.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "metrics.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "quotas.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "reportnothings.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "servicecontrolreports.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "tracespans.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "rbacconfigs.rbac.istio.io" created
customresourcedefinition.apiextensions.k8s.io "serviceroles.rbac.istio.io" created
customresourcedefinition.apiextensions.k8s.io "servicerolebindings.rbac.istio.io" created
customresourcedefinition.apiextensions.k8s.io "adapters.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "instances.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "templates.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "handlers.config.istio.io" created
clusterrolebinding.rbac.authorization.k8s.io "istio-galley-admin-role-binding-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-egressgateway-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-ingressgateway-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-mixer-admin-role-binding-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-pilot-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-citadel-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-sidecar-injector-admin-role-binding-istio-system" created
service "istio-galley" created
service "istio-egressgateway" created
service "istio-ingressgateway" created
service "istio-policy" created
service "istio-telemetry" created
service "istio-statsd-prom-bridge" created
deployment.extensions "istio-statsd-prom-bridge" created
service "istio-pilot" created
service "istio-citadel" created
service "istio-sidecar-injector" created
deployment.extensions "istio-galley" created
deployment.extensions "istio-egressgateway" created
deployment.extensions "istio-ingressgateway" created
deployment.extensions "istio-policy" created
deployment.extensions "istio-telemetry" created
deployment.extensions "istio-pilot" created
deployment.extensions "istio-citadel" created
deployment.extensions "istio-sidecar-injector" created
gateway.networking.istio.io "istio-autogenerated-k8s-ingress" created
horizontalpodautoscaler.autoscaling "istio-egressgateway" created
horizontalpodautoscaler.autoscaling "istio-ingressgateway" created
horizontalpodautoscaler.autoscaling "istio-policy" created
horizontalpodautoscaler.autoscaling "istio-telemetry" created
horizontalpodautoscaler.autoscaling "istio-pilot" created
mutatingwebhookconfiguration.admissionregistration.k8s.io "istio-sidecar-injector" created
attributemanifest.config.istio.io "istioproxy" created
attributemanifest.config.istio.io "kubernetes" created
stdio.config.istio.io "handler" created
logentry.config.istio.io "accesslog" created
logentry.config.istio.io "tcpaccesslog" created
rule.config.istio.io "stdio" created
rule.config.istio.io "stdiotcp" created
metric.config.istio.io "requestcount" created
metric.config.istio.io "requestduration" created
metric.config.istio.io "requestsize" created
metric.config.istio.io "responsesize" created
metric.config.istio.io "tcpbytesent" created
metric.config.istio.io "tcpbytereceived" created
prometheus.config.istio.io "handler" created
rule.config.istio.io "promhttp" created
rule.config.istio.io "promtcp" created
kubernetesenv.config.istio.io "handler" created
rule.config.istio.io "kubeattrgenrulerule" created
rule.config.istio.io "tcpkubeattrgenrulerule" created
kubernetes.config.istio.io "attributes" created
destinationrule.networking.istio.io "istio-policy" created
destinationrule.networking.istio.io "istio-telemetry" created
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-cleanup-secrets-istio-system" is forbidden: attempt to grant extra privileges: [{[list] [] [secrets] [] []} {[delete] [] [secrets] [] []}] user=&{
Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL
+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-galley-istio-system" is forbidden: attempt to grant extra privileges: [{[*] [admissionregistration.k8s.io] [validatingwebhookconfigurations] [] []
} {[get] [config.istio.io] [*] [] []} {[list] [config.istio.io] [*] [] []} {[watch] [config.istio.io] [*] [] []} {[get] [*] [deployments] [istio-galley] []} {[get] [*] [endpoints] [istio-galley] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M
2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews]
[] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-egressgateway-istio-system" is forbidden: attempt to grant extra privileges: [{[get] [extensions] [thirdpartyresources] [] []} {[watch] [extension
s] [thirdpartyresources] [] []} {[list] [extensions] [thirdpartyresources] [] []} {[update] [extensions] [thirdpartyresources] [] []} {[get] [extensions] [virtualservices] [] []} {[watch] [extensions] [virtualservices] [] []} {[list] [extensions] [virtualservices] [] []} {[update] [extensions] [virtualservices] [] [
]} {[get] [extensions] [destinationrules] [] []} {[watch] [extensions] [destinationrules] [] []} {[list] [extensions] [destinationrules] [] []} {[update] [extensions] [destinationrules] [] []} {[get] [extensions] [gateways] [] []} {[watch] [extensions] [gateways] [] []} {[list] [extensions] [gateways] [] []} {[updat
e] [extensions] [gateways] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SC
IoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] rul
eResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-ingressgateway-istio-system" is forbidden: attempt to grant extra privileges: [{[get] [extensions] [thirdpartyresources] [] []} {[watch] [extensio
ns] [thirdpartyresources] [] []} {[list] [extensions] [thirdpartyresources] [] []} {[update] [extensions] [thirdpartyresources] [] []} {[get] [extensions] [virtualservices] [] []} {[watch] [extensions] [virtualservices] [] []} {[list] [extensions] [virtualservices] [] []} {[update] [extensions] [virtualservices] []
[]} {[get] [extensions] [destinationrules] [] []} {[watch] [extensions] [destinationrules] [] []} {[list] [extensions] [destinationrules] [] []} {[update] [extensions] [destinationrules] [] []} {[get] [extensions] [gateways] [] []} {[watch] [extensions] [gateways] [] []} {[list] [extensions] [gateways] [] []} {[upda
te] [extensions] [gateways] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2S
CIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ru
leResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-mixer-istio-system" is forbidden: attempt to grant extra privileges: [{[create] [config.istio.io] [*] [] []} {[get] [config.istio.io] [*] [] []} {
[list] [config.istio.io] [*] [] []} {[watch] [config.istio.io] [*] [] []} {[patch] [config.istio.io] [*] [] []} {[get] [rbac.istio.io] [*] [] []} {[list] [rbac.istio.io] [*] [] []} {[watch] [rbac.istio.io] [*] [] []} {[get] [apiextensions.k8s.io] [customresourcedefinitions] [] []} {[list] [apiextensions.k8s.io] [cus
tomresourcedefinitions] [] []} {[watch] [apiextensions.k8s.io] [customresourcedefinitions] [] []} {[get] [] [configmaps] [] []} {[list] [] [configmaps] [] []} {[watch] [] [configmaps] [] []} {[get] [] [endpoints] [] []} {[list] [] [endpoints] [] []} {[watch] [] [endpoints] [] []} {[get] [] [pods] [] []} {[list] [] [
pods] [] []} {[watch] [] [pods] [] []} {[get] [] [services] [] []} {[list] [] [services] [] []} {[watch] [] [services] [] []} {[get] [] [namespaces] [] []} {[list] [] [namespaces] [] []} {[watch] [] [namespaces] [] []} {[get] [] [secrets] [] []} {[list] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[get] [extens
ions] [replicasets] [] []} {[list] [extensions] [replicasets] [] []} {[watch] [extensions] [replicasets] [] []} {[get] [apps] [replicasets] [] []} {[list] [apps] [replicasets] [] []} {[watch] [apps] [replicasets] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM
6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews self
subjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot-istio-system" is forbidden: attempt to grant extra privileges: [{[*] [config.istio.io] [*] [] []} {[get] [rbac.istio.io] [*] [] []} {[watch]
 [rbac.istio.io] [*] [] []} {[list] [rbac.istio.io] [*] [] []} {[*] [networking.istio.io] [*] [] []} {[*] [authentication.istio.io] [*] [] []} {[*] [apiextensions.k8s.io] [customresourcedefinitions] [] []} {[*] [extensions] [thirdpartyresources] [] []} {[*] [extensions] [thirdpartyresources.extensions] [] []} {[*] [
extensions] [ingresses] [] []} {[*] [extensions] [ingresses/status] [] []} {[create] [] [configmaps] [] []} {[get] [] [configmaps] [] []} {[list] [] [configmaps] [] []} {[watch] [] [configmaps] [] []} {[update] [] [configmaps] [] []} {[get] [] [endpoints] [] []} {[list] [] [endpoints] [] []} {[watch] [] [endpoints]
[] []} {[get] [] [pods] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []} {[get] [] [services] [] []} {[list] [] [services] [] []} {[watch] [] [services] [] []} {[get] [] [namespaces] [] []} {[list] [] [namespaces] [] []} {[watch] [] [namespaces] [] []} {[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[wa
tch] [] [nodes] [] []} {[get] [] [secrets] [] []} {[list] [] [secrets] [] []} {[watch] [] [secrets] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiP
cawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.
0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-citadel-istio-system" is forbidden: attempt to grant extra privileges: [{[create] [] [secrets] [] []} {[get] [] [secrets] [] []} {[watch] [] [secr
ets] [] []} {[list] [] [secrets] [] []} {[update] [] [secrets] [] []} {[delete] [] [secrets] [] []} {[get] [] [serviceaccounts] [] []} {[watch] [] [serviceaccounts] [] []} {[list] [] [serviceaccounts] [] []} {[get] [] [services] [] []} {[watch] [] [services] [] []} {[list] [] [services] [] []}] user=&{Lukas.Lansky.4
2@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]}
ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-sidecar-injector-istio-system" is forbidden: attempt to grant extra privileges: [{[get] [*] [configmaps] [] []} {[list] [*] [configmaps] [] []} {[
watch] [*] [configmaps] [] []} {[get] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[list] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[watch] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[patch] [admissionregistration.k8s.io] [mutatingweb
hookconfigurations] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeM
pmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolu
tionErrors=[]

Steps to Reproduce the Problem

  1. gcloud projects create knat-test --set-as-default
  2. gcloud services enable cloudapis.googleapis.com container.googleapis.com containerregistry.googleapis.com
  3. Assign a payment account to the new project, unless I want to get "Project knat-test cannot accept requests to compute.projects.setCommonInstanceMetadata while in an inactive billing state. Billing state may take several minutes to update." in the next step. (Does this need to happen in the GUI, by the way, or is there a command line command for that?)
  4. gcloud container clusters create knat-cluster --zone=europe-west1-b --cluster-version=latest --machine-type=n1-standard-4 --enable-autoscaling --min-nodes=1 --max-nodes=10 --enable-autorepair --scopes=service-control,service-management,compute-rw,storage-ro,cloud-platform,logging-write,monitoring-write,pubsub,datastore --num-nodes=3
  5. kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)
  6. kubectl apply --filename https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml

Additional Info

Hopefully I didn't overlook any step. Thanks!

@knative-prow-robot knative-prow-robot added kind/question Further information is requested kind/bug Categorizes issue or PR as related to a bug. kind/doc Something isn't clear labels Dec 31, 2018
@patmagauran

Just encountered this error. When creating the clusterrolebinding, make sure the user is EXACTLY as it appears in the user field for the error. This fixed it for me.

@Fryuni

Fryuni commented Jan 6, 2019

Just answering the comment on your 3rd step, you can use gcloud beta billing projects link [your_project_id] --billing-account=[billing_account_id]

@lukas-lansky
Author

@RotatingFans Yes, thanks a lot, that was it. gcloud config get-value core/account returns the account in lower case, while clusterrolebinding depends on it being the same case as the original. I can reproduce the original issue with the current documentation for version 0.3.0, but the issue disappears when I replace --user=$(gcloud config get-value core/account) with the proper value manually.

@Fryuni Thanks, that works nicely.

@MarkKropf

There is another way to get the case-sensitive value with the existing configured environment variables.

gcloud projects get-iam-policy $PROJECT | grep 'user:' | cut -d: -f2
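
The case mismatch diagnosed in this thread, as an added example that is not part of the original issue or of any participant's comment: it pulls the authenticated identity out of the `user=&{...}` field of the Forbidden error and compares it with the name used in the ClusterRoleBinding. The function names, the sample error line and the `example.com` address are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread): detect a case-only mismatch
# between a ClusterRoleBinding subject and the identity the API server saw.

# Constructed sample of the RBAC escalation error, shortened to one line.
# The address is a placeholder; the real message also carries an assertion blob.
SAMPLE_ERROR='Error from server (Forbidden): error when creating "istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot-istio-system" is forbidden: attempt to grant extra privileges: [{[get] [] [secrets] [] []}] user=&{Jane.Doe@example.com  [system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]'

# Value a lower-casing lookup would have produced for --user (constructed).
BOUND_SUBJECT='jane.doe@example.com'

# Read error text on stdin, print the name that follows "user=&{".
rbac_error_user() {
  sed -n 's/.*user=&{\([^ ]*\) .*/\1/p' | head -n 1
}

lower() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# RBAC subject names are compared byte for byte, so only an exact match binds.
# Prints: match | case-mismatch | different
compare_subject() {
  local bound="$1" actual="$2"
  if [ "$bound" = "$actual" ]; then
    echo match
  elif [ "$(lower "$bound")" = "$(lower "$actual")" ]; then
    echo case-mismatch
  else
    echo different
  fi
}

# Returns 0 when the subject matches, 1 on any mismatch,
# 2 when the error text has no user= field.
diagnose() {
  local bound="$1" err="$2" actual verdict
  actual="$(printf '%s\n' "$err" | rbac_error_user)"
  [ -n "$actual" ] || { echo "no user= field found in error text"; return 2; }
  verdict="$(compare_subject "$bound" "$actual")"
  case "$verdict" in
    match)
      echo "subject matches the authenticated user; look elsewhere"
      ;;
    case-mismatch)
      echo "case mismatch: binding names '$bound', API server saw '$actual'"
      echo "use --user='$actual' when creating the clusterrolebinding"
      return 1
      ;;
    *)
      echo "binding names '$bound', API server saw '$actual'"
      return 1
      ;;
  esac
}

diagnose "$BOUND_SUBJECT" "$SAMPLE_ERROR" || true
```
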

@knative-housekeeping-robot

Issues go stale after 90 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle stale.
Stale issues rot after an additional 30 days of inactivity and eventually close.
If this issue is safe to close now please do so by adding the comment /close.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/lifecycle stale

@knative-prow-robot knative-prow-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 22, 2019
@knative-housekeeping-robot

Stale issues rot after 30 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.
Rotten issues close after an additional 30 days of inactivity.
If this issue is safe to close now please do so by adding the comment /close.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/lifecycle rotten

@knative-prow-robot knative-prow-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 21, 2020
@knative-housekeeping-robot

Rotten issues close after 30 days of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/close

@knative-prow-robot
Contributor

@knative-housekeeping-robot: Closing this issue.


@dprotaso dprotaso removed this from the Ice Box milestone Oct 6, 2021