Istio installation permission issue at GKE when following documentation #2814

Open
lukas-lansky opened this Issue Dec 31, 2018 · 4 comments

lukas-lansky commented Dec 31, 2018

Expected Behavior

Going through https://github.com/knative/docs/blob/master/install/Knative-with-GKE.md should get me a nice new cluster with functional Knative.

Actual Behavior

The Istio installation step results in:

PS C:\Source> kubectl apply --filename https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml
namespace "istio-system" created
configmap "istio-galley-configuration" created
configmap "istio-statsd-prom-bridge" created
configmap "istio-security-custom-resources" created
configmap "istio" created
configmap "istio-sidecar-injector" created
serviceaccount "istio-galley-service-account" created
serviceaccount "istio-egressgateway-service-account" created
serviceaccount "istio-ingressgateway-service-account" created
serviceaccount "istio-mixer-service-account" created
serviceaccount "istio-pilot-service-account" created
serviceaccount "istio-cleanup-secrets-service-account" created
clusterrolebinding.rbac.authorization.k8s.io "istio-cleanup-secrets-istio-system" created
job.batch "istio-cleanup-secrets" created
serviceaccount "istio-citadel-service-account" created
serviceaccount "istio-sidecar-injector-service-account" created
customresourcedefinition.apiextensions.k8s.io "virtualservices.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "destinationrules.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "serviceentries.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "gateways.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "envoyfilters.networking.istio.io" created
customresourcedefinition.apiextensions.k8s.io "httpapispecbindings.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "httpapispecs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "quotaspecbindings.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "quotaspecs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "rules.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "attributemanifests.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "bypasses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "circonuses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "deniers.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "fluentds.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "kubernetesenvs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "listcheckers.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "memquotas.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "noops.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "opas.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "prometheuses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "rbacs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "redisquotas.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "servicecontrols.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "signalfxs.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "solarwindses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "stackdrivers.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "statsds.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "stdios.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "apikeys.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "authorizations.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "checknothings.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "kuberneteses.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "listentries.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "logentries.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "edges.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "metrics.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "quotas.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "reportnothings.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "servicecontrolreports.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "tracespans.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "rbacconfigs.rbac.istio.io" created
customresourcedefinition.apiextensions.k8s.io "serviceroles.rbac.istio.io" created
customresourcedefinition.apiextensions.k8s.io "servicerolebindings.rbac.istio.io" created
customresourcedefinition.apiextensions.k8s.io "adapters.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "instances.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "templates.config.istio.io" created
customresourcedefinition.apiextensions.k8s.io "handlers.config.istio.io" created
clusterrolebinding.rbac.authorization.k8s.io "istio-galley-admin-role-binding-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-egressgateway-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-ingressgateway-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-mixer-admin-role-binding-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-pilot-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-citadel-istio-system" created
clusterrolebinding.rbac.authorization.k8s.io "istio-sidecar-injector-admin-role-binding-istio-system" created
service "istio-galley" created
service "istio-egressgateway" created
service "istio-ingressgateway" created
service "istio-policy" created
service "istio-telemetry" created
service "istio-statsd-prom-bridge" created
deployment.extensions "istio-statsd-prom-bridge" created
service "istio-pilot" created
service "istio-citadel" created
service "istio-sidecar-injector" created
deployment.extensions "istio-galley" created
deployment.extensions "istio-egressgateway" created
deployment.extensions "istio-ingressgateway" created
deployment.extensions "istio-policy" created
deployment.extensions "istio-telemetry" created
deployment.extensions "istio-pilot" created
deployment.extensions "istio-citadel" created
deployment.extensions "istio-sidecar-injector" created
gateway.networking.istio.io "istio-autogenerated-k8s-ingress" created
horizontalpodautoscaler.autoscaling "istio-egressgateway" created
horizontalpodautoscaler.autoscaling "istio-ingressgateway" created
horizontalpodautoscaler.autoscaling "istio-policy" created
horizontalpodautoscaler.autoscaling "istio-telemetry" created
horizontalpodautoscaler.autoscaling "istio-pilot" created
mutatingwebhookconfiguration.admissionregistration.k8s.io "istio-sidecar-injector" created
attributemanifest.config.istio.io "istioproxy" created
attributemanifest.config.istio.io "kubernetes" created
stdio.config.istio.io "handler" created
logentry.config.istio.io "accesslog" created
logentry.config.istio.io "tcpaccesslog" created
rule.config.istio.io "stdio" created
rule.config.istio.io "stdiotcp" created
metric.config.istio.io "requestcount" created
metric.config.istio.io "requestduration" created
metric.config.istio.io "requestsize" created
metric.config.istio.io "responsesize" created
metric.config.istio.io "tcpbytesent" created
metric.config.istio.io "tcpbytereceived" created
prometheus.config.istio.io "handler" created
rule.config.istio.io "promhttp" created
rule.config.istio.io "promtcp" created
kubernetesenv.config.istio.io "handler" created
rule.config.istio.io "kubeattrgenrulerule" created
rule.config.istio.io "tcpkubeattrgenrulerule" created
kubernetes.config.istio.io "attributes" created
destinationrule.networking.istio.io "istio-policy" created
destinationrule.networking.istio.io "istio-telemetry" created
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-cleanup-secrets-istio-system" is forbidden: attempt to grant extra privileges: [{[list] [] [secrets] [] []} {[delete] [] [secrets] [] []}] user=&{
Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL
+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-galley-istio-system" is forbidden: attempt to grant extra privileges: [{[*] [admissionregistration.k8s.io] [validatingwebhookconfigurations] [] []
} {[get] [config.istio.io] [*] [] []} {[list] [config.istio.io] [*] [] []} {[watch] [config.istio.io] [*] [] []} {[get] [*] [deployments] [istio-galley] []} {[get] [*] [endpoints] [istio-galley] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M
2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews]
[] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-egressgateway-istio-system" is forbidden: attempt to grant extra privileges: [{[get] [extensions] [thirdpartyresources] [] []} {[watch] [extension
s] [thirdpartyresources] [] []} {[list] [extensions] [thirdpartyresources] [] []} {[update] [extensions] [thirdpartyresources] [] []} {[get] [extensions] [virtualservices] [] []} {[watch] [extensions] [virtualservices] [] []} {[list] [extensions] [virtualservices] [] []} {[update] [extensions] [virtualservices] [] [
]} {[get] [extensions] [destinationrules] [] []} {[watch] [extensions] [destinationrules] [] []} {[list] [extensions] [destinationrules] [] []} {[update] [extensions] [destinationrules] [] []} {[get] [extensions] [gateways] [] []} {[watch] [extensions] [gateways] [] []} {[list] [extensions] [gateways] [] []} {[updat
e] [extensions] [gateways] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SC
IoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] rul
eResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-ingressgateway-istio-system" is forbidden: attempt to grant extra privileges: [{[get] [extensions] [thirdpartyresources] [] []} {[watch] [extensio
ns] [thirdpartyresources] [] []} {[list] [extensions] [thirdpartyresources] [] []} {[update] [extensions] [thirdpartyresources] [] []} {[get] [extensions] [virtualservices] [] []} {[watch] [extensions] [virtualservices] [] []} {[list] [extensions] [virtualservices] [] []} {[update] [extensions] [virtualservices] []
[]} {[get] [extensions] [destinationrules] [] []} {[watch] [extensions] [destinationrules] [] []} {[list] [extensions] [destinationrules] [] []} {[update] [extensions] [destinationrules] [] []} {[get] [extensions] [gateways] [] []} {[watch] [extensions] [gateways] [] []} {[list] [extensions] [gateways] [] []} {[upda
te] [extensions] [gateways] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2S
CIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ru
leResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-mixer-istio-system" is forbidden: attempt to grant extra privileges: [{[create] [config.istio.io] [*] [] []} {[get] [config.istio.io] [*] [] []} {
[list] [config.istio.io] [*] [] []} {[watch] [config.istio.io] [*] [] []} {[patch] [config.istio.io] [*] [] []} {[get] [rbac.istio.io] [*] [] []} {[list] [rbac.istio.io] [*] [] []} {[watch] [rbac.istio.io] [*] [] []} {[get] [apiextensions.k8s.io] [customresourcedefinitions] [] []} {[list] [apiextensions.k8s.io] [cus
tomresourcedefinitions] [] []} {[watch] [apiextensions.k8s.io] [customresourcedefinitions] [] []} {[get] [] [configmaps] [] []} {[list] [] [configmaps] [] []} {[watch] [] [configmaps] [] []} {[get] [] [endpoints] [] []} {[list] [] [endpoints] [] []} {[watch] [] [endpoints] [] []} {[get] [] [pods] [] []} {[list] [] [
pods] [] []} {[watch] [] [pods] [] []} {[get] [] [services] [] []} {[list] [] [services] [] []} {[watch] [] [services] [] []} {[get] [] [namespaces] [] []} {[list] [] [namespaces] [] []} {[watch] [] [namespaces] [] []} {[get] [] [secrets] [] []} {[list] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[get] [extens
ions] [replicasets] [] []} {[list] [extensions] [replicasets] [] []} {[watch] [extensions] [replicasets] [] []} {[get] [apps] [replicasets] [] []} {[list] [apps] [replicasets] [] []} {[watch] [apps] [replicasets] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM
6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews self
subjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot-istio-system" is forbidden: attempt to grant extra privileges: [{[*] [config.istio.io] [*] [] []} {[get] [rbac.istio.io] [*] [] []} {[watch]
 [rbac.istio.io] [*] [] []} {[list] [rbac.istio.io] [*] [] []} {[*] [networking.istio.io] [*] [] []} {[*] [authentication.istio.io] [*] [] []} {[*] [apiextensions.k8s.io] [customresourcedefinitions] [] []} {[*] [extensions] [thirdpartyresources] [] []} {[*] [extensions] [thirdpartyresources.extensions] [] []} {[*] [
extensions] [ingresses] [] []} {[*] [extensions] [ingresses/status] [] []} {[create] [] [configmaps] [] []} {[get] [] [configmaps] [] []} {[list] [] [configmaps] [] []} {[watch] [] [configmaps] [] []} {[update] [] [configmaps] [] []} {[get] [] [endpoints] [] []} {[list] [] [endpoints] [] []} {[watch] [] [endpoints]
[] []} {[get] [] [pods] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []} {[get] [] [services] [] []} {[list] [] [services] [] []} {[watch] [] [services] [] []} {[get] [] [namespaces] [] []} {[list] [] [namespaces] [] []} {[watch] [] [namespaces] [] []} {[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[wa
tch] [] [nodes] [] []} {[get] [] [secrets] [] []} {[list] [] [secrets] [] []} {[watch] [] [secrets] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiP
cawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.
0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-citadel-istio-system" is forbidden: attempt to grant extra privileges: [{[create] [] [secrets] [] []} {[get] [] [secrets] [] []} {[watch] [] [secr
ets] [] []} {[list] [] [secrets] [] []} {[update] [] [secrets] [] []} {[delete] [] [secrets] [] []} {[get] [] [serviceaccounts] [] []} {[watch] [] [serviceaccounts] [] []} {[list] [] [serviceaccounts] [] []} {[get] [] [services] [] []} {[watch] [] [services] [] []} {[list] [] [services] [] []}] user=&{Lukas.Lansky.4
2@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeMpmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]}
ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-sidecar-injector-istio-system" is forbidden: attempt to grant extra privileges: [{[get] [*] [configmaps] [] []} {[list] [*] [configmaps] [] []} {[
watch] [*] [configmaps] [] []} {[get] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[list] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[watch] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[patch] [admissionregistration.k8s.io] [mutatingweb
hookconfigurations] [] []}] user=&{Lukas.Lansky.42@gmail.com  [system:authenticated] map[user-assertion.cloud.google.com:[AM6SrXjfbg0HWBBe3AIpt0M2KvU6bP4OjuZYtVfpq/WjPf8rp6mhx4YfrIjyJfSKhTNONx719X+ERhUaheYrvL6EGQA2lFPpECFBTZq3q9dPc2AOaiPcawEvNgdUGn39ws6N2NKwW72KsL0uyDMAQM+qzP12CwwPl/mLqbRATLOtUsjVN8s95n5Wm2SCIoE/ZeM
pmcqqnppHmgrx0kgMuvpedEF2wc88UAOaUL+ARV3pTjA=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolu
tionErrors=[]

Steps to Reproduce the Problem

  1. gcloud projects create knat-test --set-as-default
  2. gcloud services enable cloudapis.googleapis.com container.googleapis.com containerregistry.googleapis.com
  3. Assign payment account to the new project unless I want to get "Project knat-test cannot accept requests to compute.projects.setCommonInstanceMetadata while in an inactive billing state. Billing state may take several minutes to update." in the next step. (Does this need to happen in GUI, by the way, or is there a command line command for that?)
  4. gcloud container clusters create knat-cluster --zone=europe-west1-b --cluster-version=latest --machine-type=n1-standard-4 --enable-autoscaling --min-nodes=1 --max-nodes=10 --enable-autorepair --scopes=service-control,service-management,compute-rw,storage-ro,cloud-platform,logging-write,monitoring-write,pubsub,datastore --num-nodes=3
  5. kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)
  6. kubectl apply --filename https://github.com/knative/serving/releases/download/v0.2.2/istio.yaml

Additional Info

Hopefully I didn't overlook any step. Thanks!

RotatingFans commented Jan 5, 2019

Just encountered this error. When creating the clusterrolebinding, make sure the user is EXACTLY as it appears in the user field for the error. This fixed it for me.

Fryuni commented Jan 6, 2019

Just answering the comment on your 3rd step, you can use `gcloud beta billing projects link [your_project_id] --billing-account=[billing_account_id]`

Author

lukas-lansky commented Jan 11, 2019

@RotatingFans Yes, thanks a lot, that was it. `gcloud config get-value core/account` returns the account in lower case, and clusterrolebinding depends on it being the same case as the original. I can reproduce the original issue with the current documentation for version 0.3.0, but the issue disappears when I replace `--user=$(gcloud config get-value core/account)` with the proper value manually.

@Fryuni Thanks, that works nicely.

Member

MarkKropf commented Jan 24, 2019

There is another way to get the case-sensitive value with the existing configured environment variables.

gcloud projects get-iam-policy $PROJECT | grep 'user:' | cut -d: -f2
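
The case mismatch diagnosed in this thread can be checked mechanically. The script below is an added example, not part of the issue or of the Knative docs: it pulls the authenticated name out of the `user=&{...}` field of a Forbidden error and compares it byte for byte with the value given to `--user`. The function names and the sample account are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare the user in a "Forbidden ... user=&{...}" error with
# the subject given to `kubectl create clusterrolebinding --user=`.
# Function names and the sample account are constructed for illustration.

# Constructed, shortened error in the shape shown in the issue; the
# user-assertion value is replaced by a placeholder.
SAMPLE_ERROR='Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io "istio-pilot-istio-system" is forbidden: attempt to grant extra privileges: [{[get] [] [secrets] [] []}] user=&{Jane.Doe@example.com  [system:authenticated] map[user-assertion.cloud.google.com:[PLACEHOLDER]]} ownerrules=[] ruleResolutionErrors=[]'

# Print the name the API server authenticated: the first token after "user=&{".
user_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*user=&{\([^ ]*\) .*/\1/p' | head -n 1
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Classify a candidate --user value against the authenticated name.
#   match         : identical strings, the binding applies to this user
#   case-mismatch : equal only when case is ignored, the binding does not apply
#   different     : another identity altogether
classify_subject() {
  if [ "$1" = "$2" ]; then
    echo match
  elif [ "$(lower "$1")" = "$(lower "$2")" ]; then
    echo case-mismatch
  else
    echo different
  fi
}

# Explain the result; exit status 0 = match, 1 = mismatch, 2 = no user field.
diagnose() {
  authenticated=$(user_from_error "$1")
  if [ -z "$authenticated" ]; then
    echo "no user=&{...} field found in the error text"
    return 2
  fi
  case $(classify_subject "$authenticated" "$2") in
    match)
      echo "subject '$2' matches the authenticated user"
      return 0 ;;
    case-mismatch)
      echo "subject '$2' differs only in case from '$authenticated'"
      echo "recreate the binding with --user=$authenticated"
      return 1 ;;
    *)
      echo "subject '$2' is not the authenticated user '$authenticated'"
      return 1 ;;
  esac
}

# Demo on the constructed sample. On a real cluster the second argument would
# be the output of: gcloud config get-value core/account
diagnose "$SAMPLE_ERROR" "jane.doe@example.com" || true
```
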
