
Failed when running rbac.yaml by permission denied. #1663

Closed
jeffwji opened this issue Nov 7, 2017 · 18 comments · Fixed by #3242

Comments

@jeffwji

jeffwji commented Nov 7, 2017

Recently I upgraded my k8s to version 1.8 and enabled RBAC (in parallel with ABAC) and encountered difficulty when deploying ingress-nginx. This is the error information:

# kubectl create -f rbac.yaml

serviceaccount "nginx-ingress-serviceaccount" created
rolebinding "nginx-ingress-role-nisa-binding" created
clusterrolebinding "nginx-ingress-clusterrole-nisa-binding" created
Error from server (Forbidden): error when creating "rbac.yaml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["patch"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] user=&{admin 0 [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "rbac.yaml": roles.rbac.authorization.k8s.io "nginx-ingress-role" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["ingress-controller-leader-nginx"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["ingress-controller-leader-nginx"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]}] user=&{admin 0 [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

Not sure how to fix it.

@aledbf
Member

aledbf commented Nov 8, 2017

@jeffwji please share the ABAC rules

@jpiper

jpiper commented Nov 8, 2017

I am also getting this error in my cluster that I haven't enabled RBAC for yet (I want to get all the roles sorted before I turn it on). I haven't even got ABAC enabled, just authentication via user certs.

@aledbf
Member

aledbf commented Nov 8, 2017

@jpiper if you don't have RBAC or ABAC enabled you need to install the ingress controller using https://github.com/kubernetes/ingress-nginx/tree/master/deploy#install-without-rbac-roles

@jpiper

jpiper commented Nov 8, 2017

@aledbf ah, I got it, I had to give myself cluster admin permissions first.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admins
subjects:
- kind: User
  name: piperj
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

@jeffwji
Author

jeffwji commented Nov 8, 2017

I put almost everything I know into ABAC:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "configmaps": "*", "pods": "*", "namespaces": "*", "endpoints": "*" }}

And I have the config that lets me log in as admin.

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/certs/ca.crt
    server: https://eval.cloud.local
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    user: Administrator
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users:
- name: Administrator
  user:
    as-user-extra: {}
    password: "xxxxxxxxxxxxx"
    username: admin

@jeffwji
Author

jeffwji commented Nov 8, 2017

@jpiper Wooo! I also got it after granting admin the cluster-admin role; there is no default value for any user in the system. But why doesn't the ABAC policy work?
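The error that runs through this thread is the RBAC API's escalation-prevention check: a user may only create a Role or ClusterRole whose rules are already a subset of the permissions that user holds, and the check resolves those permissions through RBAC objects only, which is why the ABAC policy above does not help and why a plain user with only the `system:authenticated` discovery rules fails until bound to `cluster-admin` (the check is enforced at the API level, so it also bites when the RBAC authorizer itself is not enabled). The following script is an added example, not Kubernetes or ingress-nginx code: it models that rule-coverage check in simplified form (wildcard, subresource and resourceNames handling are assumptions taken from the RBAC documentation, not copied from the API server) and runs it over rules constructed from the error output above.

```python
"""Simplified model of the RBAC escalation check behind
"attempt to grant extra privileges". Added example; not Kubernetes code."""
from dataclasses import dataclass
from typing import Iterator, List, Sequence, Tuple


@dataclass(frozen=True)
class PolicyRule:
    """One rule of a Role/ClusterRole: either a resource rule or a non-resource-URL rule."""
    verbs: Tuple[str, ...]
    api_groups: Tuple[str, ...] = ()
    resources: Tuple[str, ...] = ()
    resource_names: Tuple[str, ...] = ()
    non_resource_urls: Tuple[str, ...] = ()


def _matches(pattern: str, value: str) -> bool:
    """'*' matches anything; a trailing '*' is a prefix match (used by non-resource URLs)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _any_match(patterns: Sequence[str], value: str) -> bool:
    return any(_matches(p, value) for p in patterns)


def atomic_rules(rule: PolicyRule) -> Iterator[PolicyRule]:
    """Split a rule into single-verb/single-group/single-resource rules, the
    granularity at which the API server lists the rules it refused to grant."""
    if rule.non_resource_urls:
        for verb in rule.verbs:
            for url in rule.non_resource_urls:
                yield PolicyRule(verbs=(verb,), non_resource_urls=(url,))
        return
    for verb in rule.verbs:
        for group in rule.api_groups:
            for resource in rule.resources:
                yield PolicyRule(verbs=(verb,), api_groups=(group,),
                                 resources=(resource,), resource_names=rule.resource_names)


def rule_covers(owner: PolicyRule, wanted: PolicyRule) -> bool:
    """True if the atomic rule 'wanted' is fully contained in the rule 'owner'."""
    if not all(_any_match(owner.verbs, v) for v in wanted.verbs):
        return False
    if wanted.non_resource_urls:
        return all(_any_match(owner.non_resource_urls, u) for u in wanted.non_resource_urls)
    if not all(_any_match(owner.api_groups, g) for g in wanted.api_groups):
        return False
    if not all(_any_match(owner.resources, r) for r in wanted.resources):
        return False
    # An owner rule limited to specific resourceNames only covers a request that
    # is itself limited to a subset of those names (assumed semantics).
    if owner.resource_names:
        return bool(wanted.resource_names) and all(n in owner.resource_names for n in wanted.resource_names)
    return True


def missing_privileges(owner_rules: Sequence[PolicyRule], requested: Sequence[PolicyRule]) -> List[PolicyRule]:
    """Atomic rules in 'requested' that no rule in 'owner_rules' covers.
    A non-empty result means the API server would reject the Role/ClusterRole."""
    return [atom for rule in requested for atom in atomic_rules(rule)
            if not any(rule_covers(owner, atom) for owner in owner_rules)]


# Constructed from the ownerrules in the error above: what an authenticated user
# holds via RBAC when only the default discovery bindings apply to it.
DISCOVERY_ONLY = (
    PolicyRule(verbs=("create",), api_groups=("authorization.k8s.io",),
               resources=("selfsubjectaccessreviews",)),
    PolicyRule(verbs=("get",), non_resource_urls=("/api", "/api/*", "/apis", "/apis/*", "/healthz", "/version")),
)
# The cluster-admin ClusterRole: everything on resources and non-resource URLs.
CLUSTER_ADMIN = (
    PolicyRule(verbs=("*",), api_groups=("*",), resources=("*",)),
    PolicyRule(verbs=("*",), non_resource_urls=("*",)),
)
# The nginx-ingress-clusterrole rules listed in the error, grouped as rbac.yaml groups them.
INGRESS_CLUSTERROLE = (
    PolicyRule(verbs=("list", "watch"), api_groups=("",),
               resources=("configmaps", "endpoints", "nodes", "pods", "secrets")),
    PolicyRule(verbs=("get",), api_groups=("",), resources=("nodes",)),
    PolicyRule(verbs=("get", "list", "watch"), api_groups=("",), resources=("services",)),
    PolicyRule(verbs=("get", "list", "watch"), api_groups=("extensions",), resources=("ingresses",)),
    PolicyRule(verbs=("create", "patch"), api_groups=("",), resources=("events",)),
    PolicyRule(verbs=("update",), api_groups=("extensions",), resources=("ingresses/status",)),
)


def main() -> None:
    for label, owner in (("discovery-only user", DISCOVERY_ONLY), ("cluster-admin", CLUSTER_ADMIN)):
        missing = missing_privileges(owner, INGRESS_CLUSTERROLE)
        print(f"{label}: {len(missing)} requested rules not held by the creator")
        for atom in missing[:3]:
            print("  would be refused:", atom.verbs, atom.api_groups, atom.resources)


if __name__ == "__main__":
    main()
```

Run as-is it reports all 20 atomic rules as missing for the discovery-only user and none for cluster-admin; feeding it a partial owner set (say get/list/watch on the core resources only) narrows the report to the `events` and `ingresses/status` rules, which is the quickest way to see which line of a vendor's rbac.yaml a restricted deployer still lacks before reaching for cluster-admin.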

@aledbf
Member

aledbf commented Nov 8, 2017

@jeffwji can we close this issue?

@jeffwji jeffwji closed this as completed Nov 8, 2017
@jeffwji
Author

jeffwji commented Nov 8, 2017

Yes, we can close it now, but I still don't understand why ABAC policy doesn't work though.

@aledbf
Member

aledbf commented Nov 8, 2017

@jeffwji maybe you can get help in the kubernetes-users slack channel

@richmondwang

@jpiper I couldn't get my rbac applied even after creating the ClusterRoleBinding as you specified it. Am I missing something else?

@richmondwang

Just in case someone else has problems, this prometheus-operator/prometheus-operator#357 (comment) worked for me.

@dafstone

dafstone commented Mar 5, 2018

If you're having this problem on GKE also try:

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)

Per: https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control

This should initialize your user as a cluster admin under RBAC.

@ianwalter

@dafstone Thanks! You forgot a \ after the first line of the command, btw.

@dafstone

dafstone commented Mar 9, 2018

Actually looks like it was in there but github was hiding it, so I re-wrapped as a code block. Thanks for pointing that out!

@maaraoffl

Facing the same issue when trying to set up openfaas on GKE (1.8+ version)

Error from server (Forbidden): error when creating "yaml/rbac.yml": roles.rbac.authorization.k8s.io "faas-controller" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["create"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["delete"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["update"]}] user=&{Mahesh.Veerabathiran@gmail.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

I ran the commands suggested to fix the issue, but they did not solve the problem:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account)

kubectl create clusterrolebinding "cluster-admin-$(whoami)" --clusterrole=cluster-admin --user="$(gcloud config get-value core/account)"

Your help is much appreciated!

@kirang20

kirang20 commented Aug 1, 2018

I am facing the same issue, I have run kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account) but still getting forbidden error. Could someone please help?

@kvishweshwar

Hello Folks,

I am facing the same Forbidden error, even after executing kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account). I have already created the cluster_role_binding and/or role_binding, and now when I go to create the role and/or cluster_role for the same, it gives me the same error.
Can anyone help with this issue?

@djvs

djvs commented Mar 15, 2019

If anyone else is seeing something like this on GKE:

Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: attempt to grant extra privileges: [{[list] [] [configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] [] [endpoints] [] []} {[watch] [] [endpoints] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []} {[list] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[get] [] [nodes] [] []} {[get] [] [services] [] []} {[list] [] [services] [] []} {[watch] [] [services] [] []} {[get] [extensions] [ingresses] [] []} {[list] [extensions] [ingresses] [] []} {[watch] [extensions] [ingresses] [] []} {[create] [] [events] [] []} {[patch] [] [events] [] []} {[update] [extensions] [ingresses/status] [] []}] user=&{SOMETHING@YOURPROJECTNAME.iam.gserviceaccount.com [system:authenticated] map[user-assertion.cloud.google.com:xxxxxxxx]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]

See the email with caps? If you run this:

kubectl create clusterrolebinding cluster-admin-SOMETHING --clusterrole=cluster-admin --user=SOMETHING@YOURPROJECT.iam.gserviceaccount.com

and it'll let you apply the mandatory.yaml.
