clusterroles.rbac.authorization.k8s.io "kube-backup-reader" is forbidden #45

Closed
030 opened this issue Dec 25, 2018 · 5 comments

030 commented Dec 25, 2018

I am trying to enable kube-backup for one of the clusters that is running on GCP.

cronjob-ssh.yaml has been deployed

kubectl describe job kube-state-backup-1545735000 -n kube-system returns:

Error creating: pods "kube-state-backup-1545736800-" is forbidden: error looking up service account kube-system/kube-backup: serviceaccount "kube-backup" not found

When the rbac.yaml is deployed, the following issue occurs:

kubectl create -f https://raw.githubusercontent.com/pieterlange/kube-backup/master/rbac.yaml --namespace=kube-system
clusterrolebinding.rbac.authorization.k8s.io/kube-backup created
Error from server (Forbidden): error when creating 
"https://raw.githubusercontent.com/pieterlange/kube-backup/master/rbac.yaml": 
clusterroles.rbac.authorization.k8s.io "kube-backup-reader" is forbidden:
attempt to grant extra privileges:

Based on this I tried:

kubectl create clusterrolebinding kube-backup-reader --clusterrole=cluster-admin --user=<email-address>

I ran the commands that are defined in this post https://stackoverflow.com/a/47332612/2777965, but the issue persists.

Now I wonder whether the "Tiller approach" should be used (fnproject/fn-helm#21 (comment)).

@pieterlange
Owner

Hey Ben! Merry xmas.

The serviceaccount should've been created when you deployed cronjob-ssh.yaml, but the error (attempt to grant extra privileges) you're getting when creating the RBAC rules is related to YOU not having sufficient privileges in the cluster to create the new rolebindings. So, instead of assigning kube-backup-reader cluster-admin privileges, bind yourself to cluster-admin and then create the RBAC rules. Good luck :) I'll check back later.

@030
Author

030 commented Dec 25, 2018

Hey Peter! Merry Christmas to you as well!

It works now! I have added a print-screen of the repository, and the next thing I will do is read the instructions for git-crypt to back up the secrets as well.

I have to say that this is really a nice tool 👍. All the initial config has been committed and when a change is made only this is committed as a second commit like you showed in the demo.

kube-backup


Issue one:

@pieterlange the feedback helped! The other issue was that my email address contained two uppercase chars and the role I created contained only lowercase characters.

Issue two:

running:

kubectl create --edit -f https://raw.githubusercontent.com/pieterlange/kube-backup/master/cronjob-ssh.yaml --namespace=kube-system

skipped the creation of the serviceaccount. Running it as a separate file worked and when a helm chart (#46) would be used then this issue would not occur at all.
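Added example, not part of the thread or of kube-backup: a simplified Python model of the RBAC escalation check behind the "attempt to grant extra privileges" error, including the case-sensitive subject match described under "Issue one". The user name, the verbs in the role and all function names are constructed assumptions; this is not Kubernetes source code.

```python
from itertools import product

# Simplified model of RBAC escalation prevention (not Kubernetes source code).
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Hypothetical rules for the role being created; the verbs are assumed,
# because the snippet quoted in this thread is truncated.
BACKUP_READER = [{"apiGroups": ["*"],
                  "resources": ["configmaps", "secrets"],
                  "verbs": ["get", "list"]}]

AUTHENTICATED_USER = "Jane.Doe@example.com"  # constructed identity


def _match(granted, wanted):
    """A granted list covers a wanted value if it names it or holds '*'."""
    return "*" in granted or wanted in granted


def rules_for(user, bindings):
    """Collect rules bound to `user`. Subject names are exact strings,
    so a binding with different letter case does not apply."""
    held = []
    for binding in bindings:
        if user in binding["subjects"]:  # case-sensitive comparison
            held.extend(CLUSTER_ROLES[binding["role"]])
    return held


def missing_permissions(user, bindings, new_rules):
    """Return (group, resource, verb) tuples in `new_rules` that the
    requester does not already hold. Any entry means 'forbidden'."""
    held = rules_for(user, bindings)
    missing = []
    for rule in new_rules:
        for g, r, v in product(rule["apiGroups"], rule["resources"], rule["verbs"]):
            covered = any(_match(h["apiGroups"], g) and _match(h["resources"], r)
                          and _match(h["verbs"], v) for h in held)
            if not covered:
                missing.append((g, r, v))
    return missing


if __name__ == "__main__":
    wrong_case = [{"role": "cluster-admin", "subjects": ["jane.doe@example.com"]}]
    exact_case = [{"role": "cluster-admin", "subjects": ["Jane.Doe@example.com"]}]
    print("lower-cased binding, missing:",
          missing_permissions(AUTHENTICATED_USER, wrong_case, BACKUP_READER))
    print("exact-case binding, missing:",
          missing_permissions(AUTHENTICATED_USER, exact_case, BACKUP_READER))
```
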

@pieterlange
Owner

Ah, it's a combined YAML file and with --edit it probably picked only one out of the 2 resources. Obscure flags in kubectl can be tricky. :)

@030
Author

030 commented Dec 29, 2018

The git-crypt seems to work as well now. I get encrypted secrets in my git repository. :)

kube-backup-git-crypt

I wonder whether the RBAC snippet is still required as without changing the current RBAC the secrets were sent to the repository.

rules:
- apiGroups: ["*"]
  resources: [
    "configmaps",
    "secrets",

@030 030 closed this as completed Dec 29, 2018
@030
Author

030 commented Dec 29, 2018

I had to add pvc to the RESOURCETYPES as pvc yamls were removed from my git repository.
