Error from server (Forbidden): error when creating .. : clusterroles.rbac.authorization.k8s.io ...: attempt to grant extra privileges:

Unable to create a cluster role. <> has been assigned the roles "container engine admin" & "container engine cluster admin".
Error from server (Forbidden): error when creating "prometheus-
operator/prometheus-operator-cluster-role.yaml":
clusterroles.rbac.authorization.k8s.io "prometheus-operator"
is forbidden: attempt to grant extra privileges: [{[create]
[extensions] [thirdpartyresources] [] []} {[*]
[monitoring.coreos.com] [alertmanagers] [] []} {[*]
[monitoring.coreos.com] [prometheuses] [] []} {[*]
[monitoring.coreos.com] [servicemonitors] [] []} {[*]
[apps] [statefulsets] [] []} {[*] [] [configmaps] [] []}
{[*] [] [secrets] [] []} {[list] [] [pods] [] []} {[delete]
[] [pods] [] []} {[get] [] [services] [] []} {[create]
[] [services] [] []} {[update] [] [services] [] []} {[get]
[] [endpoints] [] []} {[create] [] [endpoints] [] []}
{[update] [] [endpoints] [] []} {[list] [] [nodes]
[] []} {[watch] [] [nodes] [] []}]
user=&{<<my_account>>@gmail.com
[system:authenticated] map[]} ownerrules=[{[create]
[authorization.k8s.io] [selfsubjectaccessreviews]
[] []} {[get] [] [] [] [/api /api/* /apis /apis/*
/healthz /swaggerapi /swaggerapi/* /version]}]
ruleResolutionErrors=[]

Based on https://cloud.google.com/container-engine/docs/role-based-access-control#setting_up_role-based_access_control

Because of the way Container Engine checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.

An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.

This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.

So you need to bind your account to the cluster-admin role.

I ran into the same problem on Google Kubernetes Engine.

Based on enj's answer and ccyang2005's comment, the following snippet solved my problem :)

Step 1: Get your identity

gcloud info | grep Account

This will output something like Account: [myname@example.org]

Step 2: Grant cluster-admin to your current identity

kubectl create clusterrolebinding myname-cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=myname@example.org

This will output something like Clusterrolebinding "myname-cluster-admin-binding" created

After that, you will be able to create ClusterRoles.
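
An added example (not part of the question or the answers above): a Python version of the comparison behind "attempt to grant extra privileges", which parses the requested rules and the caller's ownerrules from the error text and lists what the caller cannot grant. The field order, the treatment of an empty API group as the core group, and the simplified coverage logic (resource rules only) are assumptions inferred from the error message on this page.

```python
import re

# Field order inferred from the error text on this page (assumption).
FIELDS = ("verbs", "api_groups", "resources", "resource_names", "non_resource_urls")
RULE_RE = re.compile(r"\{" + r"\s*".join([r"\[([^\]]*)\]"] * 5) + r"\}")

# Excerpts of the error message quoted in the question.
REQUESTED = ("{[create] [extensions] [thirdpartyresources] [] []} "
             "{[*] [] [secrets] [] []} {[list] [] [nodes] [] []} "
             "{[watch] [] [nodes] [] []}")
OWNER = ("{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} "
         "{[get] [] [] [] [/api /api/* /apis /apis/* "
         "/healthz /swaggerapi /swaggerapi/* /version]}")
# Constructed sample: a wildcard rule like the one cluster-admin carries.
CLUSTER_ADMIN = "{[*] [*] [*] [] []}"

def parse_rules(text):
    """Parse rules printed as '{[verbs] [groups] [resources] [names] [urls]}'."""
    return [{f: g.split() for f, g in zip(FIELDS, m.groups())}
            for m in RULE_RE.finditer(text)]

def _match(have, want):
    return "*" in have or want in have

def uncovered(owner_rules, requested_rules):
    """Return (verb, group, resource) tuples that no owner rule covers."""
    missing = []
    for r in requested_rules:
        for verb in r["verbs"]:
            for group in r["api_groups"] or [""]:   # "[]" read as core group
                for res in r["resources"]:
                    covered = any(
                        _match(o["verbs"], verb)
                        and _match(o["api_groups"] or [""], group)
                        and _match(o["resources"], res)
                        and not o["resource_names"]  # name-scoped rules don't cover
                        for o in owner_rules)
                    if not covered:
                        missing.append((verb, group, res))
    return missing

if __name__ == "__main__":
    want = parse_rules(REQUESTED)
    print("before binding:", uncovered(parse_rules(OWNER), want))
    print("after binding: ", uncovered(parse_rules(CLUSTER_ADMIN), want))
```

With the ownerrules from the error, every requested tuple is reported as missing; once a wildcard rule such as cluster-admin's is bound to the identity, the list is empty and the create is allowed.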