GKE 上的 Istio 安装失败,"clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden: attempt to grant extra privileges"
Istio installation on GKE failed with "clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden: attempt to grant extra privileges"
正在尝试在 GKE(Google 容器引擎)上安装 istio 0.1.6。
运行 按照以下步骤检查集群是否启用了 RBAC(基于角色的访问控制):
$ kubectl api-versions | grep rbac
rbac.authorization.k8s.io/v1beta1
它显示'beta'版本,所以我运行:
$ kubectl apply -f istio-0.1.6/install/kubernetes/istio-rbac-beta.yaml
Error from server (Forbidden): error when creating "istio-0.1.6/install/kubernetes/istio-rbac-beta.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden: attempt to grant extra privileges:...
集群角色绑定创建没有帮助:
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org
知道如何解决这个问题吗?
更多详情:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.2", GitCommit:"477efc3cbe6a7effca06bd1452fa356e2201e1ee", GitTreeState:"clean", BuildDate:"2017-04-19T20:33:11Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.4", GitCommit:"d6f433224538d4f9ca2f7ae19b252e6fcb66a3ae", GitTreeState:"clean", BuildDate:"2017-05-19T18:33:17Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud container clusters get-credentials...
将 CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True 添加到 gcloud container clusters get-credentials 命令,该命令使用适当的凭据更新 kubeconfig 文件以将 kubectl 指向容器引擎集群,解决了问题:)
参考:istio issue
我 运行 喜欢这个。对我来说,解决方案是 --user 的电子邮件地址参数必须小写。这意味着 --user=foo.bar@example.com 而不是 --user=Foo.Bar@example.com
正在尝试在 GKE(Google 容器引擎)上安装 istio 0.1.6。
运行 按照以下步骤检查集群是否启用了 RBAC(基于角色的访问控制):
$ kubectl api-versions | grep rbac
rbac.authorization.k8s.io/v1beta1
它显示'beta'版本,所以我运行:
$ kubectl apply -f istio-0.1.6/install/kubernetes/istio-rbac-beta.yaml
Error from server (Forbidden): error when creating "istio-0.1.6/install/kubernetes/istio-rbac-beta.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden: attempt to grant extra privileges:...
集群角色绑定创建没有帮助:
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org
知道如何解决这个问题吗?
更多详情:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.2", GitCommit:"477efc3cbe6a7effca06bd1452fa356e2201e1ee", GitTreeState:"clean", BuildDate:"2017-04-19T20:33:11Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.4", GitCommit:"d6f433224538d4f9ca2f7ae19b252e6fcb66a3ae", GitTreeState:"clean", BuildDate:"2017-05-19T18:33:17Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud container clusters get-credentials...
将 CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True 添加到 gcloud container clusters get-credentials 命令,该命令使用适当的凭据更新 kubeconfig 文件以将 kubectl 指向容器引擎集群,解决了问题:)
参考:istio issue
我 运行 喜欢这个。对我来说,解决方案是 --user 的电子邮件地址参数必须小写。这意味着 --user=foo.bar@example.com 而不是 --user=Foo.Bar@example.com