GKE traefik 创建 rbac 权限失败

Question

我正在尝试将 traefik 安装为 GKE（google 云 kubernetes 引擎）上的入口控制器，当我尝试时：

kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml

我有这个错误：

Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml": clusterroles.rbac.authorization.k8s.io "traefik-ingress-controller" is forbidden: attempt to grant extra privileges: [PolicyRule{APIGroups:[""], Resources:["services"], Verbs:["get"]} PolicyRule{APIGroups:[""], Resources:["services"], Verbs:["list"]} PolicyRule{APIGroups:[""], Resources:["services"], Verbs:["watch"]} PolicyRule{APIGroups:[""], Resources:["endpoints"], Verbs:["get"]} PolicyRule{APIGroups:[""], Resources:["endpoints"], Verbs:["list"]} PolicyRule{APIGroups:[""], Resources:["endpoints"], Verbs:["watch"]} PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["get"]} PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["list"]} PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["watch"]} PolicyRule{APIGroups:["extensions"], Resources:["ingresses"], Verbs:["get"]} PolicyRule{APIGroups:["extensions"], Resources:["ingresses"], Verbs:["list"]} PolicyRule{APIGroups:["extensions"], Resources:["ingresses"], Verbs:["watch"]}] user=&{IzoPi4a@gmail.com [system:authenticated] map[user-assertion.cloud.google.com:[ADKE0IBz9kwSuZRZkfbLil8iC/ijcmJJmuys2DvDGxoxQ5yP6Pdq1IQs3JRwDmd/lWm2vGdMXGB4h1QKiwx+3uV2ciTb/oQNtkthBvONnVp4fJGOSW1S+8O8dqvoUNRLNeB5gADNn1TKEYoB+JvRkjrkTOxtIh7rPugLaP5Hp7thWft9xwZqF9U4fgYHnPjCdRgvMrDvGIK8z7ONljYuStpWdJDu7LrPpT0L]]} ownerrules=[PolicyRule{APIGroups:["authorization.k8s.io"], Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/openapi" "/openapi/" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/" "/version" "/version/"], Verbs:["get"]}] ruleResolutionErrors=[]

只有这一部分有问题，另外一个创建成功：

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch

根据文档 (https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control) 我尝试执行此命令但我仍然遇到相同的错误

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=MY_EMAIL_THAT_I_LOGIN_INTO_GCP

有没有人设法解决这个问题？或者它根本不起作用？

我正在尝试制作一个没有 loadBalancer 的 kubernetes 集群，以便在我的本地机器（minikube）上便宜，我没有这样的问题。

Answer 1

所以对于所有试图在 GKE 上安装 traefik 的人来说，如果你遇到了错误消息，请先安装

# Get password value
$ gcloud container clusters describe CUSTER_NAME --zone ZONE_NAME | grep password

# Pass username and password parameters
$ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml --username=admin --password=PASSWORD

感谢 Nicola Ben 帮我解决问题

Answer 2

这里的主要问题是您当前的用户没有足够的权限来执行此操作。要创建必要的绑定：

kubectl create clusterrolebinding cluster-admin-binding \                                               
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)

感谢 istio 的想法。

GKE traefik 创建 rbac 权限失败

GKE traefik fails to create rbac permissions

google-cloud-platform

kubernetes

google-kubernetes-engine

traefik