Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failed when running rbac.yaml by permission denied. #1663

Closed
jeffwji opened this issue Nov 7, 2017 · 18 comments · Fixed by #3242
Closed

Failed when running rbac.yaml by permission denied. #1663

jeffwji opened this issue Nov 7, 2017 · 18 comments · Fixed by #3242

Comments

@jeffwji
Copy link

jeffwji commented Nov 7, 2017

Recently I upgrade my k8s to version 1.8 and enabled RBCA (parallelly with ABCA) and encountered difficulty when deploy ingress-nginx, this is the error information:

\# kubectl create -f rbac.yaml

serviceaccount "nginx-ingress-serviceaccount" created
rolebinding "nginx-ingress-role-nisa-binding" created
clusterrolebinding "nginx-ingress-clusterrole-nisa-binding" created
Error from server (Forbidden): error when creating "rbac.yaml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["patch"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] user=&{admin 0 [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "rbac.yaml": roles.rbac.authorization.k8s.io "nginx-ingress-role" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["ingress-controller-leader-nginx"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["ingress-controller-leader-nginx"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]}] user=&{admin 0 [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/
" "/apis" "/apis/" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

Not sure how to fix it?

@aledbf
Copy link
Member

aledbf commented Nov 8, 2017

@jeffwji please share the ABAC rules

@jpiper
Copy link

jpiper commented Nov 8, 2017

I am also getting this error in my cluster that I haven't enabled RBAC for yet (I want to get all the roles sorted before I turn it on). I haven't even got ABAC enabled, just authentication via user certs.

@aledbf
Copy link
Member

aledbf commented Nov 8, 2017

@jpiper if you don't have RBAC or ABAC enabled you need to install the ingress controller using https://github.com/kubernetes/ingress-nginx/tree/master/deploy#install-without-rbac-roles

@jpiper
Copy link

jpiper commented Nov 8, 2017

@aledbf ah, I got it, I had to give myself cluster admin permissions first.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admins
subjects:
- kind: User
  name: piperj
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""

@jeffwji
Copy link
Author

jeffwji commented Nov 8, 2017

I almost put everything I known to ABAC:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "configmaps": "*", "pods": "*", "namespaces": "*", "endpoints": "*" }}

And I'm having the config to allow me login as admin.

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/certs/ca.crt
    server: https://eval.cloud.local
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    user: Administrator
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users:
- name: Administrator
  user:
    as-user-extra: {}
    password: "xxxxxxxxxxxxx"
    username: admin

@jeffwji
Copy link
Author

jeffwji commented Nov 8, 2017

@jpiper Wooo! I also got it after grant admin with cluster-admin role, there is no default value for any user in the system. but why ABAC policy doesn't work?

@aledbf
Copy link
Member

aledbf commented Nov 8, 2017

@jeffwji can we close this issue?

@jeffwji jeffwji closed this as completed Nov 8, 2017
@jeffwji
Copy link
Author

jeffwji commented Nov 8, 2017

Yes, we can close it now, but I still don't understand why ABAC policy doesn't work though.

@aledbf
Copy link
Member

aledbf commented Nov 8, 2017

@jeffwji maybe you can get help in the kubernetes-users slack channel

@richmondwang
Copy link

@jpiper I couldnt get my rbac applied even after creating the ClusterRoleBinding as you specified it. Am I missing something else?

@richmondwang
Copy link

Just in case someone else has problems, this prometheus-operator/prometheus-operator#357 (comment) worked for me.

@dafstone
Copy link

dafstone commented Mar 5, 2018

If you're having this problem on GKE also try:

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)

Per: https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control

This should initialize your user as a cluster admin under RBAC.

@ianwalter
Copy link

@dafstone Thanks! You forgot a \ after the first line of the command, btw.

@dafstone
Copy link

dafstone commented Mar 9, 2018

Actually looks like it was in there but github was hiding it, so I re-wrapped as a code block. Thanks for pointing that out!

@maaraoffl
Copy link

Facing the same issue when trying to setup openfaas on gke (1.8+ version)

Error from server (Forbidden): error when creating "yaml/rbac.yml": roles.rbac.authorization.k8s.io "faas-controller" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["create"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["delete"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["update"]}] user=&{Mahesh.Veerabathiran@gmail.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

I ran the commands suggested to fix the issue but it did not solve the problem,
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account)

kubectl create clusterrolebinding "cluster-admin-$(whoami)" --clusterrole=cluster-admin --user="$(gcloud config get-value core/account)"

Your help is much appreciated!

@kirang20
Copy link

kirang20 commented Aug 1, 2018

I am facing the same issue, I have run kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account) but still getting forbidden error. Could someone please help?

@kvishweshwar
Copy link

Hello Folks,

I am facing same Forbidden error, even after executing kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account) . i already have created cluster_role_binding and/or role_binding & now when I am going to create role and/or cluster_role for same, it is giving me same error.
can any one help in this issue ?

@djvs
Copy link

djvs commented Mar 15, 2019

If anyone else is seeing something like this on GKE:

Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: attempt to grant extra privileges: [{[list] [] [configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] [] [endpoints] [] []} {[watch] [] [endpoints] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []} {[list] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[get] [] [nodes] [] []} {[get] [] [services] [] []} {[list] [] [services] [] []} {[watch] [] [services] [] []} {[get] [extensions] [ingresses] [] []} {[list] [extensions] [ingresses] [] []} {[watch] [extensions] [ingresses] [] []} {[create] [] [events] [] []} {[patch] [] [events] [] []} {[update] [extensions] [ingresses/status] [] []}] user=&{SOMETHING@YOURPROJECTNAME.iam.gserviceaccount.com [system:authenticated] map[user-assertion.cloud.google.com:xxxxxxxx]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]

See the email with caps? If you run this:

kubectl create clusterrolebinding cluster-admin-SOMETHING --clusterrole=cluster-admin --user=SOMETHING@YOURPROJECT.iam.gserviceaccount.com

and it'll let you apply the mandatory.yaml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

10 participants