important-leather-28796
03/15/2019, 6:07 PM
clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "ci-infrastructure@xxx.iam.gserviceaccount.com" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
I verified this roleRef/subjects from a manually created one:
```typescript
import * as k8s from '@pulumi/kubernetes'

// `stack`, `optsC` and `cluster` are defined elsewhere in the poster's project
const name = 'cluster-admin-binding'
export const clusterAdminBinding = new k8s.rbac.v1.ClusterRoleBinding(
  name,
  {
    metadata: { name },
    roleRef: {
      apiGroup: 'rbac.authorization.k8s.io',
      kind: 'ClusterRole',
      name: 'cluster-admin',
    },
    subjects: [
      {
        apiGroup: 'rbac.authorization.k8s.io',
        kind: 'User',
        // email of the CI service account, read from the identity stack's output
        name: stack.identity.getOutput('ciInfrastructure').apply(v => v.email),
      },
    ],
  },
  optsC({ dependsOn: [cluster] }),
)
```
What am I missing?
```typescript
import * as gcp from '@pulumi/gcp'

// `project`, `protect` and `bindToIAMRole` are defined elsewhere in the poster's project
const name = 'ciInfrastructure'
export const ciInfrastructure = new gcp.serviceAccount.Account(
  name,
  {
    project,
    accountId: 'ci-infrastructure',
    displayName: 'CI infrastructure account',
  },
  { protect },
)
bindToIAMRole(`${name}ClusterAdmin`, ciInfrastructure, {
  project,
  role: 'roles/container.clusterAdmin',
})
// for deploying cluster-wide resources e.g. traefik, cert-manager
bindToIAMRole(`${name}ContainerDeveloper`, ciInfrastructure, {
  project,
  role: 'roles/container.developer',
})
```
`ci-infrastructure` gcp service account/identity to create the cluster, that I'll be able to create a clusterRoleBinding, but so far cannot.
`roles/container.admin`, using `container.clusterAdmin` and `container.developer` may not be enough
`'roles/container.admin'` solved it
creamy-potato-29402
03/15/2019, 9:42 PM