#general

important-leather-28796

03/15/2019, 6:07 PM
Having a problem adding a ClusterRoleBinding - not sure if it is with my gcp identities setup or in k8s. Error:
clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "ci-infrastructure@xxx.iam.gserviceaccount.com" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
I verified this roleRef/subjects from a manually created one:
const name = 'cluster-admin-binding'
export const clusterAdminBinding = new k8s.rbac.v1.ClusterRoleBinding(
  name,
  {
    metadata: { name },
    roleRef: {
      apiGroup: 'rbac.authorization.k8s.io',
      kind: 'ClusterRole',
      name: 'cluster-admin',
    },
    subjects: [
      {
        apiGroup: 'rbac.authorization.k8s.io',
        kind: 'User',
        name: stack.identity.getOutput('ciInfrastructure').apply(v => v.email),
      },
    ],
  },
  optsC({ dependsOn: [cluster] }),
)
What am I missing?
Here is the identity setup:
const name = 'ciInfrastructure'

export const ciInfrastructure = new gcp.serviceAccount.Account(
  name,
  {
    project,
    accountId: 'ci-infrastructure',
    displayName: 'CI infrastructure account',
  },
  { protect },
)

bindToIAMRole(`${name}ClusterAdmin`, ciInfrastructure, {
  project,
  role: 'roles/container.clusterAdmin',
})
// for deploying cluster-wide resources e.g. traefik, cert-manager
bindToIAMRole(`${name}ContainerDeveloper`, ciInfrastructure, {
  project,
  role: 'roles/container.developer',
})
I thought since I can use the ci-infrastructure gcp service account/identity to create the cluster, that I’ll be able to create a clusterRoleBinding, but so far cannot.
I’m going to go back and try with roles/container.admin, using container.clusterAdmin and container.developer may not be enough
changing the gcp IAM role to 'roles/container.admin' solved it

creamy-potato-29402

03/15/2019, 9:42 PM
@important-leather-28796 not an expert but that seems to be a lack of permissions error
oh
didn’t see last message