Channels
#general
Title
i
important-leather-28796
03/15/2019, 6:07 PMHaving a problem adding a ClusterRoleBinding - not sure if it is with my gcp identities setup or in k8s.
Error:
Copy code
<http://clusterrolebindings.rbac.authorization.k8s.io|clusterrolebindings.rbac.authorization.k8s.io> is forbidden: User "<mailto:ci-infrastructure@xxx.iam.gserviceaccount.com|ci-infrastructure@xxx.iam.gserviceaccount.com>" cannot create resource "clusterrolebindings" in API group "<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>" at the cluster scope Copy code
const name = 'cluster-admin-binding'
export const clusterAdminBinding = new k8s.rbac.v1.ClusterRoleBinding(
name,
{
metadata: { name },
roleRef: {
apiGroup: '<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>',
kind: 'ClusterRole',
name: 'cluster-admin',
},
subjects: [
{
apiGroup: '<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>',
kind: 'User',
name: stack.identity.getOutput('ciInfrastructure').apply(v => v.email),
},
],
},
optsC({ dependsOn: [cluster] }),
)Here is the identity setup:
Copy code
const name = 'ciInfrastructure'
export const ciInfrastructure = new gcp.serviceAccount.Account(
name,
{
project,
accountId: 'ci-infrastructure',
displayName: 'CI infrastructure account',
},
{ protect },
)
bindToIAMRole(`${name}ClusterAdmin`, ciInfrastructure, {
project,
role: 'roles/container.clusterAdmin',
})
// for deploying cluster-wide resources e.g. traefik, cert-manager
bindToIAMRole(`${name}ContainerDeveloper`, ciInfrastructure, {
project,
role: 'roles/container.developer',
})I thought since I can use the
ci-infrastructureI’m going to go back and try with
roles/container.admincontainer.clusterAdmincontainer.developerchanging the gcp IAM role to
'roles/container.admin'c
creamy-potato-29402
03/15/2019, 9:42 PM@important-leather-28796 not an expert but that seems to be a lack of permissions error
oh
didn’t see last message