GKE traefik无法创建rbac权限

时间:2018-09-01 09:53:15

标签: kubernetes google-cloud-platform traefik google-kubernetes-engine

我正在尝试将traefik作为GKE(谷歌云kubernetes引擎)上的入口控制器安装,并且在尝试时安装:

kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml

我有此错误:

  

服务器错误(禁止):创建时出错   “ https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml”:   clusterroles.rbac.authorization.k8s.io“ traefik-ingress-controller”是   禁止:尝试授予额外的特权:   [PolicyRule {APIGroups:[“”],资源:[“ services”],动词:[“ get”]}   PolicyRule {APIGroups:[“”],资源:[“ services”],动词:[“ list”]}   PolicyRule {APIGroups:[“”],资源:[“ services”],动词:[“ watch”]}   PolicyRule {APIGroups:[“”],资源:[“ endpoints”],动词:[“ get”]}   PolicyRule {APIGroups:[“”],资源:[“ endpoints”],动词:[“ list”]}   PolicyRule {APIGroups:[“”],资源:[“ endpoints”],动词:[“ watch”]}   PolicyRule {APIGroups:[“”],资源:[“ secrets”],动词:[“ get”]}   PolicyRule {APIGroups:[“”],资源:[“ secrets”],动词:[“ list”]}   PolicyRule {APIGroups:[“”],资源:[“ secrets”],动词:[“ watch”]}   PolicyRule {APIGroups:[“扩展名”],资源:[“ ingress”],   动词:[“ get”]} PolicyRule {APIGroups:[“扩展名”],   资源:[“ ingresses”],动词:[“ list”]}   PolicyRule {APIGroups:[“扩展名”],资源:[“ ingress”],   动词:[“ watch”]}] user=&{IzoPi4a@gmail.com [system:authenticated]   映射[user-assertion.cloud.google.com:[ADKE0IBz9kwSuZRZkfbLil8iC / ijcmJJmuys2DvDGxoxQ5yP6Pdq1IQs3JRwDmd / lWm2vGdMXGB4h1QKiwx + 3uV2ciTb / oQNtkthBvONnVp4fJGOSW1S + 8O8dqvoUNRLNeB5gADNn1TKEYoB + JvRkjrkTOxtIh7rPugLaP5Hp7thWft9xwZqF9U4fgYHnPjCdRgvMrDvGIK8z7ONljYuStpWdJDu7LrPpT0L]]}   ownerrules = [PolicyRule {APIGroups:[“ authorization.k8s.io”]],   资源:[“ selfsubjectaccessreviews”“ selfsubjectrulesreviews”],   动词:[“ create”]} PolicyRule {NonResourceURLs:[“ / api”“ / api / ”“ / apis”   “ / apis / ”“ / healthz”“ / openapi”“ / openapi / ”“ /swagger-2.0.0.pb-v1”   “ /swagger.json”“ / swaggerapi”“ / swaggerapi / ”“ / version”“ / version /”],   动词:[“ get”]}] ruleResolutionErrors = []

问题仅在于此部分,另一个已成功创建:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch

基于文档(https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control),我尝试执行此命令,但仍然收到相同的错误

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=MY_EMAIL_THAT_I_LOGIN_INTO_GCP

有人解决过这个问题吗?还是不起作用?

我正在尝试创建一个没有loadBalancer的kubernetes集群,以便在我的本地机器(minikube)上便宜,我没有这样的问题。

2 个答案:

答案 0 :(得分:7)

因此,对于试图在GKE上安装traefik的每个人,您都会陷入该错误消息,只需先执行https://stackoverflow.com/a/46316672/1747159 

# Get password value
$ gcloud container clusters describe CUSTER_NAME --zone ZONE_NAME | grep password

# Pass username and password parameters
$ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml --username=admin --password=PASSWORD

感谢Nicola Ben帮助我弄清楚了

答案 1 :(得分:2)

这里的主要问题是您当前的用户没有足够的权限执行此操作。 创建必要的绑定:

kubectl create clusterrolebinding cluster-admin-binding \                                               
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)

感谢istio的想法。

相关问题
最新问题