Fail fast if missing cluster role cluster-admin
drnic opened this issue · 1 comments
drnic commented
The installation of istio/knative requires that the user has cluster-admin. For example:
```
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=$(gcloud config get-value core/account)
```
If the user forgets to do this on a new cluster then the installation of knative/istio will fail in an ugly manner that's non-obvious for the problem/solution, e.g.:
Error from server (Forbidden): error when creating "STDIN": clusterroles.rbac.authorization.k8s.io "istio-cleanup-secrets-istio-system" is forbidden: attempt to grant extra privileges: [PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["list"]} PolicyRule{APIGroups:[""], Resources:["secrets"], Verbs:["delete"]}] user=&{drnic@starkandwayne.com [system:authenticated] map[user-assertion.cloud.google.com:[AGKDXmoggBmpMptAdRwhdyxNXeD3RzeCKsJiMudSQFlhJvIKDykS8cwaLyO/oCltgwLKYPjYcytVxlo2Fof5zL9UX+A3rz32/OlT5KgWUxkNdnt8uMEo9PsgSRb/TGUFVv7L1RmzAYnf6Md3qZ2nUH2IoD9FoFnz/CMAKM0Hy5ICLNxPLs/thL2dj9pfyx1o91vf+Y2b4uzeySMO2er9QlZQ/N/T5pOj5gfzDViVmO2I]]} ownerrules=[PolicyRule{APIGroups:["authorization.k8s.io"], Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/openapi" "/openapi/*" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version" "/version/"], Verbs:["get"]}] ruleResolutionErrors=[]
Could `knctl install` check first that the current user has cluster role `cluster-admin`?
cppforlife commented
yup, i was thinking about something like this before but never got to it. there is some command in kubectl (can-i-do?) that potentially may be helpful in terms of checking perms.
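One way to implement the check discussed in this thread, as an added example that is not knctl's code and not from either commenter: a shell preflight that asks the API server through `kubectl auth can-i` before anything is installed. The `KUBECTL` override and the function names are assumptions; the wildcard query approximates a cluster-admin check rather than reading the role binding itself, and the specific permissions are the ones named in the Forbidden error quoted above.

```shell
#!/bin/sh
# Added example: RBAC preflight to run before an istio/knative install.
# KUBECTL is an assumed override so the check can target a wrapper or stub.
KUBECTL="${KUBECTL:-kubectl}"

# can_i VERB RESOURCE
# Issues a cluster-wide SelfSubjectAccessReview; kubectl prints "yes" or "no".
# The ownerrules in the quoted error show that even an unprivileged user may
# create selfsubjectaccessreviews, so this query itself does not need admin.
can_i() {
    [ "$($KUBECTL auth can-i "$1" "$2" --all-namespaces 2>/dev/null)" = "yes" ]
}

# preflight_rbac
# Returns 0 only if every check passes; otherwise lists what is missing and
# prints the binding command from the issue on stderr.
preflight_rbac() {
    missing=""
    # cluster-admin grants every verb on every resource, so the wildcard passes.
    can_i '*' '*' || missing="$missing '* *'"
    # Permissions named in the Forbidden error: the installer creates a
    # ClusterRole that grants list/delete on secrets, and RBAC refuses to let
    # a user grant rules they do not already hold.
    for check in "create clusterroles" "list secrets" "delete secrets"; do
        set -- $check
        can_i "$1" "$2" || missing="$missing '$check'"
    done
    if [ -n "$missing" ]; then
        echo "preflight: current user lacks:$missing" >&2
        echo "preflight: bind cluster-admin before installing, e.g.:" >&2
        echo '  kubectl create clusterrolebinding cluster-admin-binding \' >&2
        echo '    --clusterrole=cluster-admin \' >&2
        echo '    --user=$(gcloud config get-value core/account)' >&2
        return 1
    fi
    return 0
}

# Usage in an install script: preflight_rbac || exit 1
```
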