Grant cluster admin to current user
zinob opened this issue · 7 comments
If you receive an error along the lines of
Error from server (Forbidden): error when creating "examples/install/cluster-operator/02-role.yaml": roles.rbac.authorization.k8s.io "strimzi-cluster-operator-role" is forbidden: attempt to grant extra privilege
when running kubectl create -f examples/install/cluster-operator
strimzi.github.io/docs/0.4.0/0.4.0.html
Line 190 in 43dc2dc
You (apparently) need to grant your own user
kubectl create clusterrolebinding strimzi-cluster-operator-role --clusterrole=cluster-admin --user=YourUserName@YourDomain.TLD
(not sure about the strimzi-cluster-operator-role -part yet)
@zinob this wasn't in the docs for 0.4.0 but this is now explained in the docs on master here: http://strimzi.io/docs/master/#deploying_to_openshift . In your opinion would that have been enough of a note for you to avoid the problem, or would you have needed further explanation?
I am sure it would have helped if I was trying to deploy to OpenShift, but since I am trying to get it to work on Kubernetes it isn't that much help.
Sorry, I was a bit tired yesterday and didn't really give great feedback. I have set the right namespace (since this should be relevant for Kubernetes as well) (and I am sure it was working once, just for good WTF-measure) the operator is able to create the Zookeeper nodes, but then I get this in the error log:
io.fabric8.kubernetes.client.KubernetesClientException: Got unexpected GET status code 403: Forbidden
at io.strimzi.operator.cluster.operator.resource.WorkaroundRbacOperator.execute(WorkaroundRbacOperator.java:118) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.strimzi.operator.cluster.operator.resource.WorkaroundRbacOperator.lambda$doReconcile$0(WorkaroundRbacOperator.java:58) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:273) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_171]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [cluster-operator-0.6.0-SNAPSHOT.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
This error message is probably more helpful but I missed it since it was logged at INFO:
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/default/serviceaccounts/my-cluster-kafka. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. serviceaccounts "my-cluster-kafka" is forbidden: User "system:serviceaccount:default:strimzi-cluster-operator" cannot get serviceaccounts in the namespace "default": Unknown user "system:serviceaccount:default:strimzi-cluster-operator".
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:312) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:295) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:787) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:217) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:184) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.strimzi.operator.cluster.operator.resource.AbstractResourceOperator.lambda$reconcile$0(AbstractResourceOperator.java:81) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:273) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_171]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [cluster-operator-0.6.0-SNAPSHOT.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
@zinob the problem is that the Cluster Operator isn't able to get the ServiceAccounts in your namespace. That's a privilege that's granted in examples/install/cluster-operator/02-ClusterRole-strimzi-cluster-operator-role.yaml.
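Added example, not part of the thread or of Strimzi's code: a small POSIX shell helper that turns the "Forbidden" sentence quoted in the log above into read-only kubectl checks, so the denied request can be re-tested for exactly that service account before any broader role is granted. The function names and the sample string are constructed for illustration; `kubectl get serviceaccount` and `kubectl auth can-i ... --as` are standard kubectl commands.

```sh
# Added example (not from the thread): derive RBAC checks from a "Forbidden" message.
# Constructed sample: the relevant sentence of the log message quoted above.
SAMPLE_MSG='User "system:serviceaccount:default:strimzi-cluster-operator" cannot get serviceaccounts in the namespace "default": Unknown user'

# parse_forbidden MESSAGE -> prints "subject verb resource namespace", or fails.
# The character classes are deliberately narrow so that text copied from a log
# cannot introduce spaces, quotes or shell metacharacters into the output.
parse_forbidden() {
  out=$(printf '%s\n' "$1" | sed -n -E \
    's/.*User "([A-Za-z0-9:._@-]+)" cannot ([a-z]+) ([a-z0-9.-]+) in the namespace "([a-z0-9-]+)".*/\1 \2 \3 \4/p')
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# rbac_checks MESSAGE -> prints read-only kubectl commands that re-test the denial.
rbac_checks() {
  fields=$(parse_forbidden "$1") || return 1
  set -- $fields
  subject=$1 verb=$2 resource=$3 ns=$4
  case $subject in
    system:serviceaccount:*:*)
      rest=${subject#system:serviceaccount:}
      sa_ns=${rest%%:*}
      sa_name=${rest#*:}
      # Does the service account named in the denial exist at all?
      printf 'kubectl get serviceaccount %s --namespace=%s\n' "$sa_name" "$sa_ns"
      ;;
  esac
  # Ask the API server the same authorization question, impersonating the subject.
  printf 'kubectl auth can-i %s %s --as=%s --namespace=%s\n' \
    "$verb" "$resource" "$subject" "$ns"
}

rbac_checks "$SAMPLE_MSG"
```

Running the printed commands needs a kubeconfig whose user is allowed to impersonate; a "no" from `can-i` confirms that the binding for that service account is what is missing.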
@tombentley can we close this issue? even because it's opened in the wrong repo.
Since 0.4.0 this has all changed quite a lot, both documentation and implementation-wise, so let's close this.