strimzi/strimzi.github.io

Grant cluster admin to current user

zinob opened this issue · 7 comments

zinob commented

If you receive an error along the lines of
Error from server (Forbidden): error when creating "examples/install/cluster-operator/02-role.yaml": roles.rbac.authorization.k8s.io "strimzi-cluster-operator-role" is forbidden: attempt to grant extra privilege
when running kubectl create -f examples/install/cluster-operator

You (apparently) need to grant your own user:
kubectl create clusterrolebinding strimzi-cluster-operator-role --clusterrole=cluster-admin --user=YourUserName@YourDomain.TLD (not sure about the strimzi-cluster-operator-role part yet)

@zinob this wasn't in the docs for 0.4.0 but this is now explained in the docs on master here: http://strimzi.io/docs/master/#deploying_to_openshift . In your opinion would that have been enough of a note for you to avoid the problem, or would you have needed further explanation?

zinob commented

I am sure it would have helped if I was trying to deploy to OpenShift, but since I am trying to get it to work on Kubernetes it isn't that much help.

zinob commented

Sorry, I was a bit tired yesterday and didn't really give great feedback. I have set the right namespace (since this should be relevant for Kubernetes as well; and I am sure it was working once, just for good WTF-measure). The operator is able to create the Zookeeper nodes, but then I get this in the error log:

io.fabric8.kubernetes.client.KubernetesClientException: Got unexpected GET status code 403: Forbidden
	at io.strimzi.operator.cluster.operator.resource.WorkaroundRbacOperator.execute(WorkaroundRbacOperator.java:118) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.strimzi.operator.cluster.operator.resource.WorkaroundRbacOperator.lambda$doReconcile$0(WorkaroundRbacOperator.java:58) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:273) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_171]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_171]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
zinob commented

This error message is probably more helpful, but I missed it since it was logged at INFO:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/default/serviceaccounts/my-cluster-kafka. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. serviceaccounts "my-cluster-kafka" is forbidden: User "system:serviceaccount:default:strimzi-cluster-operator" cannot get serviceaccounts in the namespace "default": Unknown user "system:serviceaccount:default:strimzi-cluster-operator".
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:312) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:295) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:787) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:217) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:184) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.strimzi.operator.cluster.operator.resource.AbstractResourceOperator.lambda$reconcile$0(AbstractResourceOperator.java:81) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:273) ~[cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_171]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_171]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [cluster-operator-0.6.0-SNAPSHOT.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
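
The two Forbidden messages in this thread are different RBAC failures. The first ("attempt to grant extra privilege") is the API server's escalation prevention: a caller may only create a Role containing permissions the caller already holds, which is why binding cluster-admin to the user makes it disappear. The second is an ordinary authorization denial for the operator's service account. The script below is an added example, not code from this issue or from Strimzi: it classifies a Forbidden message, derives the `kubectl auth can-i --as=...` check that reproduces a denial without re-running the operator, and prints a generic Role/RoleBinding granting exactly the denied verb on the denied resource, as a least-privilege alternative to handing out cluster-admin. It assumes a POSIX shell with `sed`, uses the two messages quoted above as constructed sample input, and assumes the core API group for the resource because the error message does not carry the group.

```shell
#!/bin/sh
# Added example (not from the Strimzi issue or project): turn a Kubernetes RBAC
# "Forbidden" message into the kubectl check that reproduces it and into a
# least-privilege Role/RoleBinding covering only the denied action.

# Sample input, copied from the thread above (constructed test data here).
ESCALATION_MSG='roles.rbac.authorization.k8s.io "strimzi-cluster-operator-role" is forbidden: attempt to grant extra privilege'
DENIAL_MSG='serviceaccounts "my-cluster-kafka" is forbidden: User "system:serviceaccount:default:strimzi-cluster-operator" cannot get serviceaccounts in the namespace "default": Unknown user "system:serviceaccount:default:strimzi-cluster-operator".'

# Classify a Forbidden message:
#   escalation - the API server refused to let the caller grant a permission the caller does not hold
#   denial     - the caller itself lacks a permission
rbac_kind() {
  case "$1" in
    *"attempt to grant extra privilege"*) echo escalation ;;
    *" cannot "*" in the namespace "*)     echo denial ;;
    *)                                     echo unknown ;;
  esac
}

# Pull one field out of a 'User "X" cannot VERB RESOURCE in the namespace "NS"' message.
# $1 = message, $2 = user | verb | resource | namespace
rbac_field() {
  case "$2" in
    user)      printf '%s\n' "$1" | sed -E 's/.*User "([^"]+)" cannot .*/\1/' ;;
    verb)      printf '%s\n' "$1" | sed -E 's/.*" cannot ([a-z]+) .*/\1/' ;;
    resource)  printf '%s\n' "$1" | sed -E 's/.*" cannot [a-z]+ ([^ ]+) .*/\1/' ;;
    namespace) printf '%s\n' "$1" | sed -E 's/.*in the namespace "([^"]+)".*/\1/' ;;
  esac
}

# The kubectl command that reproduces a denial by impersonating the denied subject,
# so the permission can be checked without restarting the operator.
rbac_can_i() {
  printf 'kubectl auth can-i %s %s -n %s --as=%s\n' \
    "$(rbac_field "$1" verb)" "$(rbac_field "$1" resource)" \
    "$(rbac_field "$1" namespace)" "$(rbac_field "$1" user)"
}

# Suggested next step for either kind of message. For escalation the message names
# no subject, so the check is what the current user can do at all.
rbac_next_step() {
  case "$(rbac_kind "$1")" in
    escalation) echo 'kubectl auth can-i --list   # the caller must already hold every permission in the Role it creates' ;;
    denial)     rbac_can_i "$1" ;;
    *)          echo 'unrecognised Forbidden message' >&2; return 1 ;;
  esac
}

# Generic Role + RoleBinding granting exactly the denied verb on the denied resource
# to the denied service account. This is a template, not Strimzi's own ClusterRole.
# Assumption: the resource lives in the core API group ("").
rbac_fix_manifest() {
  user=$(rbac_field "$1" user)
  ns=$(rbac_field "$1" namespace)
  verb=$(rbac_field "$1" verb)
  resource=$(rbac_field "$1" resource)
  case "$user" in
    system:serviceaccount:*)
      sa_ns=$(printf '%s' "$user" | cut -d: -f3)
      sa_name=$(printf '%s' "$user" | cut -d: -f4) ;;
    *) echo 'only service-account subjects are handled here' >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa_name}-${resource}-${verb}
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["${resource}"]
  verbs: ["${verb}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa_name}-${resource}-${verb}
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa_name}
  namespace: ${sa_ns}
roleRef:
  kind: Role
  name: ${sa_name}-${resource}-${verb}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Demo on both sample messages.
for msg in "$ESCALATION_MSG" "$DENIAL_MSG"; do
  echo "# $(rbac_kind "$msg"):"
  rbac_next_step "$msg"
done
rbac_fix_manifest "$DENIAL_MSG"
```

Run the printed `kubectl auth can-i ... --as=system:serviceaccount:...` against the cluster: a `no` confirms the missing binding, and a `yes` means the operator's token is not what you think it is (the `Unknown user` suffix in the log above points at the service account itself not being recognised). Applying the generated Role is only a stopgap for diagnosis; the project's own ClusterRole in examples/install/cluster-operator is the intended grant.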

@zinob the problem is that the Cluster Operator isn't able to get the ServiceAccounts in your namespace. That's a privilege that's granted in examples/install/cluster-operator/02-ClusterRole-strimzi-cluster-operator-role.yaml.

@tombentley can we close this issue? Also because it's opened in the wrong repo.

Since 0.4.0 this has all changed quite a lot, both documentation- and implementation-wise, so let's close this.