upmc-enterprises/elasticsearch-operator

Controller can't be deployed on GKE

wjimenez5271 opened this issue · 5 comments

It throws this error:

time="2018-08-28T17:34:30Z" level=info msg="Using InCluster k8s config"
panic: customresourcedefinitions.apiextensions.k8s.io "elasticsearchclusters.enterprises.upmc.com" is forbidden: User "system:serviceaccount:operator:elasticsearch-operator" cannot get customresourcedefinitions.apiextensions.k8s.io at the cluster scope: clusterrole.rbac.authorization.k8s.io "elasticsearch-operator" not found
Unknown user "system:serviceaccount:operator:elasticsearch-operator"

Was hoping I was just missing something in the docs about pre-reqs on GKE, but couldn't find any. Thanks in advance for your help! Also, this is with 1.9.7-gke.5 of Kubernetes.

Did the RBAC stuff apply correctly? Seems like the service account and role didn't get created.

@stevesloka where does that get applied? Maybe I missed a step?

Here is what I see when I deploy it:

serviceaccount "elasticsearch-operator" created
clusterrolebinding.rbac.authorization.k8s.io "elasticsearch-operator" created
deployment.extensions "elasticsearch-operator" created
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/upmc-enterprises/elasticsearch-operator/master/example/controller.yaml": clusterroles.rbac.authorization.k8s.io "elasticsearch-operator" is forbidden: attempt to grant extra privileges:

Then it lists out a ton of API verbs.

Also I tried upgrading the GKE cluster, same issue with 1.10.6-gke.2

Turns out in GKE you first need to grant your identity rights to create these RBAC permissions objects: https://stackoverflow.com/questions/44349987/error-from-server-forbidden-error-when-creating-clusterroles-rbac-author
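
The resolution above as a script, added here as an example that is not part of the thread or the operator project. Kubernetes refuses to let a user create a ClusterRole carrying permissions the user does not hold through RBAC, which is the "attempt to grant extra privileges" error. The usual grant on GKE binds the built-in cluster-admin ClusterRole to your Google account. The binding name is hypothetical, and `kubectl` and `gcloud` are assumed to be configured for the cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the operator repository.
# Assumes kubectl and gcloud are on PATH and target the GKE cluster.
set -u

SA="system:serviceaccount:operator:elasticsearch-operator"  # from the panic message
BINDING="${BINDING:-deployer-cluster-admin}"                 # hypothetical binding name

# Bind the built-in cluster-admin ClusterRole to the active gcloud account,
# unless a binding with this name is already there.
grant_deployer_admin() {
  account="$(gcloud config get-value account 2>/dev/null)"
  [ -n "$account" ] || { echo "no active gcloud account" >&2; return 1; }
  if kubectl get clusterrolebinding "$BINDING" >/dev/null 2>&1; then
    echo "clusterrolebinding $BINDING already present"
    return 0
  fi
  kubectl create clusterrolebinding "$BINDING" \
    --clusterrole=cluster-admin --user="$account"
}

# After re-applying controller.yaml, check the two things the panic reported:
# the ClusterRole exists, and the service account can read CRDs cluster-wide.
verify_operator_rbac() {
  kubectl get clusterrole elasticsearch-operator >/dev/null 2>&1 \
    || { echo "clusterrole elasticsearch-operator not found" >&2; return 1; }
  answer="$(kubectl auth can-i get customresourcedefinitions.apiextensions.k8s.io --as="$SA" 2>/dev/null)"
  [ "$answer" = "yes" ] || { echo "$SA cannot get CRDs" >&2; return 1; }
  echo "operator RBAC in place"
}

# Usage: ./gke-rbac.sh grant   (then re-apply the manifest)   ./gke-rbac.sh verify
case "${1:-}" in
  grant)  grant_deployer_admin ;;
  verify) verify_operator_rbac ;;
esac
```

Once the operator's ClusterRole exists, the deployer binding can be removed with `kubectl delete clusterrolebinding` so the account does not keep cluster-admin through RBAC.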