RBAC: cluster-admin not installed by default


I was facing an issue installing a chart with helm. The template contains some clusterrole and clusterrolebinding and it was failing because tiller wouldn’t have permissions.

$ helm install --name concourse stable/concourse
Error: release concourse failed: clusterroles.rbac.authorization.k8s.io "concourse-web" is forbidden: attempt to grant extra privileges: [{[get] [] [secrets] [] []}] user=&{system:serviceaccount:kube-system:tiller 2b72831d-94bb-11e8-9677-1866dae5f69c [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[clusterroles.rbac.authorization.k8s.io "cluster-admin" not found]

It turns out that the problem is that cluster-admin is actually not found:

$ kubectl get clusterrole cluster-admin
Error from server (NotFound): clusterroles.rbac.authorization.k8s.io "cluster-admin" not found

However, in multiple places one can read something like “The cluster-admin ClusterRole exists by default in your Kubernetes cluster” (for example, here and here).

After installing the cluster role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

I can now install the helm template. Not sure if it is a known limitation in microk8s, but I write it in case somebody faces the same issue.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 11
  • Comments: 6 (4 by maintainers)
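
The error in the issue comes from the API server's RBAC escalation check: a subject may create a role only if it already holds every permission that role grants, and tiller resolved to no rules (ownerrules=[]) because the cluster-admin ClusterRole was missing. The following is an added example, not part of the original issue or of Kubernetes source: a simplified Python model of that check. It assumes tiller is bound to cluster-admin (as the ruleResolutionErrors entry suggests), ignores resourceNames and nonResourceURLs, and uses hypothetical function names.

```python
# Simplified model of the RBAC escalation check (illustrative, not Kubernetes source).
# Constructed state: tiller is assumed bound to cluster-admin, but the role is missing.
TILLER = "system:serviceaccount:kube-system:tiller"
BINDINGS = [{"subject": TILLER, "role": "cluster-admin"}]
CLUSTER_ADMIN = {"name": "cluster-admin",
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
# What the concourse-web ClusterRole tried to grant: get on core-group secrets.
REQUESTED = [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]


def resolve_rules(subject, bindings, roles):
    """Return (rules the subject holds, errors for bindings to missing roles)."""
    by_name = {role["name"]: role for role in roles}
    rules, errors = [], []
    for binding in bindings:
        if binding["subject"] != subject:
            continue
        role = by_name.get(binding["role"])
        if role is None:
            errors.append(f'clusterrole "{binding["role"]}" not found')
        else:
            rules.extend(role["rules"])
    return rules, errors


def grants(rule, group, resource, verb):
    """True if one held rule allows the (group, resource, verb) tuple."""
    return all("*" in rule[key] or value in rule[key] for key, value in
               (("apiGroups", group), ("resources", resource), ("verbs", verb)))


def uncovered(requested, owner_rules):
    """Requested (group, resource, verb) tuples that no owner rule grants."""
    return [(g, r, v)
            for req in requested
            for g in req["apiGroups"] for r in req["resources"] for v in req["verbs"]
            if not any(grants(rule, g, r, v) for rule in owner_rules)]


def check_escalation(subject, requested, bindings, roles):
    """Return (allowed, missing tuples, resolution errors) for a role create."""
    owner_rules, errors = resolve_rules(subject, bindings, roles)
    missing = uncovered(requested, owner_rules)
    return not missing, missing, errors


if __name__ == "__main__":
    print(check_escalation(TILLER, REQUESTED, BINDINGS, []))               # role missing
    print(check_escalation(TILLER, REQUESTED, BINDINGS, [CLUSTER_ADMIN]))  # role present
```

With the role missing, the model reports the same uncovered permission as the error message (get on secrets); once the cluster-admin ClusterRole exists, the binding resolves to wildcard rules and the create is allowed.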

Top GitHub Comments

13 reactions
matt-everett commented, Sep 20, 2018

I have managed to enable RBAC with the following commands: -

sed -i -e '$a\' /var/snap/microk8s/current/args/kube-apiserver
echo '--authorization-mode=RBAC' >> /var/snap/microk8s/current/args/kube-apiserver
systemctl restart snap.microk8s.daemon-apiserver
kubectl apply -f rbac.yaml

Where rbac.yaml is: -

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: microk8s-rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system

Thought I’d post it here in case it’s useful.

Also, worth saying that if there was an option in microk8s for RBAC, I’d use it.

4 reactions
ktsakalozos commented, Aug 6, 2018

We haven’t enabled RBAC in microk8s. For sure this is something we should look into in the future.

Thank you for reporting this @gonfva
