Creating a ClusterRole as the default compute service account fails with extra privileges error

Submitted by 三世轮回 on 2019-12-07 12:08:49

Question


I'm trying to create a new ClusterRole in a private cluster which I'm administering from a jumpbox, but I keep hitting the "forbidden: attempt to grant extra privileges" error.

I am authenticated with gcloud as the default compute service account and this has the Kubernetes Engine Admin role.

I have created a cluster role binding for the gcloud service account using

kubectl create clusterrolebinding sa-admin-binding --clusterrole=cluster-admin --user=xxxxxxxx-service-account@xxxx.developer.gserviceaccount.com

When I try to create the cluster role, however, I get the following error.

Error from server (Forbidden): error when creating "role.yml": clusterroles.rbac.authorization.k8s.io "pod-viewer" is forbidden: attempt to grant extra privileges: [{[list] [] [pods] [] []}] user=&{115268482330004182284 [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpkbsn........

What I don't understand is why the error comes back with a 'numbered' user account as opposed to the service account I'm authenticated with.

I can add the ClusterRoleBinding to cluster-admin using my own Gmail account, authenticate with my own account and then create the new role without a problem, but adding the ClusterRoleBinding for a service account and authenticating as that service account doesn't seem to grant the permission to create the role.

Interestingly, I can add the ClusterRoleBinding using the numbered account from the error above, and that also works, but it doesn't help me script the setup as I don't know that number in advance, nor where it's coming from.


Answer 1:


Well... I later found that the numbered account was actually the 'uniqueId' of the service account in gcloud's IAM console. Not sure why it uses that for service accounts but the email address for user accounts, but here's what I'm now using:

CLUSTER_ADMIN_ID=$(gcloud iam service-accounts describe <my-service-account>@<my-project>.iam.gserviceaccount.com --format="value(uniqueId)")

followed by

kubectl create clusterrolebinding <mybinding>-cluster-admin --clusterrole=cluster-admin --user=$CLUSTER_ADMIN_ID

and this allows the service account to now administer the cluster.



来源:https://stackoverflow.com/questions/54770198/creating-a-clusterrole-as-the-default-compute-service-account-fails-with-extra-p
