Error from server (Forbidden): error when creating .. : clusterroles.rbac.authorization.k8s.io …: attempt to grant extra privileges:

小鲜肉 2021-02-04 02:14

Failed to create clusterroles. <> already assigned as the roles of "container engine admin" & "container engine cluster admin"

Error from server (Forb         


        
2 answers
  • 2021-02-04 02:36

    I've got the same problem on Google Kubernetes Engine.

    According to the answer of enj and the comment of ccyang2005, please find the following snippet which solved my problem :)

    Step 1 : Get your identity

    gcloud info | grep Account
    

    This will output something like Account: [myname@example.org]

    Step 2 : grant cluster-admin to your current identity

    kubectl create clusterrolebinding myname-cluster-admin-binding \
      --clusterrole=cluster-admin \
      --user=myname@example.org
    

    This will output something like Clusterrolebinding "myname-cluster-admin-binding" created


    After that, you'll be able to create ClusterRoles

  • 2021-02-04 02:45

    Based on https://cloud.google.com/container-engine/docs/role-based-access-control#setting_up_role-based_access_control

    Because of the way Container Engine checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create.

    An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions.

    This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.

    So you need to bind your account to a cluster admin role.

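A simplified model of the permission check both answers describe, added here as an example (it is not code from the answers or from Kubernetes): a Role or ClusterRole can be created only if every permission in it is already covered by a rule the caller holds, which is why binding `cluster-admin` clears the "attempt to grant extra privileges" error. The rule sets are constructed sample data, the function names are hypothetical, and `resourceNames` and `nonResourceURLs` are ignored.

```python
from itertools import product

def _matches(allowed, value):
    # "*" in a held rule matches any value, including a requested "*".
    return "*" in allowed or value in allowed

def uncovered(held_rules, requested_rules):
    """Return the (apiGroup, resource, verb) tuples that no held rule covers."""
    missing = []
    for rule in requested_rules:
        for group, resource, verb in product(
                rule["apiGroups"], rule["resources"], rule["verbs"]):
            if not any(_matches(h["apiGroups"], group)
                       and _matches(h["resources"], resource)
                       and _matches(h["verbs"], verb)
                       for h in held_rules):
                missing.append((group, resource, verb))
    return missing

def can_create_role(held_rules, requested_rules):
    # Creation is allowed only when every requested permission is already held.
    return not uncovered(held_rules, requested_rules)

# Constructed sample data (not from the page).
HELD_BEFORE = [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]
# The resource rule carried by the built-in cluster-admin ClusterRole.
CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
REQUESTED = [{"apiGroups": [""], "resources": ["pods", "secrets"],
              "verbs": ["get", "list", "watch"]}]

if __name__ == "__main__":
    print("before binding:", can_create_role(HELD_BEFORE, REQUESTED))
    for item in uncovered(HELD_BEFORE, REQUESTED):
        print("  extra privilege:", item)
    print("after binding: ",
          can_create_role(HELD_BEFORE + CLUSTER_ADMIN, REQUESTED))
```

In this model, the tuples returned by `uncovered` are exactly the permissions the caller would have to hold before the role could be created.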