The Issue
I stood up my first ever GKE cluster! Woo, go me!
However, when I was trying to set up Tanzu Service Mesh, I hit issues such as:
Error from server (Forbidden): error when creating "operator-deployment.yaml": roles.rbac.authorization.k8s.io is forbidden: User "[email protected]" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "vmware-system-tsm": requires one of ["container.roles.create"] permission(s).
The Cause
This happens because the account you first log in to the cluster with has no cluster-level permissions by default; the cluster's RBAC setup does not grant them, so creating Roles in the vmware-system-tsm namespace is refused.
The Fix
You need to create new cluster-level roles and bind your account to them, or bind it to one of the existing ones. Note that cluster-admin grants unrestricted access to every resource in the cluster, so outside a demo a narrower role scoped to what the install actually needs is the better choice.
As this is a demo environment, I just bound my account to the out-of-the-box cluster-admin ClusterRole (that is a mouthful!).
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=[gcp user email]

# Example
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=[email protected]
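As an added example (not from the original post), here is the narrower alternative the text mentions: a Role scoped to the vmware-system-tsm namespace that grants just the permission named in the quoted error, plus a RoleBinding that attaches it to your Google account. The role and binding names and the user email are placeholders of my choosing. The manifest has to be applied by an identity that can already create Roles and RoleBindings in that namespace (on GKE a project Owner, or an account already bound to cluster-admin), and the Tanzu Service Mesh install will most likely need further rules beyond this first error.

```yaml
# Added example, not from the original post: least-privilege alternative to
# binding cluster-admin. It grants only what the quoted "Forbidden" error asked
# for: managing Roles (and RoleBindings) inside the vmware-system-tsm namespace.
# Names and the user email are placeholders; extend the rules list as the
# operator install reports further Forbidden errors.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tsm-rbac-manager            # placeholder name
  namespace: vmware-system-tsm      # namespace from the quoted error
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["create", "get", "list", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tsm-rbac-manager-binding    # placeholder name
  namespace: vmware-system-tsm
subjects:
  - kind: User
    name: user@example.com          # placeholder: your GCP account email
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tsm-rbac-manager
  apiGroup: rbac.authorization.k8s.io
```

Save it as a file, make sure the namespace exists first (kubectl create namespace vmware-system-tsm), apply it with kubectl apply -f, then confirm the grant with kubectl auth can-i create roles --namespace vmware-system-tsm before retrying the operator deployment. Because the binding is namespaced, a mistake in the rules stays contained to vmware-system-tsm rather than the whole cluster.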
If you need to double-check which Google account you are using, you can run:
gcloud info | grep Account
Regards