IAM Archives - vEducate.co.uk

The Issue

I stood up my first ever GKE cluster! Woo, go me!

However when I was trying to setup Tanzu Service Mesh, I hit issues such as:

Error from server (Forbidden): error when creating "operator-deployment.yaml": roles.rbac.authorization.k8s.io is forbidden: User "[email protected]" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "vmware-system-tsm": requires one of ["container.roles.create"] permission(s).

The Cause

This is because your initial Kubernetes login has no cluster level permissions, due to the RBAC setup.

The Fix

You need to create some new Cluster Level roles and bind to them with your account, or use the existing ones.

As this is a demo environment. I just bound my account to the out-of-the-box cluster-admin ClusterLevelRole (that is a mouthful!).

kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=[gcp user email]

# Example
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
[email protected]

If you need to double check with google account you are using, you can run:

gcloud info | grep Account

Regards

Follow @Saintdle

Dean Lewis

https://console.cloud.google.com/invitation?project=[your-project-id]&account=[the-account-email-invited]&memberEmail=[the-account-email-invited] Example https://console.cloud.google.com/invitation?project=veducate-demo&[email protected]&[email protected]

vEducate.co.uk

Fixing issues and blogging

Tag Archives: IAM

GKE – User cannot create resource – requires one of [“container.roles.create”] permission(s)

The Issue

The Cause

The Fix

Google Cloud – Invitation email not received – Project IAM role pending

The Issue

The Cause

The Fix