ingress-nginx: Failed when running rbac.yaml by permission denied.

Recently I upgraded my k8s to version 1.8 and enabled RBAC (in parallel with ABAC) and encountered difficulty when deploying ingress-nginx. This is the error information:

# kubectl create -f rbac.yaml

serviceaccount "nginx-ingress-serviceaccount" created
rolebinding "nginx-ingress-role-nisa-binding" created
clusterrolebinding "nginx-ingress-clusterrole-nisa-binding" created
Error from server (Forbidden): error when creating "rbac.yaml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["patch"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] user=&{admin 0 [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "rbac.yaml": roles.rbac.authorization.k8s.io "nginx-ingress-role" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["ingress-controller-leader-nginx"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["ingress-controller-leader-nginx"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]}] user=&{admin 0 [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

Not sure how to fix it?
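The error above is the RBAC escalation check: the API server refuses to create a Role or ClusterRole containing rules the creating user does not already hold through RBAC (the ownerrules list shows what the user actually holds, here only the discovery endpoints). Below is an added example, not code from the ingress-nginx project, that parses such an error message offline, works out which requested rules are not covered using RBAC's wildcard matching, and prints the kubectl auth can-i commands that confirm each gap against a live cluster. The SAMPLE_ERROR string is a constructed, shortened copy of this issue's output; the Rule class and all function names are assumptions of the example.

```python
"""Diagnose an RBAC "attempt to grant extra privileges" error offline.

Added example, not ingress-nginx project code. Parses the PolicyRule{...}
lists kube-apiserver prints (the Kubernetes 1.8-era format in this issue),
finds which requested rules the creating user does not hold under RBAC
(the ownerrules list), and prints matching 'kubectl auth can-i' commands.
Only RBAC-resolved rules appear in ownerrules; permissions granted by an
ABAC policy for the same user are not consulted by this check.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:  # assumed structure mirroring the fields printed by the API server
    verbs: tuple
    api_groups: tuple
    resources: tuple
    resource_names: tuple
    non_resource_urls: tuple


def _strings(field_body):
    # Items print as "x"; curly quotes appear when output was pasted from a browser.
    return tuple(re.findall(r'[“”"]([^“”"]*)[“”"]', field_body))


def parse_rules(text):
    """Turn a 'PolicyRule{...} PolicyRule{...}' list into Rule objects."""
    rules = []
    for body in re.findall(r'PolicyRule\{(.*?)\}', text, re.S):
        fields = {k: _strings(v) for k, v in re.findall(r'(\w+):\[(.*?)\]', body, re.S)}
        rules.append(Rule(fields.get('Verbs', ()), fields.get('APIGroups', ()),
                          fields.get('Resources', ()), fields.get('ResourceNames', ()),
                          fields.get('NonResourceURLs', ())))
    return rules


def parse_error(message):
    """Return (requested_rules, owner_rules) from one Forbidden error message."""
    requested = re.search(r'extra privileges: \[(.*?)\] user=', message, re.S)
    owner = re.search(r'ownerrules=\[(.*?)\] ruleResolutionErrors', message, re.S)
    if not requested or not owner:
        raise ValueError('not an "attempt to grant extra privileges" error')
    return parse_rules(requested.group(1)), parse_rules(owner.group(1))


def _matches(owner_items, item):
    # "*" covers everything; "*/sub" covers that subresource on any resource.
    return any(o == '*' or o == item or (o.startswith('*/') and item.endswith(o[1:]))
               for o in owner_items)


def _url_matches(owner_urls, url):
    # Non-resource URLs allow a trailing "*" as a prefix wildcard.
    return any(o == '*' or o == url or (o.endswith('*') and url.startswith(o[:-1]))
               for o in owner_urls)


def _names_ok(owner, rule):
    # An owner rule limited to named objects only covers a request limited to a subset.
    return (not owner.resource_names
            or (bool(rule.resource_names)
                and set(rule.resource_names) <= set(owner.resource_names)))


def _covered(rule, owner_rules):
    if rule.non_resource_urls:
        return all(any(_matches(o.verbs, v) and _url_matches(o.non_resource_urls, u)
                       for o in owner_rules)
                   for v in rule.verbs for u in rule.non_resource_urls)
    return all(any(_matches(o.verbs, v) and _matches(o.api_groups, g)
                   and _matches(o.resources, r) and _names_ok(o, rule)
                   for o in owner_rules)
               for v in rule.verbs for g in rule.api_groups for r in rule.resources)


def uncovered_rules(requested, owner_rules):
    """Rules the user would grant without holding them: the escalation the API refuses."""
    return [r for r in requested if not _covered(r, owner_rules)]


def can_i_commands(rules, all_namespaces=True):
    """One 'kubectl auth can-i' per (verb, group, resource) so each gap can be confirmed."""
    cmds = []
    for r in rules:
        for v in r.verbs:
            for g in r.api_groups:
                for res in r.resources:
                    name, _, sub = res.partition('/')
                    target = name if g == '' else f'{name}.{g}'
                    cmd = f'kubectl auth can-i {v} {target}'
                    cmd += f' --subresource={sub}' if sub else ''
                    cmd += ' --all-namespaces' if all_namespaces else ''
                    cmds.append(cmd)
    return cmds


# What cluster-admin holds: "*" on every resource and on every non-resource URL.
CLUSTER_ADMIN = [Rule(('*',), ('*',), ('*',), (), ()), Rule(('*',), (), (), (), ('*',))]

# Constructed sample: two of the twenty rules from this issue's error, with the
# same ownerrules the API server reported for user "admin".
SAMPLE_ERROR = (
    'Error from server (Forbidden): error when creating "rbac.yaml": '
    'clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: '
    'attempt to grant extra privileges: ['
    'PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} '
    'PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] '
    'user=&{admin 0 [system:authenticated] map[]} ownerrules=['
    'PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} '
    'PolicyRule{NonResourceURLs:["/api" "/api/*" "/healthz"], Verbs:["get"]}] ruleResolutionErrors=[]'
)


def diagnose(message):
    """Return (uncovered rules, kubectl commands) for one error message."""
    requested, owner = parse_error(message)
    missing = uncovered_rules(requested, owner)
    return missing, can_i_commands(missing)


if __name__ == '__main__':
    missing, cmds = diagnose(SAMPLE_ERROR)
    print(f'{len(missing)} requested rule(s) are not held by the creating user:')
    for cmd in cmds:
        print('  ' + cmd)
    # Once cluster-admin is bound to that user, nothing is left uncovered.
    print('uncovered with cluster-admin:', uncovered_rules(missing, CLUSTER_ADMIN))
```

Paste the full error text from kubectl into parse_error to get the complete list; the printed can-i commands are the cluster-side confirmation of what the offline check reports. The CLUSTER_ADMIN rules show why binding cluster-admin to the creating user clears the error, and the cover logic also makes clear that a narrower ClusterRole holding exactly the ingress controller's rules would suffice for creating that one manifest.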

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 3
  • Comments: 18 (4 by maintainers)

Most upvoted comments

If you’re having this problem on GKE also try:

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)

Per: https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control

This should initialize your user as a cluster admin under RBAC.

@aledbf ah, I got it, I had to give myself cluster admin permissions first.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admins
subjects:
- kind: User
  name: piperj
  # User and Group subjects belong to the RBAC API group; the v1 API
  # defaults this when it is omitted.
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  # Defaulted to rbac.authorization.k8s.io when left empty; stated explicitly here.
  apiGroup: rbac.authorization.k8s.io

Hello Folks,

I am facing the same Forbidden error, even after executing kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account). I have already created the cluster_role_binding and/or role_binding, and now when I go to create the role and/or cluster_role for the same, it gives me the same error. Can anyone help with this issue?

I almost put everything I know into ABAC:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "configmaps": "*", "pods": "*", "namespaces": "*", "endpoints": "*" }}

And I’m having the config to allow me login as admin.

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/certs/ca.crt
    server: https://eval.cloud.local
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    user: Administrator
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users:
- name: Administrator
  user:
    as-user-extra: {}
    password: "xxxxxxxxxxxxx"
    username: admin

Facing the same issue when trying to set up openfaas on GKE (1.8+ version)

Error from server (Forbidden): error when creating "yaml/rbac.yml": roles.rbac.authorization.k8s.io "faas-controller" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["create"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["delete"]} PolicyRule{Resources:["deployments"], APIGroups:["extensions"], Verbs:["update"]}] user=&{Mahesh.Veerabathiran@gmail.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

I ran the commands suggested to fix the issue but they did not solve the problem:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account)

kubectl create clusterrolebinding "cluster-admin-$(whoami)" --clusterrole=cluster-admin --user="$(gcloud config get-value core/account)"

Your help is much appreciated!

If anyone else is seeing something like this on GKE:

Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-clusterrole" is forbidden: attempt to grant extra privileges: [{[list] [] [configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] [] [endpoints] [] []} {[watch] [] [endpoints] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []} {[list] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[get] [] [nodes] [] []} {[get] [] [services] [] []} {[list] [] [services] [] []} {[watch] [] [services] [] []} {[get] [extensions] [ingresses] [] []} {[list] [extensions] [ingresses] [] []} {[watch] [extensions] [ingresses] [] []} {[create] [] [events] [] []} {[patch] [] [events] [] []} {[update] [extensions] [ingresses/status] [] []}] user=&{SOMETHING@YOURPROJECTNAME.iam.gserviceaccount.com [system:authenticated] map[user-assertion.cloud.google.com:xxxxxxxx]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]

See the email with caps? If you run this:

kubectl create clusterrolebinding cluster-admin-SOMETHING --clusterrole=cluster-admin --user=SOMETHING@YOURPROJECT.iam.gserviceaccount.com

and it’ll let you apply the mandatory.yaml.