Comments (13)
colemickens
commented on August 20, 2024
2
@marcwuk https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#prerequisites_for_using_role-based_access_control
from contour.
erasmus74
commented on August 20, 2024
Further reading seems I run into this issue.
https://honeycomb.io/docs/connect/kubernetes/gke/
It would also seem this is going to be the norm soon, and users will need to bind to roles that allow the required priv escalation. https://kubernetes.io/docs/admin/authorization/rbac/#privilege-escalation-prevention-and-bootstrapping
Still unsure how to make this work "out-of-box" yet.
from contour.
davecheney
commented on August 20, 2024
Hi @erasmus74
The root of the problem is GKE does not enabled RBAC if you choose the Legacy Authentication option -- which is the default when you create a GKE cluster.
The solution is to use the non GKE example
kubectl apply -f http://j.hept.io/contour-deployment-norbac
I'm going to close this, but please reopen it if you need further assistance.
Thanks
Dave
from contour.
erasmus74
commented on August 20, 2024
I did enable RBAC.
…On Wed, Nov 8, 2017 at 6:43 PM, Dave Cheney ***@***.***> wrote:
Hi @erasmus74 <https://github.com/erasmus74>
The root of the problem is GKE does not enabled RBAC if you choose the Legacy
Authentication option -- which is the default when you create a GKE
cluster.
The solution is to use the non GKE example
<https://github.com/heptio/contour#add-contour-to-your-cluster>
kubectl apply -f http://j.hept.io/contour-deployment-norbac
I'm going to close this, but please reopen it if you need further
assistance.
Thanks
Dave
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#36 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AHd0fjUnL_jnBgVGVymstXaiRurRqb0aks5s0jyhgaJpZM4QU7oU>
.
--
Regards,
Edward S
from contour.
davecheney
commented on August 20, 2024
Thanks for your reply. Looking at the response you posted that matches the error I see when I try to deploy the rbac example to a non rbac enbabled cluster.
If you use the non rbac version
kubectl apply -f http://j.hept.io/contour-deployment-norbac
You'll be fine.
from contour.
colemickens
commented on August 20, 2024
I'm seeing the same behavior with a GKE cluster running 1.9.2-gke.0. RBAC is enabled.
+ kubectl apply -f https://j.hept.io/contour-deployment-rbac
namespace "heptio-contour" created
serviceaccount "contour" created
deployment "contour" created
clusterrolebinding "contour" created
service "contour" created
Error from server (Forbidden): error when creating "https://j.hept.io/contour-deployment-rbac": clusterroles.rbac.authorization.k8s.io "contour" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]}] user=&{[email protected] [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Also, I was able to install cert-manager with rbac enabled.
I have installed helm as follows:
kubectl create serviceaccount -n kube-system tiller
kubectl create clusterrolebinding tiller-binding --clusterrole=cluster-admin --serviceaccount kube-system:tiller
helm init --service-account tiller
from contour.
colemickens
commented on August 20, 2024
I've found my mistake. Contour isn't using helm. The default RBAC for users in GKE is insufficiently privileged to deploy this. I've resolved this by creating a role binding to 'cluster-admin' for my user.
from contour.
davecheney
commented on August 20, 2024
Yeah, there is a magic incantation you need to do to allow the gke admin user to create cluster roles.
I kinda see this as a gke problem, but I’d be happy to be convinced otherwise, especially if this is something we can fix in our deployment yaml.
… On 7 Feb 2018, at 15:33, Cole Mickens ***@***.***> wrote:
I've found my mistake. Contour isn't using helm. The default RBAC for users in GKE is insufficiently privileged to deploy this. I've resolved this by creating a role binding to 'cluster-admin' for my user.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub, or mute the thread.
from contour.
marcwuk
commented on August 20, 2024
What is the magic incantation for GKE. Can we add this to the install guide.
from contour.
nicovogelaar
commented on August 20, 2024
I had the same problem on GKE 1.8.8 with RBAC enabled. This helped me: kubernetes-sigs/external-dns#514
from contour.
davecheney
commented on August 20, 2024
I’d be glad of a PR they links to this obscure part of the GCE documentation. I hold GCE entirely responsible for this UX paper cut, but until thy fix it (I’ve no idea if the can or will) then we should at least make it possible for people to find the answer they need.
… On 21 Apr 2018, at 20:44, Nico Vogelaar ***@***.***> wrote:
I had the same problem on GKE 1.8.8 with RBAC enabled. This helped me: kubernetes-sigs/external-dns#514
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub, or mute the thread.
from contour.
djensen47
commented on August 20, 2024
What's the downside of not using RBAC?
from contour.
davecheney
commented on August 20, 2024
The downside of not using RBAC is anyone who has credentials to use your
cluster has admin on your cluster. That may be ok if its just a cluster for
experimentation, but as a company, Heptio have decided that we won't
support or recommend non RBAC deployments.
…On 3 May 2018 at 00:51, Dave Jensen ***@***.***> wrote:
What's the downside of not using RBAC?
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#36 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAAcA8j3rgLliWViKSmpftuNcmA7xBS3ks5tujh2gaJpZM4QU7oU>
.
from contour.
Related Issues (20)
- Annotate envoy fleet HOT 2
- Contour gateway api provisionner revert annotations HOT 3
- Periodically having `connection failure` HOT 4
- Bug: Remove unnecessary permissions in Helm Charts HOT 2
- Add a separate label for envoy or contour HOT 1
- Add support for HTTP based external auth server HOT 5
- do we have cookie based routing for httpproxy? HOT 4
- Cost saving: Feature request to enable switch to toggle Envoy compression filter HOT 3
- Allow External Auth when Fallback Certificate is used HOT 1
- JWKS Async Fetch HOT 1
- `responseTimeout` not applied for external auth extension service HOT 1
- Support Circuit breakers for extension services
- Add missing headers without overwriting in the `requestHeaderPolicy`
- HTTPRoute conflicts when specifying a fallback https listener HOT 1
- Status.LoadBalancer is empty when using service port other than 80 HOT 2
- Service AppProtocol should allow IANA standard service names like "http", "https" HOT 3
- Gateway-API: InvalidCertificateRef error if certificateRefs.group is set to "core" HOT 3
- Support for adaptive concurrency HOT 1
- PathRewitePolicy behaving weird with condition prefix and header match HOT 1
- Clarification on idle and idleConnection HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from contour.