服務器錯誤（禁止）：創建..時出錯：：clusterroles.rbac.authorization.k8s.io ...：嘗試授予額外權限：

Question

未能創建羣集。 <>已經被指定爲「容器引擎管理」 &「容器引擎集羣管理」

Error from server (Forbidden): error when creating "prometheus-operator/prometheus-operator-cluster-role.yaml": clusterroles.rbac.authorization.k8s.io "prometheus-operator" is forbidden: attempt to grant extra privileges: [{[create] [extensions] [thirdpartyresources] [] []} {[*] [monitoring.coreos.com] [alertmanagers] [] []} {[*] [monitoring.coreos.com] [prometheuses] [] []} {[*] [monitoring.coreos.com] [servicemonitors] [] []} {[*] [apps] [statefulsets] [] []} {[*] [] [configmaps] [] []} {[*] [] [secrets] [] []} {[list] [] [pods] [] []} {[delete] [] [pods] [] []} {[get] [] [services] [] []} {[create] [] [services] [] []} {[update] [] [services] [] []} {[get] [] [endpoints] [] []} {[create] [] [endpoints] [] []} {[update] [] [endpoints] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []}] user=&{<<my_account>>@gmail.com [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version]}] ruleResolutionErrors=[]

Answer 1

的基於https://cloud.google.com/container-engine/docs/role-based-access-control#setting_up_role-based_access_control

，因爲路集裝箱引擎的角色，當你創建一個檢查權限角色或者ClusterRole，你必須首先創建一個RoleBinding，授予你想要創建的角色中包含的所有權限。

一個示例解決方法是在嘗試創建其他角色或ClusterRolepermissions之前創建一個RoleBinding，該角色綁定爲您的Google身份提供羣集管理角色。

這是Kubernetes和Container Engine 1.6版中基於角色的訪問控制Beta版中的已知問題。

因此，您需要將您的帳戶綁定到羣集管理員角色。

Answer 2

我在Google Kubernetes引擎上遇到了同樣的問題。

根據ENJ的答案和ccyang2005請查找以下snipet誰解決我的問題:)

步驟1的評論：得到您的認同

gcloud info | grep Account 

將輸出你類似Account: [myname@example.org]

第2步：將cluster-admin授予您目前的身份

像 Clusterrolebinding "myname-cluster-admin-binding" created

---

之後

kubectl create clusterrolebinding myname-cluster-admin-binding \ 
    --clusterrole=cluster-admin \ 
    --user=myname@example.org 

將輸出的財產以後，你就可以創建CusterRoles