GKE Issues

RBAC on Google Container Engine (GKE)

When you try to create ClusterRole (casskop, etc.) on GKE Kubernetes cluster, you will probably run into permission errors:

<....>
failed to initialize cluster resources: roles.rbac.authorization.k8s.io
"casskop" is forbidden: attempt to grant extra privileges:
<....>

This is due to the way Container Engine checks permissions. From Google Container Engine docs:

note

Because of the way Container Engine checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create. An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions. This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.

To overcome this, you must grant your current Google identity cluster-admin Role:

# get current google identity
$ gcloud info | grep Account
Account: [myname@example.org]

# grant cluster-admin to your current identity
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org
Clusterrolebinding "myname-cluster-admin-binding" created

Pod and volumes can be scheduled in different zones using default provisioned

The default provisioner in GKE does not have the volumeBindingMode: "WaitForFirstConsumer" option that can result in a bad scheduling behaviour. We use one of the following files to create a storage class:

config/samples/gke-storage-standard-wait.yaml
config/samples/gke-storage-ssd-wait.yaml (if you have ssd disks)

RBAC on Google Container Engine (GKE)​

Pod and volumes can be scheduled in different zones using default provisioned​

RBAC on Google Container Engine (GKE)

Pod and volumes can be scheduled in different zones using default provisioned