GKE Issues
RBAC on Google Container Engine (GKE)
When you try to create ClusterRole
(casskop
, etc.) on GKE Kubernetes cluster, you will probably run into permission errors:
<....>
failed to initialize cluster resources: roles.rbac.authorization.k8s.io
"casskop" is forbidden: attempt to grant extra privileges:
<....>
This is due to the way Container Engine checks permissions. From Google Container Engine docs:
Because of the way Container Engine checks permissions when you create a Role or ClusterRole, you must first create a RoleBinding that grants you all of the permissions included in the role you want to create. An example workaround is to create a RoleBinding that gives your Google identity a cluster-admin role before attempting to create additional Role or ClusterRole permissions. This is a known issue in the Beta release of Role-Based Access Control in Kubernetes and Container Engine version 1.6.
To overcome this, you must grant your current Google identity cluster-admin
Role:
# get current google identity
$ gcloud info | grep Account
Account: [myname@example.org]
# grant cluster-admin to your current identity
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org
Clusterrolebinding "myname-cluster-admin-binding" created
Pod and volumes can be scheduled in different zones using default provisioned
The default provisioner in GKE does not have the volumeBindingMode: "WaitForFirstConsumer"
option that can result in
a bad
scheduling behaviour.
We use one of the following files to create a storage class:
- config/samples/gke-storage-standard-wait.yaml
- config/samples/gke-storage-ssd-wait.yaml (if you have ssd disks)