This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Can't deploy Flux standalone to GKE on Kubernetes 1.6.2 #556

Closed
mongrelion opened this issue May 3, 2017 · 7 comments
Labels
FAQ Issues that come up a lot

Comments

@mongrelion

I'm trying to deploy Flux standalone to my Kubernetes cluster running in Google Cloud (with GKE) and during the deployment it gives me the following error:

    serviceaccount "weave-flux" created
    deployment "weave-flux-agent" created
    clusterrolebinding "weave-flux" created
    Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io "weave-flux" is forbidden: attempt to grant extra privileges: [{[*] [*] [*] [] []} {[*] [] [] [] [*]}] user=&{[email protected]  [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version]}] ruleResolutionErrors=[]

I replaced my corporate email in the output with [email protected] for privacy/security reasons.

Steps to reproduce

  1. Create a Kubernetes cluster in Google Container Engine. Make sure that the Kubernetes version is 1.6.2. I did it with this Terraform script:

    resource "google_container_cluster" "gke" {
      name               = "my-gke"
      zone               = "europe-west1-b"
      initial_node_count = 1
      node_version       = "1.6.2"
    
      additional_zones = []
    
      master_auth {
        username = "foo"
        password = "var"
      }
    
      node_config {
        oauth_scopes = [
          "https://www.googleapis.com/auth/compute",
          "https://www.googleapis.com/auth/devstorage.read_only",
          "https://www.googleapis.com/auth/logging.write",
          "https://www.googleapis.com/auth/monitoring",
        ]
      }
    }
    
  2. Do the gcloud step to get a hold of the kubectl configuration and then:

    $ kubectl apply -n kube-system -f "https://cloud.weave.works/k8s/v1.6/flux"
    

You should see the same output stated above.

@squaremo
Member

squaremo commented May 8, 2017

Thanks Carlos. Clearly the GKE environment is more locked down than your average Kubernetes cluster! We'll have to figure out what permissions we are allowed to grant. Do you know GKE well?

@mongrelion
Author

@squaremo unfortunately I do not have that much experience with GKE, sorry. Is there anything else I can help you with to debug this issue?

@squaremo
Member

squaremo commented May 8, 2017

The note under here https://cloud.google.com/container-engine/docs/role-based-access-control#defining_permissions_in_a_role suggests that you need to assign your own account a role with the permissions you wish to grant. If you have not already, it may be worth trying that.

@mongrelion
Author

@squaremo got it!
I just double checked and I'm the owner of the project. I also created a new Service Account in Google Cloud to ensure that it also has the right role (I also made the key an owner of the project).
Same story.

@squaremo
Member

> I just double checked and I'm the owner of the project. I also created a new Service Account in Google Cloud to ensure that it also has the right role (I also made the key an owner of the project).
> Same story.

The note in the GKE docs suggests that you need to give your account a cluster-admin role, and I am not clear from your description that's what you did. In particular, the docs imply it's something done through kubectl, rather than through the GKE user interface. (Admittedly I am not familiar with the latter)

@samb1729
Contributor

@mongrelion by default your user won't be assigned the cluster-admin role. You can assign the role by running:

    kubectl create clusterrolebinding john-cluster-admin --clusterrole=cluster-admin --user=[email protected]

@marccarre
Contributor

In case someone lands on this issue before reaching Flux's documentation, the gcloud/kubectl one-liner is:

    kubectl create clusterrolebinding "cluster-admin-$(whoami)" \
      --clusterrole=cluster-admin \
      --user="$(gcloud config get-value core/account)"

@squaremo squaremo added the FAQ Issues that come up a lot label Nov 21, 2018
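
Added example, not part of the original thread and not Flux or Kubernetes code: a simplified Python model of the RBAC escalation check behind the "attempt to grant extra privileges" error, showing why the cluster-admin binding resolves it. The `Rule` class and function names are hypothetical; each rule tuple in the error is read as verbs, API groups, resources, resource names, non-resource URLs, and resource names are ignored here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One RBAC policy rule; resourceNames is left out of this simplified model."""
    verbs: tuple = ()
    api_groups: tuple = ()
    resources: tuple = ()
    non_resource_urls: tuple = ()

def _covers(held, wanted):
    """True if every wanted item is held literally or via the '*' wildcard."""
    return "*" in held or all(w in held for w in wanted)

def _url_covers(held, wanted):
    """Non-resource URLs: '*' matches anything, a trailing '*' is a prefix match."""
    return all(any(h == w or (h.endswith("*") and w.startswith(h[:-1])) for h in held)
               for w in wanted)

def rule_covers(owner, req):
    """True if a single rule the caller holds grants everything in the requested rule."""
    if not _covers(owner.verbs, req.verbs):
        return False
    if req.non_resource_urls:
        return _url_covers(owner.non_resource_urls, req.non_resource_urls)
    return (_covers(owner.api_groups, req.api_groups)
            and _covers(owner.resources, req.resources))

def extra_privileges(owner_rules, requested):
    """Requested rules that no rule held by the caller covers (what gets refused)."""
    return [r for r in requested if not any(rule_covers(o, r) for o in owner_rules)]

# Rules transcribed from the error message in the issue.
FLUX_ROLE = [Rule(("*",), ("*",), ("*",)), Rule(verbs=("*",), non_resource_urls=("*",))]
GKE_DEFAULT_USER = [
    Rule(("create",), ("authorization.k8s.io",), ("selfsubjectaccessreviews",)),
    Rule(verbs=("get",), non_resource_urls=("/api", "/api/*", "/apis", "/apis/*",
         "/healthz", "/swaggerapi", "/swaggerapi/*", "/version")),
]
# Rules of the built-in cluster-admin ClusterRole, gained through the binding.
CLUSTER_ADMIN = [Rule(("*",), ("*",), ("*",)), Rule(verbs=("*",), non_resource_urls=("*",))]

if __name__ == "__main__":
    print("before binding:", extra_privileges(GKE_DEFAULT_USER, FLUX_ROLE))
    print("after binding: ", extra_privileges(GKE_DEFAULT_USER + CLUSTER_ADMIN, FLUX_ROLE))
```

Being an owner of the Google Cloud project does not change the first result, because the check compares the rules the caller holds inside the cluster's RBAC with the rules in the role being created.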