Open aroekene opened 5 years ago
Hey, it looks the permissions you have as user are not enough to apply the manifest as it is.
clusterroles.rbac.authorization.k8s.io "prometheus" is forbidden: attempt to grant extra privileges
You would need something higher permissions as user, because promethus needs to scrape /metrics
from nodes
I'm having the same issue, although I don't understand this: You would need something higher permissions as user
. Would you mind elaborating?
I believe this actually has to do with the kubernetes version we were running on. It seems like after upgrading the issue with deploying disappeared. @josephtyler Which version are you running on?
We're currently on v1.13.2
This message
clusterroles.rbac.authorization.k8s.io "prometheus" is forbidden: attempt to grant extra privileges:
means your current user (the one you are using to submit the manifest with kubectl) has fewer privileges than the Prometheus needs. For security reasons you can not give an app more privileges than the ones, you have as an user.
When applying manifest it ends with this error:
Error from server (Forbidden): error when creating "manifests-all.yaml": clusterroles.rbac.authorization.k8s.io "prometheus" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes/proxy"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["nodes/proxy"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes/proxy"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{NonResourceURLs:["/metrics"], Verbs:["get"]}] user=&{server.domain.com [system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]
This is the outcome from applying before the error occurs:
Kubernetes v1.9.6