Closed chrissound closed 6 years ago
I've pulled the latest code from the examples and I'm not running into the following error:
E0517 10:12:43.647494 1 reflector.go:201] github.com/jetstack/kube-lego/pkg/kubelego/watch.go:191: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-lego:kube-lego" cannot list ingresses.extensions at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-lego" not found
Unknown user "system:serviceaccount:kube-lego:kube-lego"
It was due to the cluster role failing to be created:
Error from server (Forbidden): error when creating "lego/cluster-role.yaml": clusterroles.rbac.authorization.k8s.io "kube-lego" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["create"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["patch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["delete"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["update"]}] user=&{master@gcpwp-ayurved-subs-staging.iam.gserviceaccount.com [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
@chrissound I am having the same issue. How did you get it to create?
Follow the latest install instructions as they have changed.
So what's the solution here? Where are the latest install instructions?
Ok, if anyone is coming here from googling the error in the first post, I just manually set the RBAC resources as outlined in the example here:
https://github.com/jetstack/kube-lego/tree/master/examples/nginx
Similar issue posted here: https://github.com/jetstack/kube-lego/issues/290
I'm seeing the following event, and pod is not being started:
Even though it's all there:
Not sure if it's the due to the kube-lego/ prefix?