weaveworks / launcher

Weave Cloud Launcher
Apache License 2.0

GKE requires special IAM rights #190

Open marccarre opened 6 years ago

marccarre commented 6 years ago

Problem

Unless you have the Kubernetes Engine Admin (or at least more than Kubernetes Engine Developer) IAM role in GCP, installing the agent will fail with:

$ curl -Ls https://get.dev.weave.works | sh -s -- --token=... --gke
Downloading the Weave Cloud installer...  
Preparing for Weave Cloud setup
Checking kubectl & kubernetes versions
Connecting cluster to "marc-test" (id: dazzling-fog-16) on Weave Cloud
Installing Weave Cloud agents on gke_marcus-gke-test_us-central1-a_marc-test at https://23.236.57.225
Could not create clusterrolebinding. GKE role "Kubernetes Engine Admin" (containers.admin) required to create resources.
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "marc@weave.works" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope: Required "container.clusterRoleBindings.create" permission.
Full output:
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "marc@weave.works" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope: Required "container.clusterRoleBindings.create" permission.

Potential solutions

  1. Add something like the below to the instructions:

    • Go to console.cloud.google.com > "IAM & admin" > "IAM"
    • Select your username > "Roles" > "Kubernetes Engine" > "Kubernetes Engine Admin"
  2. Create a tighter integration with GCP/GKE to do this automatically for the end-user, see also:

marccarre commented 6 years ago

Potentially related to weaveworks/launcher/issues/189
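
Added example, not part of the issue thread or of the launcher's own code: a shell preflight for the failure reported above, which checks the permission before installing and turns the Forbidden message into a role-binding hint. It assumes `kubectl` already points at the target cluster; the function names and the `PROJECT_ID` placeholder are hypothetical, and `roles/container.admin` is the IAM role ID for Kubernetes Engine Admin.

```shell
#!/bin/sh
# Added example: preflight and diagnosis for the GKE clusterrolebinding failure.

# Sample input: the error line copied from the installer output in the issue.
SAMPLE_ERROR='Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "marc@weave.works" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope: Required "container.clusterRoleBindings.create" permission.'

# Print the IAM permission named in a Forbidden message (empty if none).
required_permission() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Required "\([A-Za-z.]*\)" permission.*/\1/p' | head -n 1
}

# Print the rejected user. Only e-mail-safe characters are accepted, so the
# value can be placed in a command line without carrying shell syntax.
denied_user() {
  printf '%s\n' "$1" \
    | sed -n 's/.*User "\([A-Za-z0-9._@+-]*\)" cannot.*/\1/p' | head -n 1
}

# Preflight: 0 if the current identity may create ClusterRoleBindings,
# 1 if not, 2 if kubectl is not installed.
can_create_crb() {
  command -v kubectl >/dev/null 2>&1 || return 2
  [ "$(kubectl auth can-i create clusterrolebindings 2>/dev/null)" = "yes" ]
}

# Print (never run) the binding command for the role the installer asks for.
# $1 = error text, $2 = GCP project id (placeholder if omitted).
remediation_hint() {
  perm=$(required_permission "$1")
  user=$(denied_user "$1")
  [ -n "$perm" ] && [ -n "$user" ] || return 1
  printf 'gcloud projects add-iam-policy-binding %s --member=user:%s --role=roles/container.admin\n' \
    "${2:-PROJECT_ID}" "$user"
}

# Demo on the sample line; prints the hint with the PROJECT_ID placeholder.
remediation_hint "$SAMPLE_ERROR"
```

Run `can_create_crb` before piping the installer into `sh`; the hint is printed rather than executed so that whoever administers the project's IAM can review the grant first.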