Charts: rabbitmq-ha fails with "attempt to grant extra privileges"

Created on 12 Feb 2018 · 6 Comments · Source: helm/charts

Is this a request for help?:

Yes

Is this a BUG REPORT or FEATURE REQUEST? (choose one):

BUG REPORT

Version of Helm and Kubernetes:

$ helm version
Client: &version.Version{SemVer:"v2.8.0", GitCommit:"14af25f1de6832228539259b821949d20069a222", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.8.0", GitCommit:"14af25f1de6832228539259b821949d20069a222", GitTreeState:"clean"}
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T10:09:24Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"7+", GitVersion:"v1.7.12-gke.0", GitCommit:"f4f0bedb82a57dc32b21b8f15fe01e0b8411356b", GitTreeState:"clean", BuildDate:"2018-01-05T03:35:43Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Which chart:
stable/rabbitmq-ha

What happened:

When I run helm install stable/rabbitmq-ha, I get the following error:

Error: release telling-lamb failed: roles.rbac.authorization.k8s.io "telling-lamb-rabbitmq-ha" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]}] user=&{system:serviceaccount:kube-system:default 3e676c1b-06b5-11e8-9b60-42010a8001ce [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

What you expected to happen:
Successful installation.

How to reproduce it (as minimally and precisely as possible):
Trying to install rabbitmq-ha on Google Kubernetes Engine.

Anything else we need to know:

All 6 comments

This is not a specific RabbitMQ installation issue, but it's related to GKE.

See this thread on Stack Overflow:

https://stackoverflow.com/questions/44349987/error-from-server-forbidden-error-when-creating-clusterroles-rbac-author

So what you need to do is create a rolebinding for your own account which grants enough privileges to install the chart.

Thanks @bggpoort, besides that, I had to run the following command:

kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default

@skhaz I would not advise giving cluster-admin rights to your default serviceaccount. This chart has options for role-based access control, so my suggestion is to use that instead.

So this issue is not fixed?

Running into this issue with minikube - without RBAC configured.

+1
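
The error in the report names the rule the installer tried to grant and the rules its account already holds. As an added example (not from the thread or the helm/charts project), this Python parser extracts both from the message and recomputes which permissions are missing, using a simplified coverage test (exact match or `*`, no resourceNames); the function names are assumptions made here.

```python
import re
from itertools import product

# Error text from the report above, abridged (group list and NonResourceURLs shortened).
ERROR = (
    'roles.rbac.authorization.k8s.io "telling-lamb-rabbitmq-ha" is forbidden: '
    'attempt to grant extra privileges: '
    '[PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]}] '
    'user=&{system:serviceaccount:kube-system:default 3e676c1b-06b5-11e8-9b60-42010a8001ce '
    '[system:serviceaccounts system:authenticated] map[]} '
    'ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], '
    'APIGroups:["authorization.k8s.io"], Verbs:["create"]} '
    'PolicyRule{NonResourceURLs:["/api" "/api/*" "/version"], Verbs:["get"]}] '
    'ruleResolutionErrors=[]'
)

def parse_rules(text):
    """Turn 'PolicyRule{Field:["a" "b"], ...}' fragments into dicts of lists."""
    rules = []
    for body in re.findall(r'PolicyRule\{(.*?)\}', text):
        fields = re.findall(r'(\w+):\[(.*?)\]', body)
        rules.append({name: re.findall(r'"([^"]*)"', vals) for name, vals in fields})
    return rules

def parse_error(msg):
    """Extract the requesting user, the rules it tried to grant, and the rules it holds."""
    m = re.search(r'attempt to grant extra privileges: \[(.*?)\] user=&\{(\S+)'
                  r'.*?ownerrules=\[(.*)\] ruleResolutionErrors', msg)
    if m is None:
        raise ValueError("not an RBAC escalation error")
    return {"user": m.group(2), "requested": parse_rules(m.group(1)),
            "held": parse_rules(m.group(3))}

def covered(held, group, resource, verb):
    """Simplified coverage test: exact match or '*' on each field (no resourceNames)."""
    def ok(rule, field, want):
        return "*" in rule.get(field, []) or want in rule.get(field, [])
    return any(ok(r, "APIGroups", group) and ok(r, "Resources", resource)
               and ok(r, "Verbs", verb) for r in held)

def missing_permissions(msg):
    """Return (user, [(apiGroup, resource, verb), ...]) that the user does not hold."""
    err = parse_error(msg)
    missing = [(g, res, v)
               for rule in err["requested"]
               for g, res, v in product(rule.get("APIGroups", []),
                                        rule.get("Resources", []), rule.get("Verbs", []))
               if not covered(err["held"], g, res, v)]
    return err["user"], missing

if __name__ == "__main__":
    print(missing_permissions(ERROR))
```

On the reported error this returns the kube-system default service account and one missing permission, `get` on `endpoints` in the core API group, which is far narrower than cluster-admin.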
