Terraform-provider-kubernetes: Unsupported value: "rbac.authorization.k8s.io": supported values: ""

Created on 1 Nov 2018 · 11 Comments · Source: hashicorp/terraform-provider-kubernetes

Hi,
I'm running into this issue trying to bootstrap a k8s cluster using Terraform.

Terraform v0.11.10
+ provider.kubernetes v1.3.0

I want to apply the following role binding:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-role-binding
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system

I converted it into a terraform resource like this:

resource "kubernetes_cluster_role_binding" "tiller" {
  metadata {
    name = "tiller-role-binding"
  }

  role_ref {
    kind = "ClusterRole"
    name = "cluster-admin"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    kind = "ServiceAccount"
    name = "tiller"
    namespace = "kube-system"
  }
}

When I run terraform apply I get the following diff:

kubernetes_cluster_role_binding.tiller: Creating...
  metadata.#:                  "" => "1"
  metadata.0.generation:       "" => "<computed>"
  metadata.0.name:             "" => "tiller-role-binding"
  metadata.0.resource_version: "" => "<computed>"
  metadata.0.self_link:        "" => "<computed>"
  metadata.0.uid:              "" => "<computed>"
  role_ref.%:                  "" => "3"
  role_ref.api_group:          "" => "rbac.authorization.k8s.io"
  role_ref.kind:               "" => "ClusterRole"
  role_ref.name:               "" => "cluster-admin"
  subject.#:                   "" => "1"
  subject.0.api_group:         "" => "rbac.authorization.k8s.io"
  subject.0.kind:              "" => "ServiceAccount"
  subject.0.name:              "" => "tiller"
  subject.0.namespace:         "" => "kube-system"

Terraform adds subject.0.api_group.

If I apply the changes I get the following error:

1 error(s) occurred:

* kubernetes_cluster_role_binding.tiller: 1 error(s) occurred:

* kubernetes_cluster_role_binding.tiller: ClusterRoleBinding.rbac.authorization.k8s.io "tiller-role-binding" is invalid: subjects[0].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""
bug

All 11 comments

To work around this, I've explicitly set subject { api_group = "" }. The underlying code is incorrectly assigning the default value of api_group to "rbac.authorization.k8s.io" inside of the subject.

This works for me:

resource "kubernetes_cluster_role_binding" "tiller" {
  metadata {
    name = "tiller"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "User"
    name      = "system:serviceaccount:kube-system:tiller"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind  = "ClusterRole"
    name = "cluster-admin"
  }
}

@mbarrien yep, it works like that, thanks.

I have the same issue. The workaround above also works for me.

Although this works for me, I think it's not really nice having to specify that. Also, for newcomers it could be a problem, since if not set exactly like that it fails, and in some cases it forces a new resource every time (if role_ref api_group is not set).

resource "kubernetes_cluster_role_binding" "cluster_admin" {

  metadata {
    name = "eks-admin"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind = "ClusterRole"
    name = "cluster-admin"
  }
  subject {
    api_group = ""
    name = "eks-admin"
    kind = "ServiceAccount"
    namespace = "kube-system"
  }
}

Thanks to this issue and the example by @ntrp I got it to work. However, it is super confusing and took me a long time to figure out. This is a bug and should be fixed.

Here is the Kubernetes file:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: heapster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:heapster
subjects:
- kind: ServiceAccount
  name: heapster
  namespace: kube-system

This is the converted document using the Kubernetes provider:

# Heapster RBAC file converted from:
#  https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml
#
# the heapster file is part of the official AWS EKS Kubernetes Web UI (Dashboard)
# tutorial: https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html

resource "kubernetes_cluster_role_binding" "heapster" {
    metadata {
        name = "heapster"
    }

    role_ref {
        api_group = "rbac.authorization.k8s.io"
        kind = "ClusterRole"
        name = "system:heapster"
    }

    subject {
        api_group = ""
        kind = "ServiceAccount"
        name = "heapster"
        namespace = "kube-system"
    }
}

Without the empty api_group = "" it does not work. It will produce the following error message:

* kubernetes_cluster_role_binding.heapster: ClusterRoleBinding.rbac.authorization.k8s.io "heapster" is invalid: subjects[0].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""

It is a bug because according to the documentation the api_group is optional and only applies to User and Group.

Yep, it's a bug, pls fix

Schema says it's optional
https://github.com/terraform-providers/terraform-provider-kubernetes/blob/master/kubernetes/schema_rbac.go#L29-L35

Had to do

subject {
    api_group = ""
}

Any plans to fix this soon?

Just went into the same issue here. I'll try the @shaneramey but a simple fix would be greatly appreciated.

I had the same issue just with the kubernetes_role_binding. I think it's relevant

The problem is that this forces a new resource, so the clusterrolebinding is deleted and recreated on each run.
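The rule behind the error quoted throughout this thread, as an added Go example that is not the provider's or the API server's code: a ServiceAccount subject must carry an empty apiGroup, while User and Group subjects carry "rbac.authorization.k8s.io". The `Subject` type, the function names and the wording of the unknown-kind error are assumptions made for illustration; a check like this can run over bindings before apply.

```go
package main

import "fmt"

const rbacGroup = "rbac.authorization.k8s.io"

// Subject mirrors the fields of an RBAC binding subject (illustrative type).
type Subject struct {
	Kind, APIGroup, Name, Namespace string
}

// ExpectedAPIGroup returns the only apiGroup accepted for a subject kind.
// A kind-dependent default like this is what the thread asks the provider for.
func ExpectedAPIGroup(kind string) (string, bool) {
	switch kind {
	case "ServiceAccount":
		return "", true // core API group
	case "User", "Group":
		return rbacGroup, true
	}
	return "", false
}

// ValidateSubject rejects a subject whose apiGroup does not match its kind,
// using the message format seen in the thread.
func ValidateSubject(i int, s Subject) error {
	want, ok := ExpectedAPIGroup(s.Kind)
	if !ok {
		return fmt.Errorf("subjects[%d].kind: Unsupported value: %q", i, s.Kind)
	}
	if s.APIGroup != want {
		return fmt.Errorf("subjects[%d].apiGroup: Unsupported value: %q: supported values: %q",
			i, s.APIGroup, want)
	}
	return nil
}

func main() {
	// Constructed inputs taken from the configurations posted above.
	subjects := []Subject{
		{Kind: "ServiceAccount", APIGroup: rbacGroup, Name: "tiller", Namespace: "kube-system"}, // provider default
		{Kind: "ServiceAccount", APIGroup: "", Name: "tiller", Namespace: "kube-system"},        // workaround
		{Kind: "User", APIGroup: rbacGroup, Name: "system:serviceaccount:kube-system:tiller"},
	}
	for i, s := range subjects {
		fmt.Printf("%-15s %v\n", s.Kind, ValidateSubject(i, s))
	}
}
```

Every binding in this thread grants cluster-admin, so a role binding that is deleted and recreated on each run also leaves a short window in which the service account has no permissions.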
