Notes on getting stuck while setting up Argo on a GKE cluster
What happened
Argo Getting Started > 2. Install the Controller and UI
Running the apply command below fails with Required "container.roles.create" permission.
kubectl apply -n argo -f https://raw.githubusercontent.com/argoproj/argo/stable/manifests/install.yaml
Error output
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/argoproj/argo/stable/manifests/install.yaml": roles.rbac.authorization.k8s.io is forbidden: User "hoge@hoge.com" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "argo": Required "container.roles.create" permission.
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/argoproj/argo/stable/manifests/install.yaml": clusterroles.rbac.authorization.k8s.io is forbidden: User "hoge@hoge.com" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope: Required "container.clusterRoles.create" permission.
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/argoproj/argo/stable/manifests/install.yaml": clusterroles.rbac.authorization.k8
Fix
Granting the target account cluster-admin permissions through Cloud IAM with gcloud is enough to fix it
gcloud projects add-iam-policy-binding $PROJECT \
--member=user:person@company.com \
--role=roles/container.admin
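The Forbidden errors above already name the exact IAM permissions that were missing. As an added example (not from the original post or the Argo docs), this shell snippet extracts them and checks them against a candidate role's permission list; the sample errors, the function names and the permission-list file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Argo docs): list the GKE IAM permissions that a
# failed `kubectl apply` reported as missing, and check them against a role.

# Constructed sample modelled on the Forbidden errors above (manifest URL shortened).
SAMPLE_ERRORS='Error from server (Forbidden): error when creating "install.yaml": roles.rbac.authorization.k8s.io is forbidden: User "hoge@hoge.com" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "argo": Required "container.roles.create" permission.
Error from server (Forbidden): error when creating "install.yaml": clusterroles.rbac.authorization.k8s.io is forbidden: User "hoge@hoge.com" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope: Required "container.clusterRoles.create" permission.
Error from server (Forbidden): error when creating "install.yaml": clusterroles.rbac.authorization.k8s.io is forbidden: User "hoge@hoge.com" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope: Required "container.clusterRoles.create" permission.'

# missing_permissions: read kubectl error output on stdin and print each
# distinct permission named in a `Required "..." permission.` suffix.
missing_permissions() {
  sed -n 's/.*Required "\([^"]*\)" permission\..*/\1/p' | sort -u
}

# not_granted_by FILE: FILE holds one IAM permission per line (hypothetical
# input, e.g. copied from a role's includedPermissions list). Prints the
# missing permissions that FILE does not contain; empty output = role suffices.
not_granted_by() {
  missing_permissions |
    awk -v f="$1" 'BEGIN { while ((getline p < f) > 0) have[p] = 1 }
                   !($0 in have)'
}

# Typical use against a real run (the Forbidden lines arrive on stderr):
#   kubectl apply -n argo -f install.yaml 2>&1 | missing_permissions
printf '%s\n' "$SAMPLE_ERRORS" | missing_permissions
```

Comparing the extracted list against a role before granting it shows whether a narrower grant than a project-wide admin role would already cover the install.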
Memo
The Argo documentation says
NOTE: On GKE, you may need to grant your account the ability to create new clusterroles
kubectl create clusterrolebinding YOURNAME-cluster-admin-binding --clusterrole=cluster-admin --user=YOUREMAIL@gmail.com
but this also failed because of insufficient permissions, which was painful....
References