Tags: kubernetes, google-kubernetes-engine, k8s-serviceaccount, k8s-rolebinding

Can't deploy bitnami/rabbitmq Helm Chart on GKE, permission to create role is required


Introduction:

I am trying to deploy a RabbitMq Helm Chart to GKE, with my Gitlab CI/CD pipeline. The command I use to install my chart is:

helm upgrade --install rabbitmq --create-namespace --namespace kubi-app-main -f envs/main/rabbitmq/rabbitmq.yaml bitnami/rabbitmq

envs/rabbitmq/rabbitmq.yaml:

auth:
  username: user
  password: password
# The used vhost is default-vhost
extraConfiguration: |-
  default_vhost = default-vhost
  default_permissions.configure = .*
  default_permissions.read = .*
  default_permissions.write = .*

The Gitlab job first connects to the GKE cluster with gcloud:

echo "$SERVICE_ACCOUNT_KEY" > key.json
gcloud auth activate-service-account --key-file=key.json
gcloud config set project project-kubi-app
gcloud container clusters get-credentials cluster-1 --zone europe-west9-a --project project-kubi-app

The Issue:

But the helm upgrade fails:

Error: roles.rbac.authorization.k8s.io is forbidden: User "kubiapp-cluster-sa@project-kubi-app.iam.gserviceaccount.com" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "kubi-app-main": requires one of ["container.roles.create"] permission(s).

gcloud projects get-iam-policy project-kubi-app --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:kubiapp-cluster-sa@project-kubi-app.iam.gserviceaccount.com"

This will return ROLE roles/editor, meaning that my service account has an editor role on the project.


From what I understand, the service account kubiapp-cluster-sa@project-kubi-app.iam.gserviceaccount.com has the editor role on the project project-kubi-app.
BUT the service account that I am using can't create a role in the namespace kubi-app-main.
I don't understand the use of this role, but its origin is the RabbitMq Helm Chart.

From the RabbitMq Helm Chart:

...
# Source: rabbitmq/templates/rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rabbitmq-endpoint-reader
  namespace: "kubi-app-main"
  labels:
    app.kubernetes.io/name: rabbitmq
    helm.sh/chart: rabbitmq-10.1.8
    app.kubernetes.io/instance: rabbitmq
    app.kubernetes.io/managed-by: Helm
subjects:
  - kind: ServiceAccount
    name: rabbitmq
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rabbitmq-endpoint-reader
...
---

EDIT:

I have changed my service account role to Owner and now it works, but I would like to know the role required to create other roles.


Solution

  • roles/editor allows you to create/update/delete resources for most/many services, but does not include the permission to perform any of those operations on roles in general. roles/owner, on the other hand, does as it essentially makes you an admin of (almost every) resource.

    For GKE, the usual role required to create/modify/update roles within the cluster is roles/container.clusterAdmin. Check out GKE roles.
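A pre-flight check for the CI job, added here as an example (it is neither the asker's pipeline nor code from the Bitnami chart): it renders the chart with `helm template`, lists every top-level kind in the output, and asks `kubectl auth can-i` whether the active identity may create each one in the target namespace, so the job fails with a readable list instead of the RBAC error quoted in the question. The manifest embedded in the block is constructed for the demo and only mirrors the RoleBinding shown above; the function names `manifest_resources` and `can_create_all` are this example's own.

```shell
#!/bin/sh
# Pre-flight RBAC check before `helm upgrade` (example code, not from the chart or the post).
# Render the chart, list every top-level kind it contains, and ask the API server
# whether the current identity may create each one in the target namespace.

# Read a multi-document manifest on stdin and print each object type once as
# "<resource>.<group>" ("<resource>" alone for the core group), the form that
# `kubectl auth can-i` accepts. Only "kind:"/"apiVersion:" lines at column 0 count,
# so the indented kinds in a RoleBinding's subjects/roleRef are ignored.
# Pluralisation follows the Kubernetes convention (lowercase, +s; y -> ies; s -> es);
# a kind that is already plural, such as Endpoints, would need a special case.
manifest_resources() {
  awk '
    function emit(   res, key) {
      if (kind == "") return
      if (kind ~ /y$/)      res = substr(kind, 1, length(kind) - 1) "ies"
      else if (kind ~ /s$/) res = kind "es"
      else                  res = kind "s"
      key = (group == "") ? res : res "." group
      if (!(key in seen)) { seen[key] = 1; print key }
      kind = ""; group = ""
    }
    /^---/         { emit(); next }
    /^apiVersion:/ { n = split($2, v, "/"); group = (n == 2) ? v[1] : "" }
    /^kind:/       { kind = tolower($2) }
    END            { emit() }
  '
}

# For every object type in the manifest on stdin, run
# `kubectl auth can-i create <resource> -n <namespace>` (exit 0 = yes, 1 = no).
# Prints one line per type; returns non-zero if any create is forbidden.
can_create_all() {
  ns=$1
  rc=0
  for r in $(manifest_resources); do
    if kubectl auth can-i create "$r" -n "$ns" >/dev/null 2>&1; then
      echo "ok         create $r in $ns"
    else
      echo "FORBIDDEN  create $r in $ns"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample (NOT real `helm template bitnami/rabbitmq` output): the
# RoleBinding mirrors the one quoted in the question, including "kind:" before
# "apiVersion:" and the indented kinds in subjects/roleRef.
SAMPLE_MANIFEST=$(cat <<'EOF'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rabbitmq
  namespace: kubi-app-main
---
apiVersion: v1
kind: Secret
metadata:
  name: rabbitmq
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rabbitmq-endpoint-reader
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rabbitmq-endpoint-reader
  namespace: kubi-app-main
subjects:
  - kind: ServiceAccount
    name: rabbitmq
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rabbitmq-endpoint-reader
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: rabbitmq
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rabbitmq
EOF
)

# Stand-alone demo without cluster access: list what the sample would require.
printf '%s\n' "$SAMPLE_MANIFEST" | manifest_resources

# In the pipeline, after `gcloud container clusters get-credentials ...`:
#   helm template rabbitmq bitnami/rabbitmq -n kubi-app-main \
#     -f envs/main/rabbitmq/rabbitmq.yaml | can_create_all kubi-app-main
```

Run with the pipeline's own credentials, right after the `gcloud container clusters get-credentials` step, and the identity that only holds roles/editor gets `FORBIDDEN  create roles.rbac.authorization.k8s.io in kubi-app-main`, the same denial the `helm upgrade` surfaced, but before anything is applied to the cluster. Once the Google service account has a role that grants `container.roles.create`, the same command turns green and the deploy can proceed.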