GKE – User cannot create resource – requires one of [“container.roles.create”] permission(s)

The Issue

I stood up my first ever GKE cluster! Woo, go me!

However, when I was trying to set up Tanzu Service Mesh, I hit issues such as:

Error from server (Forbidden): error when creating "operator-deployment.yaml": roles.rbac.authorization.k8s.io is forbidden: User "dean@veducate.co.uk" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "vmware-system-tsm": requires one of ["container.roles.create"] permission(s).

The Cause

This is because your initial Kubernetes login has no cluster-level permissions, due to the RBAC setup.

The Fix

You need to create new cluster-level roles and bind your account to them, or use the existing ones.

As this is a demo environment, I just bound my account to the out-of-the-box cluster-admin ClusterLevelRole (that is a mouthful!).

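# Bind your Google account to the built-in cluster-admin role
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=[gcp user email]

# Example
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=dean@veducate.co.uk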

If you need to double-check which Google account you are using, you can run:

gcloud info | grep Account
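
To confirm the binding fixed the exact action the API server refused, the Forbidden message can be turned into the matching kubectl auth can-i check. The script below is an added example, not part of the original post; the function names are made up for illustration, and the sample input is the error line quoted above.

```sh
#!/bin/sh
# Added example (not from the original post); function names are illustrative.
# Sample input: the Forbidden message quoted in this post.
SAMPLE_ERROR='Error from server (Forbidden): error when creating "operator-deployment.yaml": roles.rbac.authorization.k8s.io is forbidden: User "dean@veducate.co.uk" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "vmware-system-tsm": requires one of ["container.roles.create"] permission(s).'

# extract <message> <sed BRE with one capture group>: print the capture, or nothing.
extract() {
    printf '%s\n' "$1" | sed -n "s/.*$2.*/\1/p"
}

# Print the `kubectl auth can-i` command that re-tests the denied action.
forbidden_to_check() {
    verb=$(extract "$1" ' cannot \([a-z]*\) resource')
    res=$(extract "$1" 'resource "\([^"]*\)"')
    group=$(extract "$1" 'API group "\([^"]*\)"')
    ns=$(extract "$1" 'in the namespace "\([^"]*\)"')
    # Not a Forbidden message we understand: fail rather than guess.
    if [ -z "$verb" ] || [ -z "$res" ]; then return 1; fi
    # The core API group is reported as "", so only append non-empty groups.
    if [ -n "$group" ]; then res="$res.$group"; fi
    cmd="kubectl auth can-i $verb $res"
    # Cluster-scoped denials carry no namespace.
    if [ -n "$ns" ]; then cmd="$cmd --namespace $ns"; fi
    printf '%s\n' "$cmd"
}

# Print the user the API server authenticated (compare with `gcloud info`).
forbidden_user() { extract "$1" 'User "\([^"]*\)"'; }

# Print the GKE IAM permission named in the message, if any.
forbidden_iam_permission() { extract "$1" 'requires one of \["\([^"]*\)"'; }

forbidden_user "$SAMPLE_ERROR"
forbidden_iam_permission "$SAMPLE_ERROR"
forbidden_to_check "$SAMPLE_ERROR"
```

Run the printed kubectl auth can-i command before and after creating the binding; it answers no while the error persists and yes once the binding is in place.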



Dean Lewis

The post GKE – User cannot create resource – requires one of [“container.roles.create”] permission(s) appeared first on vEducate.co.uk.