0
votes

I am getting an error message after running some kubectl commands (GCP command line - gcloud). I have a K8S cluster created in GKE.

Example:

kubectl describe node gke_k8s_cluster_name

Error from server (Forbidden): leases.coordination.k8s.io "gke_k8s_cluster_name" is forbidden: User "MY_SERVICE_ACCOUNT" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "kube-node-lease": Required "container.leases.get" permission.

The point is that "container.leases.get" permission is not listed in IAM (as custom permissions or regular role).

How could I grant that permission to the service account in GCP?

thanks, Jose

1
Since leases are a recent feature, can you tell which GKE version you are using? - Dawid Kruk
Hi, thanks for asking. It says 1.14.10-gke.27 (default) - Static version. - José Enrique Hernández

1 Answer

2
votes

You may need to grant additional permissions to yourself on GCP IAM and GKE sides, for example:

# Read the active project and account from the gcloud configuration
PROJECT_ID=$(gcloud config get-value core/project)
USER_ID=$(gcloud config get-value core/account)
# IAM side: grant the Kubernetes Engine Admin role on the project
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=user:${USER_ID} --role=roles/container.admin
# RBAC side: bind the same identity to the cluster-admin ClusterRole inside the cluster
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user ${USER_ID}

See also GCP IAM & GKE RBAC integration.
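The RBAC half of the answer above can be scoped much more tightly than cluster-admin: the error in the question names exactly one resource (leases in API group coordination.k8s.io) in one namespace (kube-node-lease), and GKE allows a request when either IAM or Kubernetes RBAC permits it. The script below is an added example, not code from the answerer or from Google: it emits a namespaced Role granting only get/list on leases, a RoleBinding to the service account (on GKE a Google service account is addressed in RBAC as kind User with its e-mail), and the `kubectl auth can-i` check that confirms the grant took effect. SA_EMAIL, the Role/RoleBinding names and the example e-mail are placeholders I chose; the manifest is printed rather than applied so the script runs offline, and `apply` as the first argument pipes it into `kubectl apply -f -`.

```shell
#!/bin/sh
# Added example (not from the question or answer): least-privilege RBAC for
# node leases, as a narrower alternative to binding cluster-admin.
# SA_EMAIL is a placeholder for the GCP service account that runs kubectl.
SA_EMAIL="${SA_EMAIL:-my-sa@example-project.iam.gserviceaccount.com}"

# Emit a Role limited to the namespace and resource named in the error,
# plus a RoleBinding that attaches it to the given identity.
lease_reader_manifest() {
  sa="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: node-lease-reader
  namespace: kube-node-lease
rules:
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: node-lease-reader-binding
  namespace: kube-node-lease
subjects:
- kind: User
  name: ${sa}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: node-lease-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Build the verification command: kubectl auth can-i answers yes/no for the
# exact verb/resource/namespace, and --as impersonates the bound identity.
can_i_check_cmd() {
  printf 'kubectl auth can-i get leases.coordination.k8s.io -n kube-node-lease --as=%s\n' "$1"
}

# Sanity check that the grant stays narrow: no wildcard verbs or resources.
manifest_grants_wildcard() {
  if lease_reader_manifest "$1" | grep -q '"\*"'; then
    echo yes
  else
    echo no
  fi
}

if [ "${1:-}" = "apply" ]; then
  # Apply the manifest, then confirm the permission from the service account's view.
  lease_reader_manifest "$SA_EMAIL" | kubectl apply -f -
  sh -c "$(can_i_check_cmd "$SA_EMAIL")"
else
  # Offline mode: show what would be applied and the check to run afterwards.
  lease_reader_manifest "$SA_EMAIL"
  can_i_check_cmd "$SA_EMAIL"
fi
```

Run it once with no arguments to review the manifest, then with `apply` from an identity that already holds cluster-admin (for example the one set up in the answer). If `kubectl auth can-i` still prints `no`, the subject name in the RoleBinding does not match the e-mail GKE sees for the service account, which is the most common reason a GKE RBAC grant silently does nothing.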