
Anthos cluster cannot create Kubernetes resources unless I am a GCP Project Owner?

 

I have a GCP Project and Anthos Cluster deployed within it.

If I am an admin of an Anthos cluster but not an Owner of the parent project, I have only read rights on Kubernetes and cannot create any resources. Getting:

Error from server (Forbidden)

I've given myself the "Kubernetes Engine Admin", "Kubernetes Engine Cluster Admin", and "Anthos Multi-cloud Admin" roles, but with no success. It seems like the "Owner" role is mandatory.

Is this by Anthos design, or am I missing something?

ACCEPTED SOLUTION

We solved this after many troubles by adding our GCP users these roles:

- roles/gkehub.viewer

- roles/gkehub.gatewayEditor

 

Now, they can create Kubernetes resources even if they are not Owners of the GCP project.
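
A least-privilege check for the two roles named in the solution above, as an added example that is not part of the original thread: it reads a flattened project IAM policy, reports which of the two roles a member still lacks, and prints the matching `gcloud projects add-iam-policy-binding` commands as a dry run. The project ID `my-project`, the example.com members and the sample policy are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check a member against the two roles
# from the accepted solution instead of falling back to roles/owner.
REQUIRED_ROLES="roles/gkehub.viewer roles/gkehub.gatewayEditor"

# missing_roles MEMBER  (flattened policy on stdin)
# Assumed input: one "<role><TAB><member>" line per binding, e.g. from
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#     --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)"
missing_roles() {
  member="$1"
  held="$(awk -F'\t' -v m="$member" '$2 == m { print $1 }')"
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$held" | grep -qxF "$role" || printf '%s\n' "$role"
  done
}

# has_owner MEMBER  (policy on stdin): succeeds if MEMBER holds roles/owner.
has_owner() {
  awk -F'\t' -v m="$1" '$1 == "roles/owner" && $2 == m { f = 1 } END { exit !f }'
}

# grant_commands PROJECT MEMBER  (policy on stdin): dry run, prints one
# gcloud command per missing role and changes nothing.
grant_commands() {
  project="$1"; member="$2"
  missing_roles "$member" | while read -r role; do
    printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
      "$project" "$member" "$role"
  done
}

# Constructed sample policy: dev is not an Owner and has one of the two roles.
SAMPLE_POLICY="$(printf '%s\t%s\n' \
  roles/owner           user:owner@example.com \
  roles/container.admin user:dev@example.com \
  roles/gkehub.viewer   user:dev@example.com)"

# Demo on the constructed policy ("my-project" is a placeholder project ID).
printf '%s\n' "$SAMPLE_POLICY" | grant_commands my-project user:dev@example.com
```
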


5 REPLIES

For Anthos Config Management, you need these RBAC and permissions. If you are unfamiliar with RBAC, here is Google's official documentation.

For Anthos Service Mesh, this is the list of Permissions required to install it.

Does it mean it's mandatory to enable and use "Anthos Config Management" in order for this to work...?

I forgot to mention, but my user email is part of ClusterRoleBinding/gke-multicloud-cluster-admin, which means I should have "cluster-admin" rights.

No, I just put the information about both. If you are using Anthos Service Mesh, refer to the Permissions required to install. You can see there all the roles you need to have.

Thanks for the information 🙂

I would still leave the question open, as the issue is not specific to Anthos Config Management or Service Mesh.

