Velero installation failing from a VM host in GCP
I am trying to install velero on a GKE cluster from a GCP Compute Engine host using the steps below:
https://github.com/vmware-tanzu/velero-plugin-for-gcp
I am installing velero from the VM host using the command below:
velero install --provider gcp --plugins velero/velero-plugin-for-gcp:v1.1.0 --bucket ${VELEROBUCKET} --secret-file ./credentials-velero
but it is failing with the error below:
Error installing Velero. Use `kubectl logs deploy/velero -n velero` to check the deploy logs:
Error creating resource ClusterRoleBinding/velero: clusterrolebindings.rbac.authorization.k8s.io is forbidden:
User "116865650821658545991" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: requires one of ["container.clusterRoleBindings.create"] permission(s)
To resolve this error, I am trying this:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user velero
but this is also failing with the error below:
error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "116865650821658545991" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: requires one of ["container.clusterRoleBindings.create"] permission(s).
Two queries for the above scenario:
- Is it correct to create a clusterrolebinding resource to resolve the error I am seeing while installing velero?
- How to identify the corresponding user for "116865650821658545991" as seen in the second error, and what role needs to be assigned to create a clusterrolebinding resource?
Solution 1:
This is resolved now.
I identified the service account used by the VM using:
$ gcloud config list
[core]
account = [email protected]
After that we assigned the role "Kubernetes Engine Admin" to the above service account and installed velero successfully using the command below:
VELERO_BUCKET=gkevelerobackup
velero install --provider gcp --plugins velero/velero-plugin-for-gcp:v1.1.0 --bucket ${VELERO_BUCKET} --secret-file ./credentials-velero
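
The following is an added example, not part of the original question or answer. It parses the "forbidden" error from the question and prints, for review, the gcloud commands that resolve the numeric ID to a service account, list the roles it already holds, and grant Kubernetes Engine Admin (`roles/container.admin`). It assumes the caller is a service account, as in the answer; `PROJECT_ID` is a placeholder and the function names are hypothetical.

```shell
# Added example: turn a GKE IAM "forbidden" error into reviewable gcloud commands.
# Nothing here calls gcloud; the commands are only printed.

# Constructed sample input: the error text quoted in the question.
SAMPLE_ERROR='User "116865650821658545991" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: requires one of ["container.clusterRoleBindings.create"] permission(s)'

# Numeric ID after 'User "'. For a service account this is its uniqueId.
forbidden_user() {
  printf '%s\n' "$1" | sed -n 's/.*User "\([0-9][0-9]*\)" cannot.*/\1/p'
}

# First IAM permission named in 'requires one of [...]'.
forbidden_permission() {
  printf '%s\n' "$1" | sed -n 's/.*requires one of \["\([^"]*\)".*/\1/p'
}

# Print the remediation commands for error text $1 in project $2.
# Assumption: the caller is a service account, as in the answer above.
plan_fix() {
  pf_uid=$(forbidden_user "$1")
  pf_perm=$(forbidden_permission "$1")
  if [ -z "$pf_uid" ] || [ -z "$pf_perm" ]; then
    echo "not a GKE IAM forbidden error" >&2
    return 1
  fi
  cat <<EOF
# 1. Resolve the numeric ID to the service account e-mail
SA_EMAIL=\$(gcloud iam service-accounts describe $pf_uid --project $2 --format='value(email)')
# 2. List the roles the account already holds on the project
gcloud projects get-iam-policy $2 --flatten='bindings[].members' --filter="bindings.members:serviceAccount:\$SA_EMAIL" --format='value(bindings.role)'
# 3. Grant Kubernetes Engine Admin, which includes $pf_perm
#    (this role gives full management of clusters and their API objects)
gcloud projects add-iam-policy-binding $2 --member="serviceAccount:\$SA_EMAIL" --role=roles/container.admin
EOF
}

# PROJECT_ID is a placeholder; substitute the project that owns the cluster.
plan_fix "$SAMPLE_ERROR" "PROJECT_ID"
```

The role binding in step 3 has to be applied by an identity that is allowed to change the project's IAM policy, which is why the `kubectl create clusterrolebinding` attempt from the same VM failed with the same error.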