Velero installation failing from a VM host in GCP

google-cloud-platform google-iam google-kubernetes-engine

I am trying to install velero on a GKE Cluster from a GCP Compute Engine Host using below steps

https://github.com/vmware-tanzu/velero-plugin-for-gcp

I am installing velero from the VM host using below command

 velero install --provider gcp --plugins velero/velero-plugin-for-gcp:v1.1.0 --bucket ${VELEROBUCKET} --secret-file ./credentials-velero

but it is failing with below error

Error installing Velero. Use `kubectl logs deploy/velero -n velero` to check the deploy logs:
Error creating resource ClusterRoleBinding/velero: clusterrolebindings.rbac.authorization.k8s.io is forbidden: 
User "116865650821658545991" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: requires one of ["container.clusterRoleBindings.create"] permission(s)

To resolve this error , I am trying with this

  kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user velero

but this too failing with below error

error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "116865650821658545991" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: requires one of ["container.clusterRoleBindings.create"] permission(s).

Two queries for the above scenario

  1. Is it correct to create clusterrolebinding resource to resolve the error I am seeing while installing velero ?

  2. How to identify the corresponding user for "116865650821658545991" as seen in second error and what role needs to be assigned to create clusterrolebinding resource ?


Solution 1:

This is resolved now.

I identified the service account used by VM using

   $ gcloud config list
   [core]
   account = [email protected]

After that we assigned the role "Kubernetes Engine Admin" to the above Service account and installed velero using below command successfully

VELERO_BUCKET=gkevelerobackup
velero install --provider gcp --plugins velero/velero-plugin-for-gcp:v1.1.0 --bucket ${VELEROBUCKET} --secret-file ./credentials-velero

Related

Update Task Scheduler job password on multiple machines
How to send and use the V7R3 created program object in V7R2 version of iseries/AS400?
/usr/sbin/amavisd-new - why is pcmd/regex not working for this command in csf.pignore?
Handling badly folded long Return-Path header gracefully
Using if else statement inside shell module in ansible playbook
How do I process files on GCP through SFTP and Stateful Sets
How I can migrate my already built docker images with custom tags from dockerhub to amazon ECR?
User permission to create new File Descriptor
Forward an FTP/SFTP connection to another server (instead of tunneling from the client)
Rancher on K8s (not helm) permission issues
iptables denies unwanted access/port [duplicate]
How to add username or change password in vsftpd in Ubuntu 16.04?