
GKE: update install docs to mention need for cluster-admin RBAC role #111

renaudguerin opened this issue Aug 17, 2018 · 5 comments · Closed


renaudguerin commented Aug 17, 2018

I've just tried installing v0.7.0 on a k8s 1.10.5 cluster on GKE, following the instructions:

$ kubectl create -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/sealedsecret-crd.yaml
customresourcedefinition "sealedsecrets.bitnami.com" created
$ kubectl create -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/controller.yaml
serviceaccount "sealed-secrets-controller" created
deployment "sealed-secrets-controller" created
service "sealed-secrets-controller" created
rolebinding "sealed-secrets-controller" created
clusterrolebinding "sealed-secrets-controller" created
Error from server (Forbidden): error when creating "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.7.0/controller.yaml": roles.rbac.authorization.k8s.io "sealed-secrets-key-admin" is forbidden: attempt to grant extra privileges [.......]
Error from server (Forbidden): error when creating "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.7.0/controller.yaml": clusterroles.rbac.authorization.k8s.io "secrets-unsealer" is forbidden: attempt to grant extra privileges  [.......]

There's nothing special about our RBAC configuration. Any ideas?

Thanks

@arapulido
Contributor

@renaudguerin It may be that your Google user account is not a cluster admin and doesn't have rights to create roles.

Your cluster admin needs to explicitly allow you to create roles: https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#prerequisites_for_using_role-based_access_control

@renaudguerin
Author

Thank you.
I'm not super familiar with RBAC yet, but I was definitely able to install several other RBAC-enabled packages in the past.
I'm the sole user on this cluster; still, I've added the "cluster-admin-binding" clusterrolebinding for myself as advised in the documentation you linked, and it seems to have done the trick.
Until now I had one "cluster-admin" binding with only the "system:masters" group as the subject, but I would expect my user to have been part of that group (not sure how to check).

Thanks again

@anguslees
Contributor

One of the key design principles of k8s RBAC is that you can't increase your access through other RBAC actions. Your error means you were trying to grant RBAC access to something that your current user itself did not have permissions to access.

Those two roles involve reading/writing to Secrets in kube-system, which is quite an extreme privilege (but clearly necessary in sealed-secrets's case). So it's likely your existing RBAC policy allowed you to do all sorts of other things, but this particular operation was rejected.

Please reopen (or send a suggested PR) if you feel there's more we should add to the sealed-secrets documentation to help avoid similar issues for other users.
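The escalation-prevention rule described in the comment above (you cannot create a Role granting permissions you do not already hold), modelled as an added example; this is not code from sealed-secrets or from the Kubernetes apiserver, and the role contents and user permissions below are constructed approximations of the thread's situation:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One RBAC policy rule; '*' in verbs/resources is a wildcard.
    namespace=None means the rule is cluster-wide (a ClusterRole grant)."""
    verbs: frozenset
    resources: frozenset
    namespace: Optional[str] = None

def held_covers(held: Rule, verb: str, resource: str, ns: Optional[str]) -> bool:
    """Does a permission the subject already holds grant this single action?"""
    if held.namespace is not None and held.namespace != ns:
        return False  # a namespaced grant never covers another namespace or cluster scope
    return (("*" in held.verbs or verb in held.verbs)
            and ("*" in held.resources or resource in held.resources))

def can_create_role(held: List[Rule], new_role: List[Rule]) -> Tuple[bool, list]:
    """Escalation check: every (verb, resource) atom the new role would grant
    must already be covered by some rule the creating subject holds.
    (The real apiserver also waives this for subjects holding the 'escalate'
    verb on roles; omitted in this toy model.)"""
    missing = []
    for rule in new_role:
        for verb in sorted(rule.verbs):
            for resource in sorted(rule.resources):
                if not any(held_covers(h, verb, resource, rule.namespace) for h in held):
                    missing.append((verb, resource, rule.namespace))
    return (not missing, missing)

# Constructed approximation of the Role from the thread: the controller needs to
# read and write Secrets in kube-system (not the project's exact manifest).
KEY_ADMIN_ROLE = [Rule(frozenset({"get", "list", "create", "update"}),
                       frozenset({"secrets"}), namespace="kube-system")]

# Constructed: a user with broad rights in 'default' plus read-only cluster-wide
# access, which can install most things but holds nothing on kube-system Secrets.
GKE_USER = [Rule(frozenset({"*"}), frozenset({"*"}), namespace="default"),
            Rule(frozenset({"get", "list", "watch"}), frozenset({"pods", "deployments"}))]

# After the clusterrolebinding to cluster-admin suggested in the thread.
CLUSTER_ADMIN = [Rule(frozenset({"*"}), frozenset({"*"}))]

if __name__ == "__main__":
    for who, rules in (("GKE_USER", GKE_USER), ("CLUSTER_ADMIN", CLUSTER_ADMIN)):
        ok, missing = can_create_role(rules, KEY_ADMIN_ROLE)
        print(who, "may create sealed-secrets-key-admin:", ok, missing)
```

The `missing` list is the equivalent of the `[.......]` the apiserver elides in the Forbidden error: the exact verb/resource pairs the subject lacks.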

@renaudguerin
Author

@anguslees I came across the issue again on a different cluster, and it turns out this is a GKE specific problem, see for example this similar Prometheus issue: prometheus-operator/prometheus-operator#357

So, it's actually definitely a case of increasing your own access!

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin --user [USER_ACCOUNT]

fixes it, as suggested in the GKE doc that @arapulido linked above.

It may be worth adding this extra step for GKE users to the doc indeed.

anguslees reopened this Aug 24, 2018

Contributor

anguslees commented Aug 24, 2018

Thanks. Reopening so we can track adding a GKE note to the docs.

anguslees changed the title from "RBAC error when installing on GKE: "sealed-secrets-key-admin" is forbidden: attempt to grant extra privileges" to "GKE: update install docs to mention need for cluster-admin RBAC role" Aug 24, 2018
lypht added a commit to lypht/sealed-secrets that referenced this issue Nov 22, 2018
bors bot added a commit that referenced this issue Nov 22, 2018
128: Fixes #111 by adding gke-specific ClusterRoleBinding steps. r=anguslees a=lypht

Co-authored-by: Josh Hull <josh.hull@lypht.com>

bors bot closed this as completed in #128 Nov 22, 2018
mkmik added this to the v0.8.0 milestone Jul 19, 2019