特定 linux 用户无法部署到 GKE

Question

We have a Jenkins virtual machine on GCE which deals with deployments, including the ones we do to GKE. We've tried to deploy a project which we have not touched for some time. The deployment failed when calling

kubectl set image deployment my-deployment my-deployment=gcr.io/my-project/my-project:version-tag

getting this error:

Error from server (Forbidden): deployments.extensions "my-deployment" is forbidden: User "client" cannot get resource "deployments" in API group "extensions" in the namespace "default"

The weird thing is, if I log in to the machine, use my Linux user + my gcloud user, I can deploy fine. But when switching to the jenkins user using su - jenkins and then authorizing gcloud with my user I get this same error that our deploy account gets.

Please advise how to fix.

Answer 1

It seems related to cluster RBAC configurations. Did you enable the RBAC fo Google Groups ? In this case you should follow the instructions in the documentation above or disable it.

Otherwise, ss Raman Sailopal stated, you can try this:

• with your regular user run kubectl config get-contexts to retrieve your current context
• copy from /home/Linux user/.kube/config to /home/jenkins/.kube/config
• change user to jenkins and be sure you're using the same context by running kubectl config get-contexts and kubectl config set-context ...
• try your rights with:

  # Check to see if I can create deployments in any namespace
  kubectl auth can-i create deployments

  # Check to see if I can list deployments in my current namespace
  kubectl auth can-i list deployments.extensions