Deploying a TiDB cluster on GCP GKE with Terraform fails

I followed the deployment docs; the Kubernetes cluster was created automatically, but executing module.tidb-operator.null_resource.setup-env fails:

module.tidb-operator.null_resource.setup-env: Provisioning with 'local-exec'...
module.tidb-operator.null_resource.setup-env (local-exec): Executing: ["bash" "-c" "set -euo pipefail

if ! kubectl get clusterrolebinding cluster-admin-binding 2>/dev/null; then
  kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account)
fi

if ! kubectl get serviceaccount -n kube-system tiller 2>/dev/null ; then
  kubectl create serviceaccount --namespace kube-system tiller
fi

kubectl apply -f https://raw.githubusercontent.com/pingcap/tidb-operator/v1.0.1/manifests/crd.yaml
kubectl apply -f https://raw.githubusercontent.com/pingcap/tidb-operator/v1.0.1/manifests/tiller-rbac.yaml
kubectl apply -k manifests/local-ssd
kubectl apply -f manifests/gke/persistent-disk.yaml

helm init --service-account tiller --upgrade --wait
until helm ls; do
  echo "Wait until tiller is ready"
  sleep 5
done
"]
module.tidb-operator.null_resource.setup-env (local-exec): Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "106939507055928422500" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: Required "container.clusterRoleBindings.create" permission.

Error: Error running command 'set -euo pipefail

if ! kubectl get clusterrolebinding cluster-admin-binding 2>/dev/null; then
  kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $(gcloud config get-value account)
fi

if ! kubectl get serviceaccount -n kube-system tiller 2>/dev/null ; then
  kubectl create serviceaccount --namespace kube-system tiller
fi

kubectl apply -f https://raw.githubusercontent.com/pingcap/tidb-operator/v1.0.1/manifests/crd.yaml
kubectl apply -f https://raw.githubusercontent.com/pingcap/tidb-operator/v1.0.1/manifests/tiller-rbac.yaml
kubectl apply -k manifests/local-ssd
kubectl apply -f manifests/gke/persistent-disk.yaml

helm init --service-account tiller --upgrade --wait
until helm ls; do
  echo "Wait until tiller is ready"
  sleep 5
done
': exit status 1. Output: Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "106939507055928422500" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: Required "container.clusterRoleBindings.create" permission.

Please confirm that the user running the operation has the container.clusterRoleBindings.create permission required to create a ClusterRoleBinding; from the error it currently does not. We will look into the details further; thanks for the report. https://cloud.google.com/kubernetes-engine/docs/reference/api-permissions

The error shows that the current user has insufficient permissions. We recommend creating a separate service account for Terraform to use; see the documentation on creating and managing service accounts. ./create-service-account.sh creates a service account with the minimum required permissions.

For the specific steps to configure Terraform, see the docs: https://pingcap.com/docs-cn/v3.0/tidb-in-kubernetes/deploy/gcp-gke/#配置-terraform
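The setup-env script above only discovers the missing permission when `kubectl create clusterrolebinding` fails, which leaves the Terraform run half-applied. The following pre-flight script is an added example (it is not from this thread, the TiDB docs, or the TiDB Terraform module): it asks the API server up front whether the current identity may perform each cluster-scoped write the script needs, using the real `kubectl auth can-i` subcommand, and it extracts the GKE IAM permission name from a Forbidden error so the narrowest role that carries it can be looked up with `gcloud iam roles describe` instead of granting Owner. Function names are hypothetical, and the sample error message is constructed from the one quoted above.

```shell
#!/usr/bin/env bash
# Added example: pre-flight permission check for the tidb-operator setup-env step.
# Not part of the forum thread or the TiDB Terraform module; function names are
# hypothetical, `kubectl auth can-i` and `gcloud iam roles describe` are real commands.
set -eu

# Constructed sample, copied in shape from the error quoted in the thread.
SAMPLE_FORBIDDEN='Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "106939507055928422500" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: Required "container.clusterRoleBindings.create" permission.'

# Pull the GKE IAM permission name out of a kubectl Forbidden error.
# Prints nothing when the message has no 'Required "<perm>" permission' clause,
# e.g. for a NotFound error, so callers can tell "not an IAM problem" apart.
required_permission_from_error() {
  printf '%s\n' "$1" | sed -nE 's/.*Required "([A-Za-z0-9_.]+)" permission.*/\1/p'
}

# Ask the API server whether the identity kubectl is using may do <verb> <resource> [flags].
# Exit status 0 means allowed, 1 means denied (the answer the provisioner gets the hard way).
can_i() {
  kubectl auth can-i "$@" >/dev/null 2>&1
}

# The writes setup-env performs, taken from the script in the error output:
# cluster-admin-binding, the tiller ServiceAccount in kube-system, and the CRDs.
# Returns non-zero if any is denied, so it can gate `terraform apply` in CI.
preflight() {
  failed=0
  for check in \
    "create clusterrolebindings" \
    "create serviceaccounts -n kube-system" \
    "create customresourcedefinitions"; do
    set -- $check
    if can_i "$@"; then
      echo "ok:      $check"
    else
      echo "MISSING: $check"
      failed=1
    fi
  done
  return "$failed"
}

# Does a GCP IAM role grant a given permission? Use it to pick a role narrower than
# roles/owner for the Terraform identity, e.g.:
#   role_has_permission roles/container.admin container.clusterRoleBindings.create
role_has_permission() {
  gcloud iam roles describe "$1" --format=json | grep -q "\"$2\""
}

# Usage: ./preflight.sh run      (only this mode talks to kubectl)
#        ./preflight.sh demo     (parses the constructed sample offline)
case "${1:-}" in
  run)  preflight ;;
  demo) echo "permission named in sample error: $(required_permission_from_error "$SAMPLE_FORBIDDEN")" ;;
esac
```

Run `preflight` with the same kubeconfig and gcloud account Terraform will use; a `MISSING: create clusterrolebindings` line corresponds exactly to the Forbidden error in the thread, and `required_permission_from_error` gives the IAM permission to search for in a role rather than reaching for Owner.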

I followed the deployment docs for the whole process. The problem was indeed caused by permissions. Following the approach from a similar StackOverflow question, I gave the IAM member Compute Engine default service account the "Owner" role, then ran kubectl create clusterrolebinding user-cluster-admin-binding --clusterrole=cluster-admin --user=user-compute@developer.gserviceaccount.com, and it worked.