This repository has been archived by the owner on Apr 12, 2023. It is now read-only.

Error when applying manifest #118

Open
aroekene opened this issue Feb 17, 2019 · 4 comments

@aroekene

When applying manifest it ends with this error:
Error from server (Forbidden): error when creating "manifests-all.yaml": clusterroles.rbac.authorization.k8s.io "prometheus" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes/proxy"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["nodes/proxy"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes/proxy"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{NonResourceURLs:["/metrics"], Verbs:["get"]}] user=&{server.domain.com [system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

This is the outcome from applying before the error occurs:

namespace "monitoring" created
clusterrolebinding "prometheus" created
serviceaccount "prometheus-k8s" created
configmap "alertmanager-templates" created
configmap "alertmanager" created
deployment "alertmanager" created
service "alertmanager" created
deployment "grafana-core" created
configmap "grafana-import-dashboards" created
job "grafana-import-dashboards" created
secret "grafana" created
service "grafana" created
configmap "prometheus-core" created
deployment "prometheus-core" created
deployment "kube-state-metrics" created
serviceaccount "kube-state-metrics" created
service "kube-state-metrics" created
daemonset "node-directory-size-metrics" created
daemonset "prometheus-node-exporter" created
service "prometheus-node-exporter" created
configmap "prometheus-rules" created
service "prometheus" created

Kubernetes v1.9.6

kubectl get clusterrolebindings --all-namespaces
NAME         AGE
prometheus   7m
kubectl get serviceaccount --all-namespaces
NAMESPACE     NAME                 SECRETS   AGE
core          default              1         1d
default       default              1         1d
itsma1        default              1         1d
kube-public   default              1         1d
kube-system   default              1         1d
monitoring    default              1         7m
monitoring    kube-state-metrics   1         7m
monitoring    prometheus-k8s       1         7m
@pipo02mix
Contributor

Hey, it looks like the permissions you have as a user are not enough to apply the manifest as it is.

clusterroles.rbac.authorization.k8s.io "prometheus" is forbidden: attempt to grant extra privileges

You would need something higher permissions as user, because Prometheus needs to scrape /metrics from nodes.

@josephtyler

I'm having the same issue, although I don't understand this: "You would need something higher permissions as user". Would you mind elaborating?

@aroekene
Author

I believe this actually has to do with the Kubernetes version we were running on. It seems like after upgrading the issue with deploying disappeared.
@josephtyler Which version are you running on?

We're currently on v1.13.2

@pipo02mix
Contributor

This message

clusterroles.rbac.authorization.k8s.io "prometheus" is forbidden: attempt to grant extra privileges:

means your current user (the one you are using to submit the manifest with kubectl) has fewer privileges than Prometheus needs. For security reasons you cannot give an app more privileges than the ones you have as a user.
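An added example, not part of the thread or of the project's code: it parses an error in the format quoted above and reports which rules the applying user does not hold, which is the comparison the last comment describes. The sample message is a constructed, shortened copy of the reported one, and `covers` is a simplified stand-in for the API server's escalation check (assumption: exact match or `*` only).

```python
import re
from collections import defaultdict

# Constructed, shortened sample in the format of the error quoted in this issue.
SAMPLE = (
    'clusterroles.rbac.authorization.k8s.io "prometheus" is forbidden: '
    'attempt to grant extra privileges: '
    '[PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} '
    'PolicyRule{Resources:["nodes/proxy"], APIGroups:[""], Verbs:["get"]} '
    'PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} '
    'PolicyRule{NonResourceURLs:["/metrics"], Verbs:["get"]}] '
    'user=&{server.domain.com [system:authenticated] map[]} '
    'ownerrules=[] ruleResolutionErrors=[]'
)

def parse_rules(text):
    """Turn each PolicyRule{...} into a dict of field name -> list of values."""
    return [{k: re.findall(r'"([^"]*)"', v)
             for k, v in re.findall(r'(\w+):\[(.*?)\]', body)}
            for body in re.findall(r'PolicyRule\{(.*?)\}', text)]

def split_error(msg):
    """Return (denied rules, rules the applying user holds) from the message."""
    denied = re.search(r'extra privileges: \[(.*?)\] user=', msg).group(1)
    owned = re.search(r'ownerrules=\[(.*)\] ruleResolutionErrors', msg).group(1)
    return parse_rules(denied), parse_rules(owned)

def covers(owned, want):
    """Simplified check: every value in `want` is in `owned`, '*' matches all."""
    return all('*' in owned.get(k, []) or set(v) <= set(owned.get(k, []))
               for k, v in want.items())

def missing(denied, owned):
    """Rules the user would be granting without holding them."""
    return [r for r in denied if not any(covers(o, r) for o in owned)]

def summarize(rules):
    """Group verbs by resource or non-resource URL."""
    out = defaultdict(set)
    for r in rules:
        for target in r.get('Resources', []) + r.get('NonResourceURLs', []):
            out[target].update(r['Verbs'])
    return {t: sorted(v) for t, v in out.items()}

if __name__ == '__main__':
    denied, owned = split_error(SAMPLE)
    print('rules held by applying user:', owned)
    for target, verbs in summarize(missing(denied, owned)).items():
        print(f'lacks {verbs} on {target}')
```

The `ownerrules=[]` field is the part to read first: the API server resolved no RBAC rules at all for the submitting user, so every rule in the ClusterRole counts as extra.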
