Mac here, in case it makes a difference. I am on 2 separate GCP/gcloud/GKE/Kubernetes projects and have two different gmails for each of them:
- Project 1: flim-flam, where my email is [email protected] (pretend it's a Gmail)
- Project 2: foo-bar, where my email is [email protected]
I log into my [email protected] account via gcloud auth login and confirm I am logged in as that account. For instance, I go to the GCP console and verify (in the UI) that I am in fact logged in as [email protected]. Furthermore, when I run gcloud config configurations list I get:
NAME       IS_ACTIVE  ACCOUNT            PROJECT    COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
flim-flam  True       [email protected]  flim-flam
foo-bar    False      [email protected]  foo-bar
From my flim-flam project, when I run kubectl delete ns flimflam-app I get permission errors:
Error from server (Forbidden): namespace "flimflam-app" is forbidden: User "[email protected]" cannot delete resource "namespaces" in API group "" in the namespace "flimflam-app": requires one of ["container.namespaces.delete"] permission(s).
So gcloud thinks I'm logged in as myuser1 but kubectl thinks I'm logged in as myuser2. How do I fix this?
CodePudding user response:
gcloud and kubectl share user identities but their configuration is in different files.
Using gcloud auth login does not update (!) existing (!) kubectl configurations. The former (on Linux) are stored in ${HOME}/.config/gcloud and the latter in ${HOME}/.kube/config.
I don't have a copy on hand but, if you check ${HOME}/.kube/config, it likely references the other Google account. You can either duplicate the users entry and reference it from the context, or you could edit the existing users entry.
Actually, better yet, use gcloud container clusters get-credentials to update kubectl's configuration with the currently-active gcloud user. This command updates ${HOME}/.kube/config for you.
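To see which users entry each kubectl context actually points at, as the answer above suggests checking, the following is an added example and not part of the original post. It audits a kubeconfig that has already been parsed into a dict; the sample data, the ZONE/CLUSTER names and the token value are constructed placeholders, and the name-mismatch check assumes that gcloud writes the same name for a cluster, its context and its users entry.

```python
import json

# Constructed sample in kubeconfig layout (all names and the token are placeholders).
SAMPLE_KUBECONFIG = json.loads("""
{"current-context": "gke_flim-flam_ZONE_CLUSTER",
 "contexts": [
  {"name": "gke_flim-flam_ZONE_CLUSTER",
   "context": {"cluster": "gke_flim-flam_ZONE_CLUSTER", "user": "gke_foo-bar_ZONE_CLUSTER"}},
  {"name": "gke_foo-bar_ZONE_CLUSTER",
   "context": {"cluster": "gke_foo-bar_ZONE_CLUSTER", "user": "gke_foo-bar_ZONE_CLUSTER"}}],
 "users": [
  {"name": "gke_foo-bar_ZONE_CLUSTER",
   "user": {"auth-provider": {"name": "gcp", "config": {"access-token": "PLACEHOLDER"}}}},
  {"name": "gke_flim-flam_ZONE_CLUSTER",
   "user": {"exec": {"command": "gke-gcloud-auth-plugin"}}}]}
""")

def auth_method(user):
    """Summarise how a kubeconfig users entry obtains its credentials."""
    if "exec" in user:
        return "exec:" + user["exec"].get("command", "?")
    if "auth-provider" in user:
        return "auth-provider:" + user["auth-provider"].get("name", "?")
    if "token" in user:
        return "static-token"
    return "unknown"

def audit_contexts(cfg):
    """Resolve every context to its users entry and flag suspicious wiring."""
    users = {u["name"]: (u.get("user") or {}) for u in cfg.get("users") or []}
    rows = []
    for c in cfg.get("contexts") or []:
        ctx = c.get("context") or {}
        user = users.get(ctx.get("user"))
        provider = ((user or {}).get("auth-provider") or {}).get("config") or {}
        rows.append({
            "context": c["name"],
            "current": c["name"] == cfg.get("current-context"),
            "user_entry": ctx.get("user"),
            "auth": auth_method(user) if user is not None else "missing users entry",
            # A token cached in the file belongs to whoever was active when it was issued.
            "cached_token": bool(provider.get("access-token")),
            # Assumption: gcloud-written entries share one name; a mismatch means hand edits.
            "name_mismatch": ctx.get("user") != ctx.get("cluster"),
        })
    return rows

if __name__ == "__main__":
    for row in audit_contexts(SAMPLE_KUBECONFIG):
        print(row)
```

For a real ${HOME}/.kube/config, load the file with a YAML parser (for example PyYAML's yaml.safe_load) and pass the resulting dict to audit_contexts.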
