Multicluster install fails to provision serviceaccounts, roles & rolebindings required to work #14667

@x00e

What is the issue?

Upon following this official guide, linkerd fails to provision all resources needed.

When running a multicluster check, I get errors on both clusters about missing ServiceAccounts, Roles, RoleBindings and ClusterRoleBindings.

Was able to reproduce this on 3 independent k3s clusters when trying to mesh them together using the linkerd multicluster plugin.

How can it be reproduced?

❯ linkerd --context=$cluster1  multicluster link-gen --cluster-name=$cluster1 --gateway=false | kubectl --context=$cluster2  apply -f -

secret/cluster-credentials-streaming-perftest01-pit01.xxx created
secret/cluster-credentials-streaming-perftest01-pit01.xxx created
link.multicluster.linkerd.io/streaming-perftest01-pit01.xxx created


❯ linkerd --context=$cluster2  multicluster link-gen --cluster-name=$cluster2 --gateway=false | kubectl --context=$cluster1  apply -f -

secret/cluster-credentials-streaming-perftest02-pit01.xxx created
secret/cluster-credentials-streaming-perftest02-pit01.xxx created
link.multicluster.linkerd.io/streaming-perftest02-pit01.xxx created

Logs, error output, etc

❯ linkerd --context=$cluster1 multicluster check
linkerd-multicluster
--------------------
√ Link CRD exists
√ Link resources are valid
	* streaming-perftest02-pit01.xxx
√ Link and CLI versions match
	* streaming-perftest02-pit01.xxx
√ remote cluster access credentials are valid
	* streaming-perftest02-pit01.xxx
√ clusters share trust anchors
	* streaming-perftest02-pit01.xxx
× service mirror controller has required permissions
    missing ServiceAccounts: linkerd-service-mirror-streaming-perftest02-pit01.xxx
missing ServiceAccounts: controller-streaming-perftest02-pit01.xxx
missing ClusterRoleBindings: linkerd-service-mirror-access-local-resources-streaming-perftest02-pit01.xxx
missing ClusterRoleBindings: linkerd-multicluster-controller-access-local-resources-streaming-perftest02-pit01.xxx
missing Roles: linkerd-service-mirror-read-remote-creds-streaming-perftest02-pit01.xxx
missing Roles: controller-read-remote-creds-streaming-perftest02-pit01.xxx
missing RoleBindings: linkerd-service-mirror-read-remote-creds-streaming-perftest02-pit01.xxx
missing RoleBindings: controller-read-remote-creds-streaming-perftest02-pit01.xxx
    see https://linkerd.io/2/checks/#l5d-multicluster-source-rbac-correct for hints
× service mirror controllers are running
            * no service mirror controller deployment for Link streaming-perftest02-pit01.xxx
    see https://linkerd.io/2/checks/#l5d-multicluster-service-mirror-running for hints
√ multicluster extension proxies are healthy
√ multicluster extension proxies are up-to-date
√ multicluster extension proxies and cli versions match

Status check results are ×

output of linkerd check -o short

❯ linkerd  check -o short 

× service mirror controller has required permissions
    missing ServiceAccounts: linkerd-service-mirror-streaming-perftest02-pit01.xxx
missing ServiceAccounts: controller-streaming-perftest02-pit01.xxx
missing ClusterRoleBindings: linkerd-service-mirror-access-local-resources-streaming-perftest02-pit01.xxx
missing ClusterRoleBindings: linkerd-multicluster-controller-access-local-resources-streaming-perftest02-pit01.xxx
missing Roles: linkerd-service-mirror-read-remote-creds-streaming-perftest02-pit01.xxx
missing Roles: controller-read-remote-creds-streaming-perftest02-pit01.xxx
missing RoleBindings: linkerd-service-mirror-read-remote-creds-streaming-perftest02-pit01.xxx
missing RoleBindings: controller-read-remote-creds-streaming-perftest02-pit01.xxx
    see https://linkerd.io/2/checks/#l5d-multicluster-source-rbac-correct for hints
× service mirror controllers are running
            * no service mirror controller deployment for Link streaming-perftest02-pit01.xxx
    see https://linkerd.io/2/checks/#l5d-multicluster-service-mirror-running for hints

Status check results are ×

Environment

❯ linkerd version
Client version: edge-25.10.6
Server version: edge-25.10.6

and the two nodes are on k3s:

k3s version v1.32.5+k3s1 (8e8f2a47)
go version go1.23.8
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.5 LTS"
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Possible solution

No response

Additional context

No response

Would you like to work on fixing this bug?

None
