I just created a cluster with kubeadm last week, version 1.7.3 on CentOS7. I followed the steps at Bitnami to create certs and a config for a user in a new namespace and a new context for RBAC. The user can authenticate to the cluster fine with the config and his kubectl commands stay in the namespace. He tries to run a deployment and gets an `Error from server (Forbidden)`. His service creates but not the deployment, so I'm confused by the partial ability to create things.
Role:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: dev
  name: deployment-manager
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
```
Rolebinding:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: dev
subjects:
- kind: User
  name: $ID
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiVersion: rbac.authorization.k8s.io/v1beta1
```
```
# kubectl get namespaces
NAME          STATUS    AGE
default       Active    6d
kube-public   Active    6d
kube-system   Active    6d
dev           Active    1d
```
```
# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
          dev                           kubernetes   $ID                dev
```
kubeconfig of user:

```
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://$IP:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: $ID
  name: dev
current-context: dev
kind: Config
preferences: {}
users:
- name: $ID
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
```
user attempt:

```
[$ID]$ kubectl create -f k8s.yml --record
service "aggregator-service" created
Error from server (Forbidden): error when creating "k8s.yml": User "$ID" cannot create deployments.apps in the namespace "dev". (post deployments.apps)
[$ID ~]$ kubectl get svc
NAME                 CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
aggregator-service   10.xxx.xxx.xxx   <pending>     8090:32524/TCP,8091:30329/TCP   24
```
k8s.yml:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: aggregator-service
  labels:
    app: aggregator
    tier: agg
spec:
  type: LoadBalancer
  ports:
  - port: 8090
    targetPort: 8090
    name: http
  - port: 8091
    targetPort: 8091
    name: http-admin
  selector:
    app: aggregator
    tier: agg
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: aggregator-deployment
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: aggregator
        tier: agg
    spec:
      containers:
      - name: aggregator-service
        image: $IMAGE
        ports:
        - containerPort: 8090
```
Any pointers in the right direction would be appreciated! Thanks.
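An added example, not part of the question above and not Kubernetes code: a small offline model of how the RBAC authorizer matches a request against a namespaced Role and RoleBinding, fed with the Role and RoleBinding from the question. It assumes the binding's User subject has already been defaulted to `apiGroup: rbac.authorization.k8s.io` (the API server does this for v1beta1 User subjects), and `NARROW_ROLE` is a constructed Role for contrast that lists specific API groups instead of `"*"`.

```python
# Role "deployment-manager" from the question, as a plain dict (no PyYAML needed).
ROLE = {
    "metadata": {"namespace": "dev", "name": "deployment-manager"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
# RoleBinding from the question; "$ID" placeholder kept as the user name and the
# subject apiGroup written out as the API server defaults it for kind User.
BINDING = {
    "metadata": {"namespace": "dev", "name": "deployment-manager-binding"},
    "subjects": [{"kind": "User", "name": "$ID", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "deployment-manager"},
}
# Constructed, hypothetical Role for contrast: it never names the "apps" group,
# so a rule like this covers services (core group "") but not deployments.apps.
NARROW_ROLE = {
    "metadata": {"namespace": "dev", "name": "deployment-manager"},
    "rules": [{"apiGroups": ["", "extensions"], "resources": ["services", "deployments"],
               "verbs": ["get", "list", "create"]}],
}

def _matches(allowed, value):
    """A rule entry matches on exact value or the "*" wildcard."""
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, group, resource):
    """Per-rule check as the authorizer does it: verb, API group and resource all match."""
    return (_matches(rule["verbs"], verb) and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource))

def can_i(user, verb, resource_group, namespace, roles, bindings):
    """Answer a 'can user VERB RESOURCE.GROUP in NAMESPACE?' question.
    resource_group uses the resource.group form seen in the error message,
    e.g. "deployments.apps"; a bare name like "services" means the core group."""
    resource, _, group = resource_group.partition(".")
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user
                   and s.get("apiGroup") == "rbac.authorization.k8s.io" for s in b["subjects"]):
            continue  # subject does not match this user
        if b["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are outside this small model
        role = next((r for r in roles if r["metadata"]["namespace"] == namespace
                     and r["metadata"]["name"] == b["roleRef"]["name"]), None)
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(rule, verb, group, resource) for rule in role["rules"]):
            return True
    return False
```

Against the live cluster the same question is asked with `kubectl auth can-i create deployments.apps -n dev --as $ID` from the admin context, which reports what the API server actually has stored rather than what the manifest on disk says.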