Kubernetes RBAC authentication for default user

11/13/2017

I am using kops in AWS to create my Kubernetes cluster.

I have created a cluster with RBAC enabled via --authorization=RBAC as described here.

I am trying to use the default service account token to interact with the cluster and getting this error:

Error from server (Forbidden): User "system:serviceaccount:default:default" cannot list pods in the namespace "default". (get pods)

Am I missing a role or binding somewhere?

-- timothyclifford
kops
kubectl
kubernetes
rbac

2 Answers

11/13/2017

Try giving it the admin role and try again.

kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=default:default
-- sfgroups
Source: StackOverflow

10/16/2018

I think it is not a good idea to give the cluster-admin role to the default service account in the default namespace.

If you give cluster-admin access to the default user in the default namespace, every app (pod) that is deployed in the cluster, in the default namespace, will be able to manipulate the cluster (delete system pods/deployments or do other bad stuff).

By default the clusterrole cluster-admin is given to the default service account in the kube-system namespace. You can use it for interacting with the cluster.

-- Pastushenko Yuri
Source: StackOverflow
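An added example, not part of either answer: a simplified Python model of RBAC evaluation. It shows why the original request is forbidden, what the cluster-admin binding from the first answer grants, and what a namespaced Role grants instead. The names pod-reader and read-pods are hypothetical, and all objects are constructed samples.

```python
# Simplified model of Kubernetes RBAC evaluation: deny by default, grants are additive.
# Ignores groups, resourceNames, nonResourceURLs and role aggregation.
# All objects are constructed samples; "pod-reader" and "read-pods" are hypothetical names.
#
# Equivalent kubectl for the narrow grant:
#   kubectl create role pod-reader --verb=get,list,watch --resource=pods -n default
#   kubectl create rolebinding read-pods --role=pod-reader --serviceaccount=default:default -n default
#   kubectl auth can-i list pods --as=system:serviceaccount:default:default -n default

SA = {"kind": "ServiceAccount", "name": "default", "namespace": "default"}

ROLES = {
    ("ClusterRole", None, "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    ("Role", "default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

# The binding created by the first answer's command.
BROAD = [{"kind": "ClusterRoleBinding", "namespace": None, "subjects": [SA],
          "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}]
# A namespaced alternative that covers only the failing request.
NARROW = [{"kind": "RoleBinding", "namespace": "default", "subjects": [SA],
           "roleRef": {"kind": "Role", "name": "pod-reader"}}]

def _match(allowed, value):
    return "*" in allowed or value in allowed

def can_i(bindings, subject, verb, resource, namespace, api_group=""):
    """Return True if any binding grants the subject this request."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        # A RoleBinding grants only inside its own namespace;
        # a ClusterRoleBinding grants in every namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        role_ns = b["namespace"] if ref["kind"] == "Role" else None
        for rule in ROLES.get((ref["kind"], role_ns, ref["name"]), []):
            if (_match(rule["apiGroups"], api_group)
                    and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                return True
    return False

if __name__ == "__main__":
    for label, bindings in (("none", []), ("broad", BROAD), ("narrow", NARROW)):
        print(label, can_i(bindings, SA, "list", "pods", "default"),
              can_i(bindings, SA, "delete", "pods", "kube-system"))
```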