Apply kubernetes configuration from kube-system namespace


I have kubernetes cluster which I created with kops on AWS. I'm trying to use kube-applier to apply yaml configuration to my cluster: I created a deployment with kube-applier:

apiVersion: "extensions/v1beta1"
kind: "Deployment"
  name: "kube-applier"
  namespace: "kube-system"
  # spec

and started it in kube-system namespaces as suggested in a README: kubectl --namespace=kube-system apply -f deployment.yaml.

But then kube-applier fails with this error when received new file to apply:

$ kubectl apply -f /git/deployment.yaml
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc43034ca91 0xc43034ca91 kube-system kube-applier /git/applier-deployment.yaml 0xc421432531  false}
from server for: "/git/deployment.yaml": deployments.extensions "kube-applier" is forbidden: User "system:serviceaccount:kube-system:default" cannot get deployments.extensions in the namespace "kube-system"

How can I grant permissions to kube-applier pod to apply configurations in other namespaces?

Kubernetes version: Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6", GitCommit:"9f8ebd171479bec0ada837d7ee641dec2f8c6dd1", GitTreeState:"clean", BuildDate:"2018-03-21T15:13:31Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

-- Kirill

1 Answer


How can I grant permissions to kube-applier pod to apply configurations in other namespaces?

Create, or find, a ClusterRole with the correct resource permissions, then bind the ServiceAccount to it using a ClusterRoleBinding like so

kind: ClusterRoleBinding
    # C.R.B. don't have a "namespace:"
    name: my-kube-applier
  kind: ClusterRole
  name: cluster-admin
- kind: ServiceAccount
  name: default
  namespace: kube-system

BUT, as @jhernandez said, you will really want to create a dedicated ServiceAccount for kube-applier instead of granting what I presume is a very, very privileged ClusterRole to the default S.A. (which is what I did in the example above, but you should not do for real)

Creating a new ServiceAccount is super cheap: kubectl -n kube-system create sa kube-applier and then replace name: default with name: kube-applier in the subjects: block above.

Ideally one would create a customized least-privilege ClusterRole rather than using a massive hammer like cluster-admin, but generating the correct one would take some serious typing, so I'll leave that to your discretion.

-- mdaniel
Source: StackOverflow