K
Q

Service account failed to get pods although it has permissions "Error from server (Forbidden): ..."

7/2/2018

I created a service account and I want to give it permissions to list pods: kubectl get pods.

I have these settings for service account, role and rolebinding:

ServiceAccount.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myservice3

Role.yaml:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role
rules: 
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get"]

RoleBinding.yaml:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  name: my-role-binding
  namespace: default
subjects: 
- kind: ServiceAccount 
  name: myservice3
  namespace: default
  apiGroup: ""
roleRef: 
  kind: Role
  name: my-role
  apiGroup: ""

I created a user with the token of the service account:

SECRET_NAME=`kubectl get serviceaccounts myservice3 -o json | jq -r '.secrets[].name'`
TOKEN=`kubectl get secrets $SECRET_NAME -o json | jq -r '.data | .token' | base64 -d`
kubectl config set-credentials $USER_NAME --token=$TOKEN

Set a context to this user:

kubectl config set-context my-context \
--cluster=kubernetes \
--namespace=default \
--user=$USER_NAME

When tried to use its permissions:

$ kubectl get pods --context=my-context
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:myservice3" cannot list pods in the namespace "default"

I also tried with curl:

$ curl -k -v -H "Authorization: Bearer $TOKEN" https://127.0.0.1:6443
* About to connect() to 127.0.0.1 port 6443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=kube-apiserver
*       start date: Jul 02 09:36:21 2018 GMT
*       expire date: Jul 02 09:36:21 2019 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:6443
> Accept: */*
> Authorization: Bearer <JWT_token>
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Mon, 02 Jul 2018 12:17:10 GMT
< Content-Length: 257
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:default:myservice3\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
* Connection #0 to host 127.0.0.1 left intact

Any idea what I am doing wrong? I gave the service account a get pods permissions and it is still being forbidden.

-- E235
kubernetes
token

Similar Questions

How to restart kubernetes master?
Is it possible to disable security on spring cloud stream starter apps?
Do we need External Endpoints for orchestration micro services
error: the server doesn't have resource type "svc"

1 Answer

7/2/2018

The Role.yaml needed to have also list:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role
rules: 
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get", "list"]

get is a permission to get an individual item and list is permission to get all itmes.
Now it works when run:

kubectl get pods --context=myservice3-context

OR

curl -k -v -H "Authorization: Bearer <JWT_token> " https://127.0.0.1:6443/api/v1/namespaces/default/pods
-- E235
Source: StackOverflow