I'm attempting to grant a Kubernetes ServiceAccount the cluster-admin role using a ClusterRoleBinding:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: jenkins
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: jenkins
...and I'm getting this error:
The ClusterRoleBinding "jenkins" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"ClusterRole", Name:"cluster-admin"}:
cannot change roleRef
I've verified that the ClusterRole does exist:
kubectl get clusterrole
NAME AGE
admin 1d
alb-ingress-controller 1d
aws-node 1d
cluster-admin 1d
I've also attempted to attach other cluster roles to my service account and have been unable to do so.
I assume that this means you cannot attach cluster roles to service accounts, and if that is the case, then how do you grant cluster-level permissions to a service account?
The error "cannot change roleRef" was referring to the fact that the ClusterRoleBinding I was trying to create already existed.
By running kubectl get clusterrolebinding
I was able to see that the ClusterRoleBinding already existed.
After running kubectl delete clusterrolebinding/jenkins
I was able to execute the YAML above successfully.
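As an added example (not part of the original question or answer): because roleRef is immutable, replacing a binding means deleting it, so this helper first prints the role and subjects the existing binding carries and only then deletes and recreates it. The function names, the script name `rebind.sh` and the manifest file `jenkins-rbac.yaml` are assumptions.

```shell
#!/bin/sh
# Added example; function names and jenkins-rbac.yaml are hypothetical.

# Print "Kind/Name" of an existing ClusterRoleBinding's roleRef ("" if absent).
current_roleref() {
  kubectl get clusterrolebinding "$1" \
    -o jsonpath='{.roleRef.kind}/{.roleRef.name}' 2>/dev/null || true
}

# Decide the action from the current ($1, may be empty) and desired ($2) roleRef.
plan_binding() {
  if [ -z "$1" ]; then
    echo create          # no binding with this name yet
  elif [ "$1" = "$2" ]; then
    echo unchanged       # same role: apply can update subjects in place
  else
    echo recreate        # roleRef is immutable: delete, then create
  fi
}

# $1 = binding name, $2 = desired roleRef as Kind/Name, $3 = manifest file
apply_binding() (
  current=$(current_roleref "$1")
  case "$(plan_binding "$current" "$2")" in
    recreate)
      # Show what the old binding granted before it is removed.
      echo "ClusterRoleBinding $1 currently references $current; subjects:" >&2
      kubectl get clusterrolebinding "$1" -o \
        jsonpath='{range .subjects[*]}{.kind} {.namespace}/{.name}{"\n"}{end}' >&2
      kubectl delete clusterrolebinding "$1" || exit 1
      ;;
  esac
  kubectl apply -f "$3"
)

# Example: sh rebind.sh jenkins ClusterRole/cluster-admin jenkins-rbac.yaml
if [ "$#" -eq 3 ]; then
  apply_binding "$@"
fi
```

`kubectl auth reconcile -f jenkins-rbac.yaml` is a built-in alternative that deletes and recreates a binding when its roleRef has to change.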