Authorize Jenkins to list pods in its own K8S namespace

9/15/2018

So I am deploying a Jenkins instance inside my K8S cluster using Helm.

Here is the flow that I am following:

1) Create Namespace called jenkins-pipeline.

kubectl get ns jenkins-pipeline -o yaml
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: 2018-09-15T16:58:33Z
  name: jenkins-pipeline
  resourceVersion: "25596"
  selfLink: /api/v1/namespaces/jenkins-pipeline
  uid: 9449b9e7-b908-11e8-a915-080027bfdbf9
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

2) Create ServiceAccount called jenkins-admin INSIDE namespace jenkins-pipeline.

kubectl get serviceaccounts -n jenkins-pipeline jenkins-admin -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-09-15T17:02:25Z
  name: jenkins-admin
  namespace: jenkins-pipeline
  resourceVersion: "25886"
  selfLink: /api/v1/namespaces/jenkins-pipeline/serviceaccounts/jenkins-admin
  uid: 1e921d43-b909-11e8-a915-080027bfdbf9
secrets:
- name: jenkins-admin-token-bhvdd

3) Create ClusterRoleBinding linking my ServiceAccount jenkins-admin to ClusterRole cluster-admin. (I know this is not best practice to assign my deployment that much privilege but I'm just testing for now locally).

kubectl get clusterrolebindings.rbac.authorization.k8s.io jenkins-cluster-role-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-09-15T16:58:33Z
  name: jenkins-cluster-role-binding
  resourceVersion: "25597"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/jenkins-cluster-role-binding
  uid: 944a4c18-b908-11e8-a915-080027bfdbf9
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: jenkins-admin
  namespace: jenkins-pipeline

4) Deploy my pod in namespace jenkins-pipeline.

5) Expose deployment using service in namespace jenkins-pipeline.

Jenkins comes up perfectly fine but when I try to test my Kubernetes connection, it fails stating:

Error testing connection https://192.168.99.100:8443: Failure executing: GET at: https://192.168.99.100:8443/api/v1/namespaces/jenkins-pipeline/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:jenkins-pipeline:default" cannot list pods in the namespace "jenkins-pipeline".


I've configured this to the best of my knowledge. I created the serviceaccount in the namespace and gave this serviceaccount SUPER privileges. And yet it cannot list pods in its own namespace. Any help will be appreciated.

I tried to change namespace in the Jenkins UI but I have a feeling it defaults to jenkins-pipeline even if I don't state it.

--
jenkins
jenkins-plugins
kubernetes

1 Answer

9/15/2018

Thanks to David Maze's indication, I got it figured out. I was missing a crucial piece which was to make my deployment use the newly created ServiceAccount.

Needed to add it to the deployment file under spec.template.spec:

  spec:
    containers:
    - env:
      - name: JAVA_OPTS
        value: -Djenkins.install.runSetupWizard=false
      image: jeunii/my-jenkins-base:1.0
      imagePullPolicy: IfNotPresent
    .
    .
    serviceAccount: jenkins-admin
    .
    .
--
Source: StackOverflow
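Added example, not part of the question or the answer above: the same fix (run the pod as the bound ServiceAccount) combined with a namespace-scoped Role and RoleBinding in place of the cluster-admin ClusterRoleBinding from the question. The Role name, the Deployment labels and the set of verbs are assumptions; the verbs are what the Jenkins Kubernetes plugin usually needs to launch agent pods and should be trimmed to what you actually use.

```yaml
# Namespace-scoped Role instead of the cluster-admin ClusterRoleBinding
# from the question. Verbs listed are what the Jenkins Kubernetes plugin
# typically needs to manage agent pods (assumption; trim to what you use).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-agent-manager
  namespace: jenkins-pipeline
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-agent-manager
  namespace: jenkins-pipeline
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-agent-manager
subjects:
- kind: ServiceAccount
  name: jenkins-admin
  namespace: jenkins-pipeline
---
# The piece the question was missing: the pod must run as the bound
# ServiceAccount, otherwise the API server authenticates it as
# system:serviceaccount:jenkins-pipeline:default, as in the error message.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  namespace: jenkins-pipeline
spec:
  selector:
    matchLabels: {app: jenkins}
  template:
    metadata:
      labels: {app: jenkins}
    spec:
      serviceAccountName: jenkins-admin   # preferred over the deprecated `serviceAccount` key
      containers:
      - name: jenkins
        image: jeunii/my-jenkins-base:1.0   # image from the answer above
```

Before deploying, confirm the binding does what you expect with `kubectl auth can-i list pods -n jenkins-pipeline --as=system:serviceaccount:jenkins-pipeline:jenkins-admin`, and confirm that the same check with `--as=system:serviceaccount:jenkins-pipeline:default` is denied.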