Spring Cloud Kubernetes: What are cluster-reader permissions?

2/12/2019

According to Spring Cloud Kubernetes docs, in order to discover services/pods in RBAC enabled Kubernetes distros:

you need to make sure a pod that runs with spring-cloud-kubernetes has access to the Kubernetes API. For any service accounts you assign to a deployment/pod, you need to make sure it has the correct roles. For example, you can add cluster-reader permissions to your default service account depending on the project you’re in.

What are cluster-reader permissions in order to discover services/pods?

The error I am receiving is:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://x.x.x.x/api/v1/namespaces/jx-staging/services. 
Message: Forbidden!Configured service account doesn't have access. 
Service account may have been revoked. services is forbidden: 
User "system:serviceaccount:jx-staging:default" cannot list services in the namespace "jx-staging"
-- Michal Foksa
kubernetes
spring-cloud
spring-cloud-kubernetes

2 Answers

2/13/2019

Reading endpoints and services seems to be the bare minimum for Spring Cloud Kubernetes to discover pods and services.

The example adds permissions to the default service account in the default namespace.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-role
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  - services
  - configmaps
  verbs:
  - get
  - list
  - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-read-rolebinding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-read-role
  apiGroup: rbac.authorization.k8s.io
-- Michal Foksa
Source: StackOverflow

2/12/2019

Kubernetes generally categorizes roles into two types:

  • Role: These are specific to the namespace to which they are granted
  • ClusterRole: Applies to the whole cluster, meaning that it applies to all namespaces

So what the Spring Cloud Kubernetes docs mean there is that in order to be able to properly discover services/pods across all namespaces, the ServiceAccount which will be associated with the application should have a ClusterRole that allows it to read Pods, Services etc.

This part of the Kubernetes docs (which also contains great examples) is a must-read for a general understanding of Kubernetes RBAC.

-- geoand
Source: StackOverflow
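The first answer grants read access cluster-wide with a ClusterRole, and the second answer explains that a ClusterRole is only needed when discovery has to span namespaces. The error in the question is about a single namespace (jx-staging), so the least-privilege fix is a namespaced Role plus RoleBinding. The script below is an added example, not code from either answer or from the Spring Cloud Kubernetes project: it generates such a Role/RoleBinding for a given namespace and service account, and includes a verification step with `kubectl auth can-i` that confirms the failing permission ("list services") is now granted while cluster-wide and write access remain denied. The namespace and service account names come from the error message in the question; the Role name `spring-cloud-discovery-reader` is an assumption.

```shell
#!/bin/sh
# Added example (not from the original answers): least-privilege RBAC for
# Spring Cloud Kubernetes discovery scoped to ONE namespace, instead of the
# cluster-wide ClusterRole shown in the first answer. The Role/RoleBinding
# name below is assumed, not prescribed by the Spring Cloud Kubernetes docs.

# Print a namespaced Role + RoleBinding granting read-only (get/list/watch)
# access to the resources Spring Cloud Kubernetes discovery reads.
# $1 = namespace, $2 = service account name
gen_discovery_rbac() {
  ns="$1"
  sa="$2"
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spring-cloud-discovery-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["endpoints", "pods", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spring-cloud-discovery-reader
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: spring-cloud-discovery-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Build the identity kubectl impersonates to check a service account's
# permissions, e.g. system:serviceaccount:jx-staging:default (the user
# named in the Forbidden error in the question).
sa_user() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Verify the permission that failed in the question ("list services") and
# confirm the binding does NOT extend beyond the namespace or to writes.
# Needs a reachable cluster; only call this after applying the manifest.
check_discovery_rbac() {
  ns="$1"
  sa="$2"
  user="$(sa_user "$ns" "$sa")"
  kubectl auth can-i list services  --namespace "$ns" --as "$user"   # expect: yes
  kubectl auth can-i list endpoints --namespace "$ns" --as "$user"   # expect: yes
  kubectl auth can-i list services  --all-namespaces  --as "$user"   # expect: no
  kubectl auth can-i delete pods    --namespace "$ns" --as "$user"   # expect: no
}

# Usage (requires cluster access):
#   gen_discovery_rbac jx-staging default | kubectl apply -f -
#   check_discovery_rbac jx-staging default
```

If the application must discover services in other namespaces, this Role will not be enough and the ClusterRole from the first answer (or one RoleBinding per namespace to a shared ClusterRole) is the right tool; the `--all-namespaces` check above makes the difference between the two setups visible.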