Kubernetes rolebinding: <namespace>:default being changed to <namespace>:<namespace>-service-account

2/22/2019

I'm trying to run a deployment on a Kubernetes cluster at work through a GitLab CI/CD process (i.e. I don't control most of the configs). I'm also new to Kubernetes, so please forgive me if this is basic and obvious.

I have created my rolebindings:

kubectl create rolebinding [foo] --clusterrole=edit --serviceaccount=[bar]:default

And added my tokens and all settings to GitLab.

When the deployment kicks off, however, it will always fail at deployment with:

Error from server (Forbidden): error when creating "/builds/bar/baz/deployment.yml": service is forbidden: User "system:serviceaccount:bar:bar-service-account" cannot create services in namespace "bar"

I thought I should be working in system:serviceaccount:bar:default. Why is :default being replaced with :bar-service-account, and/or how do I fix this?

Many many thanks in advance

-- Justin
gitlab
kubernetes

1 Answer

2/23/2019

You are granting permissions to the default service account with the rolebinding you are creating. However, the deployment is not using that service account. If you look at the deployment manifest, it will have a serviceAccountName of bar-service-account.

Either change the deployment to use the default service account or change the rolebinding to grant permissions to the service account being used.

-- Jordan Liggitt
Source: StackOverflow
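
As an added example (not part of the original question or answer), the shell functions below read the service account and namespace out of the Forbidden error quoted in the question and print the kubectl commands that check the permission and bind the role to the account actually in use. The binding name foo and the role edit come from the question's own command; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: derive the RoleBinding subject from a Forbidden error.
# Nothing here contacts a cluster; the kubectl commands are only printed.

# Error text as quoted in the question (sample input for this example).
SAMPLE_ERROR='Error from server (Forbidden): error when creating "/builds/bar/baz/deployment.yml": service is forbidden: User "system:serviceaccount:bar:bar-service-account" cannot create services in namespace "bar"'

# Service account usernames have the form
#   system:serviceaccount:<namespace>:<name>
# Print "<namespace>:<name>", or return non-zero if the denied user
# is not a service account.
sa_from_error() {
  printf '%s\n' "$1" |
    sed -n 's/.*User "system:serviceaccount:\([^":]*:[^":]*\)".*/\1/p' |
    grep .
}

# Print the namespace in which the request was denied.
ns_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*in namespace "\([^"]*\)".*/\1/p'
}

# Print the denied "<verb> <resource>" pair, e.g. "create services".
action_from_error() {
  printf '%s\n' "$1" |
    sed -n 's/.* cannot \([a-z]*\) \([^ ]*\) in namespace.*/\1 \2/p'
}

# $1 = error text, $2 = rolebinding name, $3 = clusterrole to bind.
# Prints a check command and a fix command for review before running.
suggest_fix() {
  local sa ns action
  sa=$(sa_from_error "$1") || {
    echo "error does not name a service account" >&2
    return 1
  }
  ns=$(ns_from_error "$1")
  action=$(action_from_error "$1")
  # The binding lives in the namespace where access was denied; the
  # subject carries the service account's own namespace.
  echo "kubectl auth can-i ${action} --as=system:serviceaccount:${sa} -n ${ns}"
  echo "kubectl create rolebinding ${2} --clusterrole=${3} --serviceaccount=${sa} -n ${ns}"
}

suggest_fix "$SAMPLE_ERROR" foo edit
```

Running the printed auth can-i command before and after creating the binding shows whether the grant reached the account the deployment job runs as.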