Kubernetes permission issue

4/20/2019

I have a KUBE_CONFIG file that I'm using to access a Kubernetes cluster. I can only list pods. I can't list nodes or any other resource.

I have followed Forbidden: user cannot get path "/" (not anonymous user), but without success.

I tried creating a role but I get the following error:

Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "user2" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope

Some of the other errors are:

When I run kubectl get nodes:

Error from server (Forbidden): nodes is forbidden: User "user2" cannot list resource "nodes" in API group "" at the cluster scope

When I access Kubernetes dashboard on the browser, I get:

Forbidden: user cannot get path "/"

My expectation is to be able to create cluster roles so that I can access resources.

-- learner
kubectl
kubernetes
rbac

2 Answers

4/24/2019

It has already been stated, but I feel like this requires explanation and some additional information on what is going on.

Usually the kube-config file is located in a hidden folder in the home directory named ~/.kube; you can also call it from any directory using:

kubectl --kubeconfig="kubeconfigname.yaml" get pods

In your case you certainly have no privileges to do that as your error directly states that (this one is about creating clusterroles):

Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "user2" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope

User "user2" cannot create resource, so the cluster admin created user2 but did not provide the necessary (cluster)roles for you; the same reason is behind the creation of those rules. If you want to create roles, list nodes or edit objects, you need to request those (cluster)roles from the administrator of the cluster. Here is a quick guide on how to do it; as you won't be able to do it by yourself, you can share it with the admin in case the mistake was due to lack of knowledge. Other useful links:

Create User With Limited Namespace Access

RoleBinding and ClusterRoleBinding

-- aurelius
Source: StackOverflow

4/20/2019

You might not have access to list the nodes in the cluster.

Check the roles and role binding associated with user2 from kube config.

Get a cluster role created and add an appropriate clusterrolebinding mapping user2 to the cluster role, to be able to list, create or update Kubernetes objects.

-- P Ekambaram
Source: StackOverflow
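
The ClusterRole and ClusterRoleBinding both answers refer to, as an added example that is not part of either answer: a manifest a cluster administrator could apply to give user2 read-only access to nodes. The names node-reader and node-reader-user2 and the file name are assumptions made for this example.

```yaml
# Applied by a cluster administrator, for example:
#   kubectl apply -f node-reader.yaml
# (the file name and both metadata.name values are assumptions for this example)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
  # Nodes are cluster-scoped and live in the core API group, which is why the
  # error reads: in API group "" at the cluster scope.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-reader-user2
subjects:
  # The name must match the user string the API server reports in the error.
  - kind: User
    name: user2
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
# Weak alternative to avoid: pointing roleRef.name at the built-in cluster-admin
# role also clears the errors, but hands user2 full control of the cluster.
#
# Checks the administrator can run after applying, to confirm user2 gained
# node read access and nothing more:
#   kubectl auth can-i list nodes --as user2
#   kubectl auth can-i create clusterroles --as user2
```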