how to access namespaces in kubernetes using rest api?

5/22/2019

I am unable to get list of namespaces using rest api and rest end point is https://<localhost>:8001/api/v1/namespaces

Using this kubernetes document:

I am using postman. I will repeat the steps:

  1. Created a user and given cluster admin privileges:

kubectl create serviceaccount exampleuser

  1. Created a rolebinding for our user with cluster role cluster-admin:

kubectl create rolebinding <nameofrolebinding> --clusterrole cluster-admin --serviceaccount default:exampleuser

  1. Checked rolebinding using:

kubectl describe rolebinding <nameofrolebinding>

  1. Now by using:

kubectl describe serviceaccount exampleuser kubectl describe secret exampleuser-xxxx-xxxx

I will use token I got here to authenticate postman.

GET https://<ipofserver>:port/api/v1/namespace

AUTH using bearer token.

Expected result to list all namespaces in cluster. like kubectl get namespaces. But got a warning as follows.

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "namespaces is forbidden: User \"system:serviceaccount:default:exampleuser\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope",
    "reason": "Forbidden",
    "details": {
        "kind": "namespaces"
    },
    "code": 403
}

I have used "cluster-admin" clusterrole for the user, still getting authentication related error. please help.

-- naveen kumar
kubernetes
kubernetes-apiserver

2 Answers

5/22/2019

so issue is instead of using rolebinding , i need to use clusterrolebinding check below

kubectl create rolebinding nameofrolebinding --clusterrole cluster-admin --serviceaccount default:exampleuser

kubectl create clusterrolebinding nameofrolebinding --clusterrole cluster-admin --serviceaccount default:exampleuser

rolebinding scope is upto a namespace and clusterrolebinding scope is entire cluster.

To work with api/v1/namespaces we need to use clusterrolebinding

-- naveen kumar
Source: StackOverflow

5/22/2019

You should use clusterrolebinding instead of rolebinding:

kubectl create clusterrolebinding <nameofrolebinding> --clusterrole cluster-admin --serviceaccount default:exampleuser

RoleBinding means permissions to a namespaced resources, but namespace is not a namespaced resources, you can check this by kubectl api-resouces.

More detail at rolebinding-and-clusterrolebinding:

Permissions can be granted within a namespace with a RoleBinding, or cluster-wide with a ClusterRoleBinding

-- menya
Source: StackOverflow