K
Q

Receiving error when calling Kubernetes API from the Pod

6/24/2019

I have .NET Standard (4.7.2) simple application that is containerized. It has a method to list all namespaces in a cluster. I used csharp kubernetes client to interact with the API. According to official documentation the default credential of API server are created in a pod and used to communicate with API server, but while calling kubernetes API from the pod, getting following error:

Operation returned an invalid status code 'Forbidden'

My deployment yaml is very minimal: apiVersion: v1 kind: Pod metadata: name: cmd-dotnetstdk8stest spec: nodeSelector: kubernetes.io/os: windows containers: - name: cmd-dotnetstdk8stest image: eddyuk/dotnetstdk8stest:1.0.8-cmd ports: - containerPort: 80

-- eddyuk
kubernetes

Similar Questions

Escaping helm yml for deployment
Which component in Kubernetes is responsible for resource limits?
Apply control group rule to specific (or all) Docker containers in Kubernetes cluster
How do I use an ingress behind a load balancer in GKE?

1 Answer

6/25/2019

I think you have RBAC activatet inside your Cluster. You need to assign a ServiceAccount to your pod which containing a Role, that allows this ServerAccount to get a list of all Namespaces. When no ServiceAccount is specified in the Pod-Template, the namespaces default ServiceAccount will be assigned to the pods running in this namespace.

First, you should create the Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: <YOUR NAMESPACE>
  name: namespace-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["namespaces"] # Resource is namespaces
  verbs: ["get", "list"] # Allowing this roll to get and list namespaces

Create a new ServiceAccount inside your Namespace

apiVersion: v1
kind: ServiceAccount
metadata:
  name: application-sa
  namespace: <YOUR-NAMESPACE>

Assign your Role created Role to the Service-Account:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-namespace-listing
  namespace: <YOUR-NAMESPACE>
subjects:
- kind: ServiceAccount
  name: application-sa # Your newly created Service-Account
  namespace: <YOUR-NAMESPACE>
roleRef:
  kind: Role
  name: namespace-reader # Your newly created Role
  apiGroup: rbac.authorization.k8s.io

Assign the new Role to your Pod by adding a ServiceAccount to your Pod Spec:

apiVersion: v1
kind: Pod
metadata:
  name: podname
  namespace: <YOUR-NAMESPACE>
spec:
  serviceAccountName: application-sa

You can read more about RBAC in the official docs. Maybe you want to use kubectl-Commands instead of YAML definitions.

-- Alex
Source: StackOverflow