I set up a service account and a cluster role binding to give view
access to a pod for all namespaces:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mine-user
  namespace: mine
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mine-rolebinding
subjects:
- kind: User
  name: mine-user
  namespace: mine
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
I try to list deployments using curl:
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/apis/apps/v1/namespaces/mine/deployments
But I get an error:
"deployments.apps is forbidden: User \"system:serviceaccount:mine:mine-user\" cannot list resource \"deployments\" in API group \"apps\" in the namespace \"mine\""
The Role Binding exists though:
$ kubectl -n mine describe clusterrolebinding/mine-rolebinding
Name:         mine-rolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  view
Subjects:
  Kind  Name       Namespace
  ----  ----       ---------
  User  mine-user  mine
I also get the same error while using a custom cluster role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mine-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
$ kubectl -n mine describe clusterrolebinding/mine-rolebinding2
Name:         mine-rolebinding2
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  mine-role
Subjects:
  Kind  Name       Namespace
  ----  ----       ---------
  User  mine-user  mine

$ kubectl -n mine describe clusterrole/mine-role
Name:         mine-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  deployments.apps  []                 []              [get list watch]
You also need to define a Role. If you want read rights on deployments, you should first check which API group "deployments" belongs to:
kubectl api-resources
deployments   deploy   apps   true   Deployment
--> it belongs to the "apps" group
So the Role should look something like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mine
  name: mine-rolebinding
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
You can check the rights you have with the auth command:
kubectl auth can-i watch deployments --namespace mine --as mine-user
yes
More info:
https://kubernetes.io/docs/reference/access-authn-authz/authorization/
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
I see you created a ServiceAccount and you are trying to create a ClusterRoleBinding with subjects.kind: User, passing the name of this ServiceAccount. It is not going to work. Please change subjects.kind to ServiceAccount and remove subjects.apiGroup in your ClusterRoleBinding.
Or just apply this:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mine-user
  namespace: mine
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mine-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mine-rolebinding
subjects:
- kind: ServiceAccount
  name: mine-user
  namespace: mine
roleRef:
  kind: ClusterRole
  name: mine-role
  apiGroup: rbac.authorization.k8s.io
You can read more in kubernetes docs on how to refer to subjects in RoleBinding or ClusterRoleBinding.
Let me know if it works for you.
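As an added example (not from the question or either answer), a small Python check that mimics the RBAC subject-matching rule the second answer relies on: a service-account token authenticates as `system:serviceaccount:<namespace>:<name>`, so a `kind: User` subject named `mine-user` never matches it, while a `kind: ServiceAccount` subject does. The manifests are embedded as Python dicts constructed to mirror the question's YAML, and the `apiGroup` lint follows the answer's advice that ServiceAccount subjects must not set it.

```python
SA_USERNAME_PREFIX = "system:serviceaccount:"

def service_account_username(namespace: str, name: str) -> str:
    """Username the apiserver gives a ServiceAccount token (as seen in the forbidden error)."""
    return f"{SA_USERNAME_PREFIX}{namespace}:{name}"

def subject_matches(subject: dict, username: str, groups: tuple = ()) -> bool:
    """Mirror how RBAC matches one binding subject against the authenticated identity."""
    kind = subject.get("kind")
    if kind == "User":
        return subject.get("name") == username
    if kind == "Group":
        return subject.get("name") in groups
    if kind == "ServiceAccount":
        ns = subject.get("namespace")
        return bool(ns) and service_account_username(ns, subject["name"]) == username
    return False

def binding_applies(binding: dict, username: str, groups: tuple = ()) -> bool:
    """True if any subject of the (Cluster)RoleBinding matches the identity."""
    return any(subject_matches(s, username, groups) for s in binding.get("subjects", []))

def lint_subjects(binding: dict, service_accounts: list) -> list:
    """Findings for subjects that can never match a ServiceAccount token."""
    known = {(sa["metadata"]["namespace"], sa["metadata"]["name"]) for sa in service_accounts}
    findings = []
    for s in binding.get("subjects", []):
        kind, name, ns = s.get("kind"), s.get("name"), s.get("namespace")
        if kind == "User" and (ns, name) in known:
            findings.append(f"{name}: kind User names a ServiceAccount; use kind: ServiceAccount "
                            f"(the token's user is {service_account_username(ns, name)})")
        if kind == "ServiceAccount" and "apiGroup" in s:
            findings.append(f"{name}: ServiceAccount subjects must not set apiGroup")
    return findings

# Constructed to mirror the question's manifests (not parsed from YAML).
SERVICE_ACCOUNT = {"apiVersion": "v1", "kind": "ServiceAccount",
                   "metadata": {"name": "mine-user", "namespace": "mine"}}
BROKEN_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "mine-rolebinding"},
                  "subjects": [{"kind": "User", "name": "mine-user", "namespace": "mine",
                                "apiGroup": "rbac.authorization.k8s.io"}],
                  "roleRef": {"kind": "ClusterRole", "name": "view",
                              "apiGroup": "rbac.authorization.k8s.io"}}
FIXED_BINDING = {**BROKEN_BINDING,
                 "subjects": [{"kind": "ServiceAccount", "name": "mine-user", "namespace": "mine"}]}

if __name__ == "__main__":
    user = service_account_username("mine", "mine-user")
    print(binding_applies(BROKEN_BINDING, user), binding_applies(FIXED_BINDING, user))  # False True
    print(*lint_subjects(BROKEN_BINDING, [SERVICE_ACCOUNT]), sep="\n")
```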