I created the following objects in a k8s cluster.
Please see below the YAML files for the Role and RoleBinding resources.
$ cat developer.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: testpsp
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - create
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - '*'
```
$ cat developer-binding.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: testpsp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- kind: ServiceAccount
  name: testuser
```
As you can see in the above-mentioned Role manifest file, I have given CREATE permission on the Pod resource to the testuser service account. But I am still getting the error.
Error:
```
Error from server (Forbidden): error when creating "hello-pod.yaml": pods is forbidden: User "testuser" cannot create resource "pods" in API group "" in the namespace "testpsp"
```
Here is the Pod YAML file. Am I missing anything here?
$ cat hello-pod.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-pod
  namespace: testpsp
spec:
  serviceAccountName: testuser
  containers:
  - name: hello-kubernetes
    image: paulbouwer/hello-kubernetes:1.5
    ports:
    - containerPort: 8080
```
Here is the command that I'm running to create the Pod.
```
$ kubectl --as=testuser -n testpsp create -f hello-pod.yaml
```
While troubleshooting this issue, I noticed that instead of directly mentioning the ServiceAccount name in the "as" flag of the kubectl command, we need to use the following format:
system:serviceaccount:<namespace_name>:<serviceaccount_name>
In my case, it will look like this: system:serviceaccount:testpsp:testuser
Afterwards, it started working fine.
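To make the reason visible, here is an added example (not code from the question or from Kubernetes itself) that models how the RBAC authorizer maps the value of `--as` onto RoleBinding subjects. `--as=testuser` impersonates a User named `testuser`, which no subject in the binding names, so the error above reports `User "testuser"`; `--as=system:serviceaccount:testpsp:testuser` is the username Kubernetes assigns to the service account, which the ServiceAccount subject does match. The Role and RoleBinding are transcribed from the question; the model is deliberately simplified (namespaced Role/RoleBinding only, no Groups, ClusterRoles or resourceNames) and, as an assumption, treats a ServiceAccount subject with no namespace as belonging to the binding's namespace.

```python
"""Simplified model of RBAC subject matching for an impersonated username.

Added example, not Kubernetes' own authorizer code. Assumptions: only
namespaced Role/RoleBinding evaluation; Groups, ClusterRoles, resourceNames
and non-resource URLs are ignored; a ServiceAccount subject without a
namespace is scoped to the binding's namespace.
"""

# The Role and RoleBinding from the question, transcribed as dicts.
ROLE = {
    "metadata": {"name": "developer", "namespace": "testpsp"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "create"]},
        {"apiGroups": ["extensions", "apps"],
         "resources": ["deployments", "replicasets"], "verbs": ["*"]},
    ],
}
ROLE_BINDING = {
    "metadata": {"name": "developer-binding", "namespace": "testpsp"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "developer"},
    "subjects": [{"kind": "ServiceAccount", "name": "testuser"}],
}

SA_USERNAME_PREFIX = "system:serviceaccount:"


def parse_impersonated_user(username):
    """Map a --as value to the subject it denotes as (kind, namespace, name).

    Kubernetes names a service account 'system:serviceaccount:<ns>:<name>';
    any other string is a plain User with exactly that name.
    """
    if username.startswith(SA_USERNAME_PREFIX):
        namespace, sep, name = username[len(SA_USERNAME_PREFIX):].partition(":")
        if not sep or not namespace or not name:
            raise ValueError("malformed service account username: %r" % username)
        return ("ServiceAccount", namespace, name)
    return ("User", None, username)


def subject_matches(subject, binding_namespace, who):
    """True if one RoleBinding subject entry refers to the impersonated identity."""
    kind, namespace, name = who
    if subject["kind"] != kind or subject["name"] != name:
        return False
    if kind == "ServiceAccount":
        # Model assumption: a ServiceAccount subject with no explicit namespace
        # (as in the question's binding) is scoped to the binding's namespace.
        return subject.get("namespace", binding_namespace) == namespace
    return True


def rule_allows(rule, verb, api_group, resource):
    """True if a single PolicyRule covers the request; '*' is a wildcard."""
    def covers(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (covers(rule["verbs"], verb)
            and covers(rule["apiGroups"], api_group)
            and covers(rule["resources"], resource))


def can_i(username, verb, api_group, resource, namespace,
          role=ROLE, binding=ROLE_BINDING):
    """Simplified namespaced decision: a binding in this namespace must name a
    matching subject, and the bound Role must contain a rule covering the request."""
    who = parse_impersonated_user(username)
    if binding["metadata"]["namespace"] != namespace:
        return False
    if not any(subject_matches(s, namespace, who) for s in binding["subjects"]):
        return False
    ref = binding["roleRef"]
    if ref["kind"] != "Role" or ref["name"] != role["metadata"]["name"]:
        return False
    return any(rule_allows(r, verb, api_group, resource) for r in role["rules"])


if __name__ == "__main__":
    for user in ("testuser", "system:serviceaccount:testpsp:testuser"):
        verdict = "allowed" if can_i(user, "create", "", "pods", "testpsp") else "forbidden"
        print("%-45s create pods in testpsp -> %s" % (user, verdict))
```

Against a real cluster the same question is answered by the API server with `kubectl auth can-i create pods -n testpsp --as=system:serviceaccount:testpsp:testuser`, which is a quicker check than creating the Pod and reading the Forbidden error.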