Kubernetes cluster role with permissions to watch events

3/9/2020

I'm trying to create a cluster role with permissions to watch events, but it seems that I'm missing something.

I'm using the following:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: watch-events
  namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: watch-events-cluster
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: watch-events-cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: watch-events-cluster
subjects:
- kind: ServiceAccount
  name: watch-events
  namespace: test

No matter what I try with kubectl auth can-i watch events --as watch-events, I always get a no.

Am I missing something?

-- Juliano Costa
kubernetes
rbac

2 Answers

3/10/2020

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions

Default RBAC policies grant scoped permissions to control-plane components, nodes, and controllers, but grant no permissions to service accounts outside the kube-system namespace (beyond discovery permissions given to all authenticated users).

-- BMW
Source: StackOverflow

3/10/2020

The RBAC is correct and will give cluster-wide permission to watch events across all namespaces, but the kubectl command is incorrect. The command should be

kubectl auth can-i watch events --as=system:serviceaccount:test:watch-events

-- Arghya Sadhu
Source: StackOverflow
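The checks below are an added example, not part of either answer. They show why the question's command returns "no" (impersonating a plain user named watch-events, who has no bindings) while the corrected one returns "yes", and add the extra checks a practitioner would run: other namespaces, a verb the ClusterRole does not grant, and a cross-check with a real ServiceAccount token instead of impersonation. The script assumes kubectl is configured against a cluster where the ServiceAccount, ClusterRole and ClusterRoleBinding from the question have been applied, that the caller is allowed to impersonate (cluster-admin is), and, for the token step, a kubectl and cluster of version 1.24 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): verify what the ServiceAccount
# from the question can actually do. Assumes kubectl is configured against a
# cluster where the ServiceAccount, ClusterRole and ClusterRoleBinding above
# have been applied, and that the caller may impersonate (e.g. cluster-admin).

# The API server identifies a ServiceAccount by the username
# system:serviceaccount:<namespace>:<name>. "--as watch-events" asks about an
# unrelated user called "watch-events" with no bindings, hence "no".
sa_principal() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Wrapper around "kubectl auth can-i" that impersonates the ServiceAccount.
# Exit status is kubectl's: 0 = allowed ("yes"), 1 = denied ("no").
sa_can_i() {
  ns=$1; sa=$2; verb=$3; resource=$4; shift 4
  kubectl auth can-i "$verb" "$resource" --as="$(sa_principal "$ns" "$sa")" "$@"
}

# Print one line per check so several checks can be compared side by side.
report() {
  label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "yes  $label"; else echo "no   $label"; fi
}

demo() {
  # Expected "no": impersonating a plain user named watch-events.
  report "user watch-events, watch events (the question's command)" \
    kubectl auth can-i watch events --as watch-events

  # Expected "yes": bound through a ClusterRoleBinding, the ServiceAccount
  # may watch events in every namespace, not only its own.
  report "SA test/watch-events, watch events in test" \
    sa_can_i test watch-events watch events -n test
  report "SA test/watch-events, watch events in kube-system" \
    sa_can_i test watch-events watch events -n kube-system
  report "SA test/watch-events, watch events in all namespaces" \
    sa_can_i test watch-events watch events --all-namespaces

  # Expected "no": the ClusterRole grants only "watch". list/get are separate
  # verbs and must be added explicitly if the workload needs them.
  report "SA test/watch-events, list events in test" \
    sa_can_i test watch-events list events -n test

  # Cross-check without impersonation (kubectl >= 1.24): mint a short-lived
  # token for the ServiceAccount and authenticate with it directly. This is
  # the same path a pod running as that ServiceAccount takes.
  if token=$(kubectl create token watch-events -n test --duration=10m 2>/dev/null); then
    report "SA token, watch events in test" \
      kubectl auth can-i watch events -n test --token="$token"
  else
    echo "skip SA token check (kubectl create token unavailable)"
  fi
}

# Only run the live checks when kubectl is present; the helper functions
# above can be sourced and used on their own.
if command -v kubectl >/dev/null 2>&1; then
  demo
fi
```

Two design notes. Impersonation is itself a privilege: `kubectl auth can-i ... --as=...` only works when the caller holds the `impersonate` verb on `users` and `serviceaccounts`, which is why the token cross-check is worth keeping. And a ClusterRoleBinding is the broadest scope available; if the watcher only needs events from its own namespace, bind the same ClusterRole with a RoleBinding in `test` instead, and the `kube-system` and `--all-namespaces` checks above will correctly flip to "no".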