Hi,
I’m deploying my project on OpenShift using groovy Jenkins. On the OpenShift 3.9 cluster I was able to deploy successfully, but then my client decided to move to an OpenShift 3.11 cluster. I was given the new configuration with cluster name and token by the CI team; of course I don’t have full permission on the cluster. So when I changed to the new URL, cluster name and token, I always get the error message “Rolebindings.rbac.authorization.k8s.io is forbidden: User system:serviceaccount:abc:jenkins can not list in rolebinding.rbac.authorization.k8s.io in namespace ‘projectname’: no RABC match”. I have used the oc command line to check who can deploy, and system:serviceaccount:abc:jenkins is not listed under my project namespace. I have asked the CI person and they said it’s not a permission issue; it relates to the cluster configuration.
You are trying to use a service account to give itself a rolebinding but the service account does not have permission to do so.
Check the permissions of the service account:
$ kubectl auth can-i list rolebindings -n projectname --as=system:serviceaccount:abc:jenkins
no
A cluster admin needs to run the commands below to give the service account permission:
$ oc policy add-role-to-user edit system:serviceaccount:abc:jenkins \
-n projectname
$ oc policy add-role-to-user system:image-puller system:serviceaccount:abc:jenkins \
    -n projectname
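
To see every missing permission in one pass instead of one `can-i` call at a time, the check above can be looped over a list of verb/resource pairs. This is an added example, not part of the original answer; the function name `missing_permissions`, the `KUBECTL` variable and the `CHECKS` list (apart from `list rolebindings`, which is taken from the error message) are assumptions to adapt to what the pipeline actually does.

```shell
#!/bin/sh
# Added example: report which permissions a service account lacks in a namespace.
# Set KUBECTL=oc to use the OpenShift client instead of kubectl.
KUBECTL="${KUBECTL:-kubectl}"

# verb:resource pairs to probe. "list:rolebindings" comes from the error in
# the question; the others are assumed and should be adjusted to match what
# the deploy job really does.
CHECKS="list:rolebindings get:deploymentconfigs create:deploymentconfigs patch:deploymentconfigs get:imagestreams create:pods"

# missing_permissions NAMESPACE USER
# Prints one "verb resource" line per denied check.
# Returns 0 when every check is allowed, 1 when at least one is denied.
missing_permissions() {
  local ns="$1" sa="$2" denied=0 check verb resource answer
  for check in $CHECKS; do
    verb="${check%%:*}"
    resource="${check#*:}"
    # --as impersonates the service account, so the caller needs impersonate
    # rights. Without them the query itself fails and the check is reported
    # as denied; in that case run the script with the service account's own
    # token and drop --as.
    answer="$("$KUBECTL" auth can-i "$verb" "$resource" \
      -n "$ns" --as="$sa" 2>/dev/null || true)"
    if [ "$answer" != "yes" ]; then
      echo "$verb $resource"
      denied=1
    fi
  done
  return "$denied"
}

# Run directly as: ./check-sa.sh projectname system:serviceaccount:abc:jenkins
if [ "$#" -eq 2 ]; then
  missing_permissions "$1" "$2"
fi
```

Running it before and after the role is granted shows exactly which checks the new binding fixed, which helps confirm that the service account received only the access the deployment needs.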