GCP group level access in Kubernetes namespace not working

4/14/2020

The group email ID contains users who are synced to GCP from Azure AD. Through IaC I am trying to apply group-level admin access to a Kubernetes namespace.

We are using a group email ID with users to maintain IAM for namespaces. I want to give admin access to a namespace for a group email ID (a distribution list with users associated with the email) in k8s. Below is the code. Issue: users within this group email ID do not get admin access to the namespace. Could anyone help me identify the issue?

Error: Error from server (Forbidden): deployments.apps is forbidden: User "devops@rock.com" cannot create resource "deployments" in API group "apps" in the namespace "rock-mesh": Required "container.deployments.create" permission.

---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: rock-mesh
    istio-injection: enabled
  name: rock-mesh
spec:
  finalizers:
    - kubernetes
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  namespace: rock-mesh
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubectl-admin
  namespace: rock-mesh
roleRef:
  kind: Role
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: rockrockconnectivitylist@rock.com
---
-- Mek.Dingi
google-cloud-platform
kubernetes
namespaces
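A small RBAC evaluator, added here as an illustration and not part of the question or of any GKE tooling: it embeds the posted Role and RoleBinding as dicts and shows that a Group subject only grants access when the authenticator attaches that group name to the request, which is the situation the error message describes (user known, no matching group). The user name and group lists are constructed, and ClusterRoles and ClusterRoleBindings are left out for brevity.

```python
"""Simplified RBAC evaluation for the Role/RoleBinding in the question.

Constructed example: manifests are embedded as dicts, and the groups a
request carries are an assumption (RBAC only sees what the authenticator
attaches; it never looks up group membership itself).
"""

NAMESPACE = "rock-mesh"
ROLES = {  # (namespace, name) -> rules, mirroring the posted Role "admin"
    (NAMESPACE, "admin"): [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLE_BINDINGS = [  # mirroring the posted RoleBinding "kubectl-admin"
    {"namespace": NAMESPACE, "roleRef": {"kind": "Role", "name": "admin"},
     "subjects": [{"kind": "Group", "name": "rockrockconnectivitylist@rock.com"}]},
]

def _match(allowed, value):
    # RBAC matches a literal value or the "*" wildcard; the core API group is "".
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, verb):
    return (_match(rule["apiGroups"], api_group)
            and _match(rule["resources"], resource)
            and _match(rule["verbs"], verb))

def subject_matches(subject, user, groups):
    # A Group subject matches only if the request carries that exact group name.
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope here

def can_i(user, groups, verb, resource, api_group, namespace):
    """Return True if some RoleBinding in `namespace` grants the request."""
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user, groups) for s in rb["subjects"]):
            continue
        rules = ROLES.get((namespace, rb["roleRef"]["name"]), [])
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False

def over_broad_rules():
    """Flag wildcard rules: "*" on "*" with verb "*" is full control of the namespace."""
    return [(name, r) for (ns, name), rules in ROLES.items() for r in rules
            if all("*" in r[k] for k in ("apiGroups", "resources", "verbs"))]
```

On GKE the groups attached to a request come from Google Groups for RBAC, which requires the feature to be enabled on the cluster and the group to be a member of the domain's gke-security-groups group; `kubectl auth can-i create deployments.apps -n rock-mesh` run as the affected user is the live equivalent of `can_i()`.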

0 Answers