K
Q

Kubernetes RBAC: permissions mismatching

5/26/2020

I'm facing with next issue. I'm requesting to kubernetes whether I'm able to make some operation:

$ kubectl auth can-i list secrets --namespace iotdevadm
no - no RBAC policy matched

Above, I'm asking for listing secrets. According to response, I'm not able to do that.

However:

$ kubectl get secrets
NAME                              TYPE                                  DATA   AGE
builder-dockercfg-9m9rf           kubernetes.io/dockercfg               1      23h
builder-token-6xxdn               kubernetes.io/service-account-token   4      23h
builder-token-qc7q7               kubernetes.io/service-account-token   4      23h
default-dockercfg-qs7sj           kubernetes.io/dockercfg               1      23h
default-token-n4lpw               kubernetes.io/service-account-token   4      23h
default-token-n7rhh               kubernetes.io/service-account-token   4      23h
deployer-dockercfg-nhnps          kubernetes.io/dockercfg               1      23h
deployer-token-5rkb6              kubernetes.io/service-account-token   4      23h
deployer-token-v85wp              kubernetes.io/service-account-token   4      23h
istio.builder                     istio.io/key-and-cert                 3      23h
istio.default                     istio.io/key-and-cert                 3      23h
istio.deployer                    istio.io/key-and-cert                 3      23h
istio.kafka                       istio.io/key-and-cert                 3      16h
istio.zeppelin                    istio.io/key-and-cert                 3      18h
kafka-dockercfg-whltw             kubernetes.io/dockercfg               1      16h
kafka-token-crrxt                 kubernetes.io/service-account-token   4      16h
kafka-token-j5dgd                 kubernetes.io/service-account-token   4      16h
sh.helm.release.v1.kafka.v1       helm.sh/release.v1                    1      16h
sh.helm.release.v1.spark.v1       helm.sh/release.v1                    1      16h
sh.helm.release.v1.zeppelin.v1    helm.sh/release.v1                    1      18h
sh.helm.release.v1.zookeeper.v1   helm.sh/release.v1                    1      16h
spark-secret                      Opaque                                0      16h
zeppelin-dockercfg-7zdkm          kubernetes.io/dockercfg               1      18h
zeppelin-token-85jtc              kubernetes.io/service-account-token   4      18h
zeppelin-token-x4r5c              kubernetes.io/service-account-token   4      18h
-- Jordi
kubernetes

Similar Questions

elasticsearch connector doesn't work - java.lang.NoClassDefFoundError: com/google/common/collect/ImmutableSet
Strange response time when calling Elasticsearch from same cluster on Kubernetes
Kubernetes liveness probe
Liveness/Readiness Probes Failing when using Talisman for Flask/Python

2 Answers

5/26/2020

The commands that you are running are different- one has get and the other one has list.

kubectl get secrets

Above command will get secrets in the namespace configured in kubeconfig. I assume the namespace is iotdevadm in kubeconfig. If this is not the case then run below command.

kubectl get secrets -n iotdevadm

The equivalent command to check permission should be as below.

kubectl auth can-i get secrets --namespace iotdevadm

This command will check permission to get secrets for the user configured in kubeconfig in namespace iotdevadm.

-- Arghya Sadhu
Source: StackOverflow
5/26/2020

kubectl get secrets will list secrets from default namespace unless you have set a namespace context for the current cluster in your kubeconfig file.

kubectl get secrets -n iotdevadm to list secrets from iotdevadm namespace.

-- hdhruna
Source: StackOverflow