Create a role to view cluster events

7/16/2020

I created a cluster role to view its events:

kubectl create clusterrole events-view -n my-namespace --verb get --resource events
kubectl create clusterrolebinding events-view -n my-namespace --group 'activedirectory_group://my-groups-canonical-name' --clusterrole events-view

But when I try to see events I get this:

> kubectl auth can-i get events -n my-namespace
yes
> kubectl get events -n my-namespace
Error from server (Forbidden): events is forbidden: User "u-wwrp76jtem" cannot list resource "events" in API group "" in the namespace "my-namespace"

This is the output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.8", GitCommit:"ec6eb119b81be488b030e849b9e64fda4caaf33c", GitTreeState:"clean", BuildDate:"2020-03-12T21:00:06Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
-- towel
kubernetes

1 Answer

7/16/2020

Make sure the user u-wwrp76jtem is part of the group activedirectory_group://my-groups-canonical-name

You should try the command below to verify the group's permission:

kubectl auth can-i get events -n my-namespace --as-group=activedirectory_group://my-groups-canonical-name
-- Arghya Sadhu
Source: StackOverflow
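
The Forbidden error in the question names the verb `list`, while the role was created with `--verb get` only: `kubectl get events` without a resource name sends a list request, which `get` does not cover. The manifest below is an added example, not part of the original question or answer; it grants the read verbs on events and uses a RoleBinding so the grant applies only in `my-namespace`. The names are reused from the question, and the RoleBinding name `events-view` is an assumption.

```yaml
# Added example: read-only access to events, limited to one namespace.
# Role, group and namespace names are the ones used in the question.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: events-view
rules:
  - apiGroups: [""]          # core API group, as named in the Forbidden error
    resources: ["events"]
    verbs:
      - get                  # kubectl get events <name>
      - list                 # kubectl get events   (the request that was denied)
      - watch                # kubectl get events --watch
---
# A RoleBinding may reference a ClusterRole; the grant then applies only in
# metadata.namespace. A ClusterRoleBinding is cluster-scoped, so "-n" has no
# effect on it and the group would hold these verbs in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: events-view          # assumed name for the binding
  namespace: my-namespace
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "activedirectory_group://my-groups-canonical-name"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: events-view
```

After applying it, `kubectl auth can-i list events -n my-namespace` checks the verb that `kubectl get events` actually uses, rather than `get`.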