Unable to read resources via K8s API

10/13/2020

UPDATED
I am trying to get resources via curl inside a pod deployed on K8s.
While I am able to fetch the list of pods via a curl request, I can't for configmaps and nodes.

Here is the Role Binding I am using (working for pods):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", “configmaps”]
  verbs: ["get","list"]


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-cro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["nodes”]
  verbs: ["get","list"]

and when I try to fetch the list of nodes:

curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/nodes
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "nodes is forbidden: User \"system:serviceaccount:test:test\" cannot list resource \"nodes\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "nodes"
  },

the same for configmaps:

curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/configmaps
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "configmaps is forbidden: User \"system:serviceaccount:test:test\" cannot list resource \"configmaps\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "configmaps"
  },
  "code": 403

On pods, instead, it is working.
What could be the issue? A wrong configuration on the RoleBinding?

-- user1971444
curl
kubernetes
rbac

1 Answer

10/14/2020

To give the test-ro Role access to list ConfigMaps, the resource name must be specified in its plural form. This is likely why listing Pods works, but listing ConfigMaps does not. So the Role should be specified like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "configmaps"]
  verbs: ["get","list"]

Listing Nodes requires some different configuration due to Nodes being a cluster-level resource rather than a namespaced resource. Due to this, the nodes permissions must be given in a ClusterRole.

Additionally, the API URL to list nodes does not have the namespace. The correct URL would be https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/nodes.

An example of a working ClusterRole could be this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["nodes"]
  verbs: ["get","list"]
-- Lauri Koskela
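The following is an added example, not code from the question or the answer: a small model of how the API server's RBAC authorizer matches a request against the rules a subject receives, so the two failures above can be reproduced offline. It assumes a simplified binding model (a RoleBinding grants its rules only inside its own namespace, a ClusterRoleBinding grants them cluster-wide) and a constructed set of cluster-scoped resources; resourceNames, subresources, nonResourceURLs and aggregated ClusterRoles are not modelled.

```python
# Added example: minimal RBAC rule matching (not the API server's code).
# Resource names are compared verbatim, so the curly-quoted entry from the
# question's Role is stored as the string “configmaps” and never matches.

# Constructed list of core resources that live at cluster scope.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes"}


def rule_allows(rule, group, resource, verb):
    """A PolicyRule matches only if apiGroups, resources and verbs all match."""
    def hit(field, value):
        values = rule.get(field, [])
        return "*" in values or value in values
    return hit("apiGroups", group) and hit("resources", resource) and hit("verbs", verb)


def can_i(bindings, verb, resource, namespace=None, group=""):
    """bindings: dicts {"scope": "namespace"|"cluster", "namespace": ns|None, "rules": [...]},
    i.e. what a subject gets through a RoleBinding or a ClusterRoleBinding.
    namespace=None means a cluster-scoped request such as GET /api/v1/nodes."""
    if resource in CLUSTER_SCOPED:
        namespace = None  # the URL for these resources carries no namespace
    for b in bindings:
        if b["scope"] == "namespace":
            # A namespaced binding grants nothing at cluster scope and nothing
            # in other namespaces, so it can never allow listing nodes.
            if namespace is None or namespace != b["namespace"]:
                continue
        if any(rule_allows(r, group, resource, verb) for r in b["rules"]):
            return True
    return False


# Rules as YAML would hand them to the authorizer (constructed from the post).
BROKEN_ROLE_RULES = [{"apiGroups": [""], "resources": ["pods", "\u201cconfigmaps\u201d"], "verbs": ["get", "list"]}]
FIXED_ROLE_RULES = [{"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]}]
NODES_RULES = [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]


def question_scenario():
    """Assumed: both roles bound with RoleBindings in namespace 'test'."""
    return [{"scope": "namespace", "namespace": "test", "rules": BROKEN_ROLE_RULES},
            {"scope": "namespace", "namespace": "test", "rules": NODES_RULES}]


def fixed_scenario():
    """Corrected Role in 'test' plus the nodes ClusterRole bound cluster-wide."""
    return [{"scope": "namespace", "namespace": "test", "rules": FIXED_ROLE_RULES},
            {"scope": "cluster", "namespace": None, "rules": NODES_RULES}]
```

Note that even the corrected Role only answers requests for the namespace it is bound in, so a request to /api/v1/namespaces/default/configmaps still fails unless the binding lives in default.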
Source: StackOverflow