How can I provision a volume (part II)?

11/23/2020

I am trying to configure RBAC so that I can provision a volume. This is a follow-up to this thread (https://stackoverflow.com/questions/64759440/how-can-i-properly-provision-a-volume-for-argo). Adding a role changed the error from "cannot get resource" to "cannot create resource".

I now think it is a Kubernetes issue, but still do not understand how to solve it.

error:

Error from server (Forbidden): error when creating "/tmp/manifest.yaml": persistentvolumeclaims is forbidden: User "system:serviceaccount:argo:argo" cannot create resource "persistentvolumeclaims" in API group "" in the namespace "argo" 

role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow
  namespace: argo
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
-- user3877654
kubernetes
persistent-volume-claims
volume

1 Answer

11/24/2020

RBAC auth rules are configured with K8s resources, which can be placed in two groups:

  • Roles and ClusterRoles, which specify which verbs/actions can be performed on which resources.
  • RoleBindings and ClusterRoleBindings, which bind the above roles to specific users, groups or ServiceAccounts.

In your case you successfully created the Roles, but what you are missing are the RoleBindings, in short words, who can perform the actions that you already specified.

A RoleBinding can be created using a YAML file:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workflow-argo
  namespace: argo
subjects:
# You can specify more than one "subject". The subject has to match the identity
# from the Forbidden error, here the ServiceAccount "argo" in the namespace "argo"
# (a ServiceAccount subject takes a namespace and no apiGroup)
- kind: ServiceAccount
  name: argo # "name" is case sensitive
  namespace: argo
roleRef:
  # with "roleRef" you specify the binding to a Role / ClusterRole
  kind: Role
  name: workflow # here you have to reference the name of your Role
  apiGroup: rbac.authorization.k8s.io

or with a command:

kubectl create rolebinding workflow-argo --role=workflow --serviceaccount=argo:argo --namespace=argo

For more, check the K8s documentation section: Using RBAC Authorization

-- acid_fuji
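As an added example that is not part of the original answer or of Kubernetes itself: a small Python model of the decision the API server makes for the request behind the Forbidden error above. The Role and RoleBindings are constructed Python dicts standing in for the YAML manifests (the three rules of the question's Role are condensed into one with the same verbs), and the model is deliberately simplified: it handles only namespaced RoleBindings, not ClusterRoleBindings, resourceNames, nonResourceURLs or ClusterRole aggregation. It shows why the Role alone yields Forbidden, why a binding for user jane does nothing for the ServiceAccount system:serviceaccount:argo:argo, and why a roleRef of kind ClusterRole pointing at a name that only exists as a Role (what --clusterrole=workflow would produce) grants nothing either.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One authorization question, with the fields the Forbidden error prints."""
    user: str                # e.g. system:serviceaccount:argo:argo
    groups: frozenset        # groups the authenticator attached to the user
    verb: str
    api_group: str           # "" is the core API group
    resource: str            # e.g. persistentvolumeclaims, pods/log
    namespace: str


def subject_matches(subject, request):
    """A RoleBinding subject grants nothing unless it names the caller exactly."""
    kind = subject["kind"]
    if kind == "ServiceAccount":
        # ServiceAccounts authenticate as the synthesized user system:serviceaccount:<ns>:<name>
        return request.user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if kind == "User":
        return request.user == subject["name"]
    if kind == "Group":
        return subject["name"] in request.groups
    return False


def rule_matches(rule, request):
    """A rule covers a request when apiGroup, resource and verb all match ("*" is a wildcard)."""
    def covers(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (covers(rule["apiGroups"], request.api_group)
            and covers(rule["resources"], request.resource)
            and covers(rule["verbs"], request.verb))


def resolve_role(roles, binding):
    """Look up the object a binding's roleRef points at; None if it does not exist."""
    ref = binding["roleRef"]
    for role in roles:
        if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
            continue
        # a Role is namespaced and must live in the binding's namespace; a ClusterRole is cluster-wide
        if ref["kind"] == "ClusterRole" or role["metadata"]["namespace"] == binding["metadata"]["namespace"]:
            return role
    return None


def authorize(roles, bindings, request):
    """Return (allowed, reason). RBAC is allow-only: if no binding matches, the answer is Forbidden."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != request.namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(subject_matches(s, request) for s in binding["subjects"]):
            continue  # binding exists, but not for this identity
        role = resolve_role(roles, binding)
        if role is None:
            continue  # dangling roleRef (e.g. kind ClusterRole for a name that is only a Role)
        if any(rule_matches(rule, request) for rule in role["rules"]):
            return True, f"allowed by RoleBinding/{binding['metadata']['name']} -> {role['kind']}/{role['metadata']['name']}"
    return False, (f'User "{request.user}" cannot {request.verb} resource "{request.resource}" '
                   f'in API group "{request.api_group}" in the namespace "{request.namespace}"')


# Constructed manifests (dicts standing in for the YAML) mirroring the Role in the question.
WORKFLOW_ROLE = {
    "kind": "Role",
    "metadata": {"name": "workflow", "namespace": "argo"},
    "rules": [{"apiGroups": [""],
               "resources": ["pods", "pods/log", "persistentvolumeclaims"],
               "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
}


def role_binding(name, subjects, ref_kind="Role", ref_name="workflow"):
    """Build a RoleBinding in the argo namespace (constructed helper for this example)."""
    return {"kind": "RoleBinding", "metadata": {"name": name, "namespace": "argo"},
            "subjects": subjects, "roleRef": {"kind": ref_kind, "name": ref_name}}


SA_BINDING = role_binding("workflow-argo", [{"kind": "ServiceAccount", "name": "argo", "namespace": "argo"}])
JANE_BINDING = role_binding("workflow-jane", [{"kind": "User", "name": "jane"}])
CLUSTERROLE_BINDING = role_binding("workflow-cr", SA_BINDING["subjects"], ref_kind="ClusterRole")

# The request behind the Forbidden error in the question (groups as the API server attaches them).
PVC_CREATE = Request(user="system:serviceaccount:argo:argo",
                     groups=frozenset({"system:serviceaccounts", "system:serviceaccounts:argo"}),
                     verb="create", api_group="", resource="persistentvolumeclaims", namespace="argo")


if __name__ == "__main__":
    for label, bindings in [("Role only", []),
                            ("Role + ServiceAccount binding", [SA_BINDING]),
                            ("Role + binding for user jane", [JANE_BINDING]),
                            ("Role + binding whose roleRef is a ClusterRole", [CLUSTERROLE_BINDING])]:
        print(f"{label}: {authorize([WORKFLOW_ROLE], bindings, PVC_CREATE)}")
```

On a real cluster the equivalent check is `kubectl auth can-i create persistentvolumeclaims --as=system:serviceaccount:argo:argo -n argo`, which answers yes or no without having to apply a manifest and read the Forbidden error.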
Source: StackOverflow