Kubernetes RBAC: pod/exec create operation is forbidden

12/25/2020

I am working on an operator and using operator-sdk for operator development. I am doing a pod exec for some business logic, but it keeps failing with the following error:

Failed to cleanup testst StatefulSet StatefulSet.Name : devst{"Instance.Namespace": "default", "Instance.Name": "testst-sample", "error": "pods \"testst-0\" is forbidden: User \"system:serviceaccount:test-db:default\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\""}

Following is the role definition:

Name:         manager-role
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"creationTimestamp":null,"name":"manager-ro...
PolicyRule:
  Resources                                  Non-Resource URLs  Resource Names  Verbs
  ---------                                  -----------------  --------------  -----
  statefulsets.''/finalizers                 []                 []              [create delete get list patch update watch]
  configmaps                                 []                 []              [create delete get list patch update watch]
  persistentvolumeclaims                     []                 []              [create delete get list patch update watch]
  secrets                                    []                 []              [create delete get list patch update watch]
  services                                   []                 []              [create delete get list patch update watch]
  statefulsets.apps                          []                 []              [create delete get list patch update watch]
  teststapps.example.com                     []                 []              [create delete get list patch update watch]
  teststapps.example.com/finalizers          []                 []              [create delete get patch update]
  pods/exec                                  []                 []              [create get]
  pods/log                                   []                 []              [get list watch]
  pods                                       []                 []              [get list watch]
  teststapps.example.com/status              []                 []              [get patch update]

Role binding definition:

kubectl describe clusterrolebinding.rbac.authorization.k8s.io/manager-rolebinding
Name:         manager-rolebinding
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"manager-rolebinding"},"roleR...
Role:
  Kind:  ClusterRole
  Name:  manager-role
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  default  system

Please advise what I am doing wrong.

-- drifter
kubernetes
operator-sdk

1 Answer

12/26/2020

As per the RoleBinding, you have associated the ClusterRole manager-role with the ServiceAccount default in the system namespace, but from the error the ServiceAccount is default in the test-db namespace.

If you change the namespace from system to test-db in the RoleBinding, it should work. Also make sure to create the RoleBinding in the test-db namespace instead of the system namespace.

-- Arghya Sadhu
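An added diagnostic, not part of the question or the answer, that encodes the answer's reasoning: a ServiceAccount subject in a binding grants the role to the user named in a forbidden error only when both the namespace and the name agree. The error text is copied from the question; the subject lists are constructed from the describe output above (before and after the suggested namespace change).

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the forbidden error from the question (plain quotes, not the JSON-escaped log line).
FORBIDDEN_ERROR = ('pods "testst-0" is forbidden: User "system:serviceaccount:test-db:default" '
                   'cannot create resource "pods/exec" in API group "" in the namespace "default"')

# The API server names a ServiceAccount as system:serviceaccount:<namespace>:<name>.
ERR_RE = re.compile(r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<name>[^"]+)" '
                    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"')


def parse_forbidden(msg: str) -> Optional[Dict[str, str]]:
    """Extract ServiceAccount namespace/name, verb and resource from an RBAC forbidden error."""
    m = ERR_RE.search(msg.replace('\\"', '"'))  # tolerate quotes escaped inside a JSON log field
    return m.groupdict() if m else None


def subject_matches(subject: Dict[str, str], sa_ns: str, sa_name: str) -> bool:
    """A ServiceAccount subject matches only when kind, namespace and name all agree."""
    return (subject.get("kind") == "ServiceAccount"
            and subject.get("namespace") == sa_ns
            and subject.get("name") == sa_name)


def binding_covers(subjects: List[Dict[str, str]], msg: str) -> bool:
    """True if any subject of the binding is the ServiceAccount that was denied in msg."""
    info = parse_forbidden(msg)
    if info is None:
        raise ValueError("not an RBAC forbidden message")
    return any(subject_matches(s, info["ns"], info["name"]) for s in subjects)


# Subjects as shown in the question's ClusterRoleBinding (constructed from the describe output).
CURRENT_SUBJECTS = [{"kind": "ServiceAccount", "name": "default", "namespace": "system"}]
# Subjects after the answer's fix: the namespace changed from system to test-db.
FIXED_SUBJECTS = [{"kind": "ServiceAccount", "name": "default", "namespace": "test-db"}]

if __name__ == "__main__":
    info = parse_forbidden(FORBIDDEN_ERROR)
    print("denied:", info)
    print("current binding covers the denied account:", binding_covers(CURRENT_SUBJECTS, FORBIDDEN_ERROR))
    print("fixed binding covers the denied account:  ", binding_covers(FIXED_SUBJECTS, FORBIDDEN_ERROR))
```

The same check can be done against a live cluster with `kubectl auth can-i create pods/exec --as=system:serviceaccount:test-db:default -n default`.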
Source: StackOverflow