K
Q

Kubernetes - User "system:serviceaccount:management:gitlab-admin" cannot get resource "serviceaccounts" in API >group "" in the namespace "services"

3/11/2021

I am getting this error -

Error: rendered manifests contain a resource that already exists. Unable to continue with >install: could not get information about the resource: serviceaccounts "simpleapi" is forbidden: >User "system:serviceaccount:management:gitlab-admin" cannot get resource "serviceaccounts" in API >group "" in the namespace "services"

apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: gitlab
    namespace: kube-system
  - kind: ServiceAccount
    name: gitlab
    namespace: services

I am using this for RBAC as cluster-admin. Why am I getting this . I also tried the below but still got the same issue . Can someone explain what is that I am doing wrong here - 

apiVersion: rbac.authorization.k8s.io/v1
kind: "ClusterRole"
metadata:
  name: gitlab-admin
  labels:
    app: gitlab-admin
rules:
  - apiGroups: ["*"] # also tested with ""
    resources:
      [
        "replicasets",
        "pods",
        "pods/exec",
        "secrets",
        "configmaps",
        "services",
        "deployments",
        "ingresses",
        "horizontalpodautoscalers",
        "serviceaccounts",
      ]
    verbs: ["get", "list", "watch", "create", "patch", "delete", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: "ClusterRoleBinding"
metadata:
  name: gitlab-admin-global
  labels:
    app: gitlab-admin
roleRef:
  apiGroup: "rbac.authorization.k8s.io"
  kind: "ClusterRole"
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: gitlab-admin
    namespace: management
  - kind: ServiceAccount
    name: gitlab-admin
    namespace: services
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-admin
  namespace: management
  labels:
    app: gitlab-admin
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-admin
  namespace: services
  labels:
    app: gitlab-admin
-- Joy
kubernetes
kubernetes-rbac

Similar Questions

TLS connection from API Gateway to Ingress
Delete namespace and also delete helm deployment?
Install kubernetes on debian stretch server without systemd
Ingress controller to route TCP traffic
Spinnaker setup on private Kubernetes cluster

1 Answer

3/25/2021

So here is what happened . I needed to run this as inside the namespace i.e I changed the config to run from the namespace management itself . 

kubectl config set-context --current --namespace=management

And then 

kubectl apply -f gitlab-admin.yaml
-- Joy
Source: StackOverflow