io.fabric8.kubernetes.client.KubernetesClientException: Forbidden!Configured service account doesn't have access

3/16/2021

    import io.fabric8.kubernetes.client.Config;
    import io.fabric8.kubernetes.client.ConfigBuilder;
    import io.fabric8.kubernetes.client.DefaultKubernetesClient;
    import io.fabric8.kubernetes.client.KubernetesClient;
    import io.fabric8.kubernetes.client.KubernetesClientException;

    // Wrapper class added so the snippet compiles; the class name is arbitrary.
    public class ListPods {
        public static void main(String[] args) {
            Config config = new ConfigBuilder()
                    .withMasterUrl("https://c2.eu-de.containers.cloud.ibm.com:78945")
                    .build();
            try (KubernetesClient client = new DefaultKubernetesClient(config)) {
                // List every Pod in the "default" namespace and print its name
                client.pods().inNamespace("default").list().getItems().forEach(
                        pod -> System.out.println(pod.getMetadata().getName())
                );
            } catch (KubernetesClientException ex) {
                // Handle exception
                ex.printStackTrace();
            }
        }
    }

I am getting this error: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://c2.eu-de.containers.cloud.ibm.com:78945/api/v1/namespaces. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. namespaces is forbidden: User "system:serviceaccount:badefault" cannot list resource "namespaces" in API group "" at the cluster scope.

-- ShanDar
Tags: fabric8, kubernetes, namespaces

2 Answers

3/16/2021

It means that the ServiceAccount you use, badefault, does not have access to the resource namespaces. Please check Using RBAC Authorization. You need to create the required Role and RoleBinding.

-- Rafał Leszko
Source: StackOverflow

3/17/2021

From your error, it looks like your ServiceAccount doesn't have the required access to perform that specific operation. You've posted code for listing Pod objects, but your error is complaining about listing Namespace objects:

    User "system:serviceaccount:badefault" cannot list resource "namespaces" in API group "" at the cluster scope

You can provide Cluster Admin access to your ServiceAccount with this command:

    kubectl create clusterrolebinding default-pod --clusterrole cluster-admin --serviceaccount=<namespace>:badefault

If you don't want to give it Cluster Admin access, you can define a custom ClusterRole to restrict which apiGroups and resources you want your ServiceAccount to access:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: badefault-cluster-role
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      - namespaces
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

You can then define a ClusterRoleBinding to bind this ClusterRole to your ServiceAccount object:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: badefault-cluster-role-binding
    subjects:
      - kind: ServiceAccount
        name: badefault
        namespace: default
    roleRef:
      kind: ClusterRole
      name: badefault-cluster-role
      apiGroup: rbac.authorization.k8s.io

With this, your ServiceAccount should be able to access Pod and Namespace objects at cluster scope.

-- Rohan Kumar
Source: StackOverflow
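The following is an added example, not code from the question or from the fabric8 project, showing how a client can tell an RBAC denial apart from other failures and check its own permissions before calling the API. It assumes the fabric8 kubernetes-client 5.x API (`client.authorization().v1().selfSubjectAccessReview()`, `KubernetesClientException.getCode()`), a hypothetical cluster URL, and an arbitrary class name `PodLister`. A SelfSubjectAccessReview asks the API server the same question as `kubectl auth can-i` and needs no extra RBAC grant, so it works even for a service account that is otherwise locked down.

```java
import io.fabric8.kubernetes.api.model.Pod;
import io.fabric8.kubernetes.api.model.Status;
import io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReview;
import io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReviewBuilder;
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientException;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical class name; the code is an added illustration, not the asker's program.
public class PodLister {

    /**
     * Asks the API server whether the identity behind this client may perform
     * `verb` on `resource` in `namespace` (the same check `kubectl auth can-i` does).
     * Creating a SelfSubjectAccessReview requires no RBAC permission of its own.
     */
    static boolean canI(KubernetesClient client, String namespace, String verb, String resource) {
        SelfSubjectAccessReview review = new SelfSubjectAccessReviewBuilder()
                .withNewSpec()
                    .withNewResourceAttributes()
                        .withNamespace(namespace)
                        .withVerb(verb)
                        .withResource(resource)   // core API group: group is left unset
                    .endResourceAttributes()
                .endSpec()
                .build();
        SelfSubjectAccessReview result =
                client.authorization().v1().selfSubjectAccessReview().create(review);
        return result.getStatus() != null && Boolean.TRUE.equals(result.getStatus().getAllowed());
    }

    /**
     * Lists Pod names in one namespace. An HTTP 403 is reported as an RBAC problem
     * together with the server's own message, which names the subject, verb and
     * resource that a Role/ClusterRole rule must cover; other failures propagate.
     */
    static List<String> listPodNames(KubernetesClient client, String namespace) {
        try {
            List<Pod> pods = client.pods().inNamespace(namespace).list().getItems();
            List<String> names = new ArrayList<>();
            for (Pod pod : pods) {
                names.add(pod.getMetadata().getName());
            }
            return names;
        } catch (KubernetesClientException ex) {
            if (ex.getCode() == 403) {
                Status status = ex.getStatus();
                String detail = status != null && status.getMessage() != null
                        ? status.getMessage() : ex.getMessage();
                System.err.println("RBAC denied the request: " + detail);
                return Collections.emptyList();
            }
            throw ex;   // network, TLS, 401, 404 etc. are different problems
        }
    }

    public static void main(String[] args) {
        // Hypothetical API server URL; replace with your own cluster endpoint.
        Config config = new ConfigBuilder()
                .withMasterUrl("https://kubernetes.example.invalid:6443")
                .build();
        String namespace = "default";
        try (KubernetesClient client = new DefaultKubernetesClient(config)) {
            if (!canI(client, namespace, "list", "pods")) {
                System.err.println("This service account cannot list pods in " + namespace
                        + "; bind a Role with verbs [get, list, watch] on pods in that namespace.");
                return;
            }
            listPodNames(client, namespace).forEach(System.out::println);
        }
    }
}
```

Because the asker's program only lists Pods in one namespace, the least-privilege grant is a namespace-scoped Role with `get`, `list` and `watch` on `pods` plus a RoleBinding to the service account, rather than `cluster-admin` or a ClusterRole with write verbs; the pre-check above tells you whether that narrower grant is sufficient before the first real request is made.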