Kubernetes permission setting for accessing resources such as Pod

10/21/2021

I created a ClusterRole that has two permissions, for pods and for the CustomResource certificaterequests. Then I created a ClusterRoleBinding that combines the ServiceAccount and the ClusterRole.

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dlc-cert-manager-admin
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["cert-manager.io"]
  resources: ["certificaterequests"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dlc-cert-manager-rbac
  namespace: barry
subjects:
- kind: ServiceAccount
  name: barry-barry-service-account
  namespace: barry
roleRef:
  kind: ClusterRole
  name: dlc-cert-manager-admin
  apiGroup: rbac.authorization.k8s.io

Then I created a Deployment for the Pod, which is associated with the ServiceAccount:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dlc-management
  name: dlc-management
spec:
  serviceAccountName: barry-barry-service-account
  replicas: 1
  selector:
    matchLabels:
      app: dlc-management
  template:
    metadata:
      labels:
        app: dlc-management
    spec:
      containers:
      - name: dlc-management
        image: ${IMAGE_NAME}:${IMAGE_TAG}
        imagePullPolicy: Always
        ports:
          - containerPort: 8080

In the Pod/container, my app will access Kubernetes pods and the CustomResource via the KubernetesClient library.

After deploying all the YAML files, my container is running. However, when my app accesses resources via KubernetesClient, it logs this error:

"message":"error: Failure executing: GET at: https://172.30.0.1/api/v1/namespaces/barry/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User \"system:serviceaccount:barry:default\" cannot list resource \"pods\" in API group \"\" in the namespace \"barry\"."}

It complains about access permission. I am not sure what I did wrong; actually I added a service account for accessing Pods in my namespace barry. Why does it refer to "system:serviceaccount:barry:default", and what is "default" here? Is it a User?

Any ideas for that? I appreciate it.

-- Joe
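An added offline check (not the asker's code, and not from any project) for the two things the error message points at: which service account the pod template actually names, and whether the ClusterRoleBinding has a subject for it. The manifests are reduced to the relevant fields as Python dicts constructed from the YAML in the question.

```python
import copy

# Constructed from the question's manifests; only the fields that matter here are kept.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "dlc-management", "namespace": "barry"},
    "spec": {
        "serviceAccountName": "barry-barry-service-account",  # as posted: directly under spec
        "template": {"spec": {"containers": [{"name": "dlc-management"}]}},
    },
}
BINDING = {
    "kind": "ClusterRoleBinding",
    "subjects": [{"kind": "ServiceAccount",
                  "name": "barry-barry-service-account", "namespace": "barry"}],
}

def effective_service_account(deployment):
    """Service account the pods actually run as. Only spec.template.spec.serviceAccountName
    is a real field; a name placed directly under spec is not part of DeploymentSpec, so it
    is rejected or dropped depending on tooling, and the pod falls back to 'default'."""
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    return pod_spec.get("serviceAccountName", "default")

def binding_covers(binding, namespace, sa_name):
    """True if some subject of the binding is the ServiceAccount <namespace>/<sa_name>."""
    return any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
               and s.get("namespace") == namespace
               for s in binding.get("subjects", []))

def diagnose(deployment, binding, namespace):
    """Return (RBAC username the pod presents to the API server, list of findings)."""
    sa = effective_service_account(deployment)
    user = f"system:serviceaccount:{namespace}:{sa}"  # the name seen in the Forbidden error
    findings = []
    if "serviceAccountName" in deployment.get("spec", {}) and sa == "default":
        findings.append("serviceAccountName is under spec; move it to spec.template.spec")
    if not binding_covers(binding, namespace, sa):
        findings.append(f"no binding subject matches {user}")
    return user, findings

def fix_deployment(deployment):
    """Copy of the deployment with serviceAccountName moved into the pod template spec."""
    fixed = copy.deepcopy(deployment)
    name = fixed["spec"].pop("serviceAccountName", None)
    if name:
        fixed["spec"]["template"].setdefault("spec", {})["serviceAccountName"] = name
    return fixed
```

Against a live cluster the equivalent check is `kubectl auth can-i list pods -n barry --as=system:serviceaccount:barry:barry-barry-service-account`, which should answer "yes" once the pod really runs as that account.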
client-go
kubernetes
kubernetes-pod
openshift

0 Answers