Kubernetes Namespaces forbidden using api

10/31/2021

I created a service account user and got the token for the user. However, every time I try to access the namespaces I get the following error:

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "namespaces is forbidden: User \"system:serviceaccount:default:svcacc\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope",
    "reason": "Forbidden",
    "details": {
        "kind": "namespaces"
    },
    "code": 403
}

This is my service account:

Name:         svcacc-token-87jd6
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: svcacc
              kubernetes.io/service-account.uid: 384aa590-dac4-472c-a9a7-116c5fb0562b

Type:  kubernetes.io/service-account-token

Do I need to give the service account roles or add it to a group? This is running in AWS EKS; not sure if that makes a difference.

I am trying to use ServiceNow discovery to discover my Kubernetes cluster. Regardless of whether I am using ServiceNow or Postman, I get the same message.

EDIT: Ended up using YAML to configure the service account and roles.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: svcacc
  namespace: default
---
# Create ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: svcacc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: svcacc
  namespace: default

Once this was configured I updated the kubeconfig and ran this to get the token:

# The inner command resolves the name of the token secret; the outer one extracts the token value.
TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount svcacc -n default | grep -i Tokens | awk '{print $2}')" -n default | grep token: | awk '{print $2}')
-- Brandon Wilson
kubernetes
servicenow

1 Answer

12/15/2021

To clarify, I am posting a Community Wiki answer.

You solved this problem using a YAML file to configure the service account and roles.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: svcacc
  namespace: default
---
# Create ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: svcacc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: svcacc
  namespace: default

And after that you updated the kubeconfig and ran this to get the token:

# The inner command resolves the name of the token secret; the outer one extracts the token value.
TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount svcacc -n default | grep -i Tokens | awk '{print $2}')" -n default | grep token: | awk '{print $2}')

Here is documentation about RBAC Authorization with many examples.

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization.

-- kkopczak
Source: StackOverflow
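The 403 in the question names exactly what the subject lacks: the verb `list` on resource `namespaces` in API group `""` at the cluster scope. A ClusterRole granting only that, bound to the same service account, clears the error without handing a discovery tool cluster-admin. This is an added example, not from the question or the answer; the role and binding names are my own choice, and any further resources the ServiceNow probe requests would need their own read-only rules.

```yaml
# Least-privilege alternative to binding cluster-admin (added example).
# The rule mirrors the 403 message: apiGroup "" (core), resource
# "namespaces", verb "list"; get and watch are included because most
# discovery clients follow a list with per-object reads.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-reader   # assumed name, not from the page
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
# Bind the narrow role to the existing svcacc service account
# instead of the cluster-admin ClusterRole used in the question.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: svcacc-namespace-reader   # assumed name, not from the page
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-reader
subjects:
- kind: ServiceAccount
  name: svcacc
  namespace: default
```

After applying this file, `kubectl auth can-i list namespaces --as=system:serviceaccount:default:svcacc` should answer `yes` while the same check with a verb such as `delete` still answers `no`; each later 403 from the discovery probe names the next resource and verb to add in the same way.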