I have a k8s cluster in minikube, configured a service account admin-user with the cluster-admin role, and am configuring the ServiceAccount below to use in my own application. Everything is applied in the same namespace and my spec is using the me serviceAccountName.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: me
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myRole
rules:
- apiGroups: [""]
  resources: ["serviceaccounts, secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myRoleBinding
subjects:
- kind: ServiceAccount
  name: me
  namespace: namespace
roleRef:
  kind: Role
  name: myRole
  apiGroup: rbac.authorization.k8s.io

My application uses the rest.InClusterConfig.
When executing client.CoreV1().ServiceAccounts("namespace").Get(ctx, "admin-user", meta.GetOptions{}) I get this error:
serviceaccounts "admin-user" is forbidden: User "system:serviceaccount:namespace:me" cannot get resource "serviceaccounts" in API group "" in the namespace "namespace"
When I bind the me ServiceAccount to the default view ClusterRole instead of myRole, my client call then works. From what I can tell, I am granting the same privileges necessary for serviceaccounts in myRole compared to view.
It seems I am not granting the correct privileges but I can't figure out what is necessary.
Typo in resources: ["serviceaccounts, secrets"].
Should be resources: ["serviceaccounts", "secrets"].
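To see why the quoted list denies the request, here is an added example (not part of the question or answer, and not Kubernetes code) that re-implements the documented RBAC matching semantics: each element of `resources`, `verbs` and `apiGroups` is compared as an exact string, with `"*"` as the only wildcard. The rule objects below are constructed to mirror the question's YAML; the `lint_resources` helper is an assumed name for a small check that flags a comma inside a single resource entry, which is what the typo produces.

```python
# Added example: minimal model of how the Kubernetes RBAC authorizer
# evaluates a request against a Role's PolicyRules. This is NOT the
# real authorizer; it follows the documented semantics (exact match per
# element, "*" as wildcard) closely enough to show the failure mode.
from dataclasses import dataclass, field


@dataclass
class PolicyRule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


@dataclass
class Request:
    verb: str
    api_group: str   # "" is the core API group
    resource: str
    name: str = ""


def _matches(allowed, value):
    # Each allowed entry must equal the value exactly, or be "*".
    # "serviceaccounts, secrets" is one entry and never equals "serviceaccounts".
    return any(a == "*" or a == value for a in allowed)


def rule_allows(rule: PolicyRule, req: Request) -> bool:
    if not _matches(rule.verbs, req.verb):
        return False
    if not _matches(rule.api_groups, req.api_group):
        return False
    if not _matches(rule.resources, req.resource):
        return False
    # resourceNames, when present, restrict the rule to named objects.
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return True


def role_allows(rules, req: Request) -> bool:
    # A request is allowed if any rule in the Role allows it.
    return any(rule_allows(r, req) for r in rules)


def lint_resources(rules):
    """Flag resource entries that look like several names glued into one string.
    Returns (rule_index, entry) pairs; an empty list means nothing suspicious."""
    problems = []
    for i, r in enumerate(rules):
        for entry in r.resources:
            if "," in entry or " " in entry:
                problems.append((i, entry))
    return problems


# Constructed to mirror the Role in the question, before and after the fix.
BUGGY_RULES = [PolicyRule(api_groups=[""], resources=["serviceaccounts, secrets"], verbs=["get"])]
FIXED_RULES = [PolicyRule(api_groups=[""], resources=["serviceaccounts", "secrets"], verbs=["get"])]

# The call from the question: get serviceaccounts/admin-user in the core group.
GET_SA = Request(verb="get", api_group="", resource="serviceaccounts", name="admin-user")


if __name__ == "__main__":
    print("buggy role allows get serviceaccounts:", role_allows(BUGGY_RULES, GET_SA))  # False
    print("fixed role allows get serviceaccounts:", role_allows(FIXED_RULES, GET_SA))  # True
    print("lint findings on buggy role:", lint_resources(BUGGY_RULES))
```

Running the lint over rendered RBAC manifests in CI catches this class of typo before it reaches a cluster. One more thing worth checking once the rule matches as intended: `get` on `secrets` is broader than what the built-in `view` ClusterRole grants (it deliberately excludes secrets), so confirm that the application actually needs to read secrets in that namespace before keeping that entry.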