Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

403 Forbidden error when trying to access Kubernetes API from a pod

Tags:

google-cloud-platform

kubernetes

kubernetes-apiserver

As per this Documentation, I am trying to access the Kuberenetes API from a pod, using the following command

curl --cacert ca.crt -H "Authorization: Bearer $(<token)" https://kubernetes/apis/extensions/v1beta1/namespaces/default/deployments/ballerina-prime/scale

which follows the following template

curl --cacert ca.crt -H "Authorization: Bearer $(<token)" https://kubernetes/apis/extensions/v1beta1/namespaces/{namespace}/deployments/{name}/scale

It throws the following error

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "deployments.extensions \"ballerina-prime\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments/scale\" in API group \"extensions\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "ballerina-prime",
    "group": "extensions",
    "kind": "deployments"
  },
  "code": 403
}

Can someone point out where I am making mistake or suggest any other way in which I can access the Kubernetes API?

Update 01

I created a Role as per the Documentation suggested. Following is the manifest I used.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployments-and-deployements-scale
rules:
- apiGroups: [""]
  resources: ["deployments", "deployments/scale"]
  verbs: ["get", "list"]

I applied it using this command. kubectl apply -f deployments-and-deployements-scale.yaml. Still I am unable to access the endpoint needed. Where am I making mistake?

like image 670
anushiya-thevapalan Avatar asked Dec 22 '22 21:12

anushiya-thevapalan

1 Answers

First, you are connecting correctly to the kubernetes API!

But the default serviceaccount ("user") you are using does not have the required privileges to perform the operation, that you want to do. (Reading the deployment 'ballerina-prima' in the namespace 'default')

What you need to do: Use a different serviceaccount or grant the permissions that are required to the default service account.

You can find detailed information in the documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

like image 162
Thomas Avatar answered Dec 28 '22 23:12

Thomas
Sign in to Comment

Related questions

Kubernetes: Node vs Hosts vs Cluster terminology
kubernetes isn't overriding environment variables that were set in the Dockerfile
Why doesn't kubectl bash completion work on macOS/OS X?
Routing traffic to kubernetes cluster
Kubernetes Worker Node in Status NotReady
why is Kuberenetes kubeadm init command unable to pull the images from the repository k8s.gcr.io
kubectl exec failed with "container <command> is not valid for pod <pod_name>"
embeding conf files into helm chart
What's the difference between Kubernetes and Kubernetes Engine?
What is the advantage of in each deploy, building a new docker image containing the application instead of just updating the application?
Kubernetes: How to implement a Network ResourceQuota
curl: (7) Failed to connect to 192.168.99.100 port 31591: Connection refused
ImagePullBackOff error in Kubernetes while pulling docker images from private dockerhub registry
Is it possible to change subnet in Azure AKS deployment?
How do I make an ingress forward to an ssl port(443) if https traffic
Can I add initContainers to a kubernetes-cronjob?
How to use Local docker image in kubernetes via kubectl
How can fluent-bit add custom metadata to each event message being sent to splunk
Kubernetes: get actual resource limits inside container

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!