I'm trying to make a pod that will serve as the controller for other pods, basically creating and stopping them as needed. I initially created a ServiceAccount, a Role, a RoleBinding, and a simple Alpine container that I can use for testing with curl, all within a new Namespace. Here's my YAML file for all of this:
apiVersion: v1
kind: Namespace
metadata:
  name: nfv
  labels:
    name: nfv
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfv-svc
  namespace: nfv
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nfv-role
  namespace: nfv
rules:
- apiGroups:
  - ''
  resources:
  - 'pods'
  verbs:
  - 'create'
  - 'delete'
  - 'get'
  - 'list'
  - 'patch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nfv-rolebind
subjects:
- kind: ServiceAccount
  name: nfv-svc
  namespace: nfv
roleRef:
  kind: Role
  name: nfv-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: sdn-test
  namespace: nfv
spec:
  serviceAccountName: nfv-svc
  containers:
  - image: alpine:3.9
    name: sdn-test-container
    command:
    - sleep
    - "10000"
Then I attach to the alpine test container and do the following:
apk add --update curl
CA_CERT=/run/secrets/kubernetes.io/serviceaccount/ca.crt
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
curl -H "Authorization: Bearer $TOKEN" --cacert $CA_CERT https://kubernetes.default/api/v1/namespaces/$NAMESPACE/pods
Then I get the following output:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:nfv:nfv-svc\" cannot list resource \"pods\" in API group \"\" in the namespace \"nfv\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
The Role should have sufficient permissions to list the pods in my namespace, so why is it not working? What am I missing? I'm using Kubernetes v1.18.2 on Ubuntu 16.04.
There needs to be a namespace (namespace: nfv) in the RoleBinding because it's a namespace scoped resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nfv-rolebind
  namespace: nfv
subjects:
- kind: ServiceAccount
  name: nfv-svc
  namespace: nfv
roleRef:
  kind: Role
  name: nfv-role
  apiGroup: rbac.authorization.k8s.io
To verify the permission you can use the command below:
kubectl auth can-i list pods --as=system:serviceaccount:nfv:nfv-svc -n nfv
yes
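As an added illustration, not part of the question or the answer, here is a small Python model of how the API server resolves a Role through a RoleBinding, run over a constructed copy of the objects above. It assumes that the namespace-less RoleBinding was applied into the kubectl context's namespace, "default", which is why the Role in nfv never came into play; the sample_items, can_i and SA names are this example's own.

```python
def sample_items(binding_namespace):
    """Constructed stand-in for the items of `kubectl get roles,rolebindings -A -o json`.
    The question's RoleBinding had no metadata.namespace, so kubectl applied it to the
    context's namespace, normally "default" (assumption); the answer's fix puts it in "nfv"."""
    return [
        {"kind": "Role", "metadata": {"name": "nfv-role", "namespace": "nfv"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["create", "delete", "get", "list", "patch"]}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "nfv-rolebind", "namespace": binding_namespace},
         "subjects": [{"kind": "ServiceAccount", "name": "nfv-svc", "namespace": "nfv"}],
         "roleRef": {"kind": "Role", "name": "nfv-role"}},
    ]

def subject_matches(subject, user):
    # ServiceAccounts authenticate as system:serviceaccount:<namespace>:<name>
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and subject["name"] == user

def rule_allows(rule, verb, resource, api_group):
    # A rule grants when apiGroup, resource and verb all match; "*" is a wildcard.
    return (any(g in ("*", api_group) for g in rule.get("apiGroups", [])) and
            any(r in ("*", resource) for r in rule.get("resources", [])) and
            any(v in ("*", verb) for v in rule.get("verbs", [])))

def find_role(items, ref, namespace):
    # A roleRef of kind Role only resolves within the binding's own namespace; a ClusterRole is cluster-wide.
    for it in items:
        if it["kind"] == ref["kind"] and it["metadata"]["name"] == ref["name"] and (
                ref["kind"] == "ClusterRole" or it["metadata"].get("namespace") == namespace):
            return it
    return None

def can_i(items, user, verb, resource, namespace, api_group=""):
    """Mimic `kubectl auth can-i` for Role/RoleBinding: only bindings that live in
    `namespace` are consulted, regardless of where the subject itself lives."""
    for b in items:
        if b["kind"] != "RoleBinding" or b["metadata"].get("namespace") != namespace:
            continue
        if not any(subject_matches(s, user) for s in b.get("subjects", [])):
            continue
        role = find_role(items, b["roleRef"], namespace)
        if role and any(rule_allows(r, verb, resource, api_group) for r in role.get("rules", [])):
            return True
    return False

SA = "system:serviceaccount:nfv:nfv-svc"
```

Running can_i(sample_items("default"), SA, "list", "pods", "nfv") reproduces the 403 from the question, while sample_items("nfv") gives the "yes" the answer's kubectl check prints.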