Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Cloud Kubernetes: What are cluster-reader permissions?

According to Spring Cloud Kubernetes docs, in order to discover services/pods in RBAC enabled Kubernetes distros:

you need to make sure a pod that runs with spring-cloud-kubernetes has access to the Kubernetes API. For any service accounts you assign to a deployment/pod, you need to make sure it has the correct roles. For example, you can add cluster-reader permissions to your default service account depending on the project you’re in.

What are cluster-reader permissions in order to discover services/pods?

Error I receiving is:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://x.x.x.x/api/v1/namespaces/jx-staging/services. 
Message: Forbidden!Configured service account doesn't have access. 
Service account may have been revoked. services is forbidden: 
User "system:serviceaccount:jx-staging:default" cannot list services in the namespace "jx-staging"
like image 576
Michal Foksa Avatar asked Dec 06 '22 10:12

Michal Foksa


1 Answers

Read endpoints and services seems to be a bare minimum for Spring Cloud Kubernetes to discover pods and services.

Example adds permissions to default service account in default namespace.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-role
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  - services
  - configmaps
  verbs:
  - get
  - list
  - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-read-rolebinding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-read-role
  apiGroup: rbac.authorization.k8s.io
like image 97
Michal Foksa Avatar answered Dec 28 '22 08:12

Michal Foksa