Reputation: 6969
I am using kops in AWS to create my Kubernetes cluster.
I have created a cluster with RBAC enabled via --authorization=RBAC as described here.
I am trying to use the default service account token to interact with the cluster and getting this error:
Error from server (Forbidden): User "system:serviceaccount:default:default" cannot list pods in the namespace "default". (get pods)
Am I missing a role or binding somewhere?
Upvotes: 3
Views: 1642
Reputation: 131
I think it is not a good idea to give the cluster-admin role to the default service account in the default namespace.
If you give cluster-admin access to the default user in the default namespace, every app (pod) that is deployed in the cluster in the default namespace will be able to manipulate the cluster (delete system pods/deployments or do other bad stuff).
By default the clusterrole cluster-admin is given to the default service account in the kube-system namespace. You can use it for interacting with the cluster.
Upvotes: 2
Reputation: 19143
Try to give the admin role and try again:
kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=default:default
Upvotes: 0
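The error in the question only says that the default service account in the "default" namespace has no binding that allows listing pods. The second answer fixes that by binding cluster-admin to it, which is exactly what the first answer warns against: every pod that runs under that service account then has full control of the cluster. Below is an added example (not from the question or either answer) of the least-privilege alternative: a namespaced Role that permits only get/list/watch on pods, bound to the default service account, followed by a kubectl auth can-i check that confirms the grant is as narrow as intended. The names pod-reader and default-pod-reader, and the APPLY environment variable, are assumptions made for this example.

```shell
#!/bin/sh
# Least-privilege alternative to "clusterrolebinding ... --clusterrole=cluster-admin":
# a Role scoped to one namespace that only allows reading pods, bound to the
# default service account. Role and binding names are assumptions for this example.
set -eu

NAMESPACE="${NAMESPACE:-default}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-default}"

# Print the Role + RoleBinding manifest to stdout (no cluster access needed).
render_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ${NAMESPACE}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-pod-reader
  namespace: ${NAMESPACE}
subjects:
- kind: ServiceAccount
  name: ${SERVICE_ACCOUNT}
  namespace: ${NAMESPACE}
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Count the verbs the Role grants; a cheap guard against the role being widened
# later (e.g. someone adding "*" or "delete") without anyone noticing.
granted_verbs() {
  render_manifest \
    | sed -n 's/^  verbs: \[\(.*\)]$/\1/p' \
    | tr -d '" ' | tr ',' '\n' | grep -c .
}

# Apply the manifest, then verify the effective permissions by impersonating the
# service account. The first check must succeed; the second is expected to be
# denied, which shows the grant does not leak outside pods in this namespace.
apply_and_check() {
  render_manifest | kubectl apply -f -
  kubectl auth can-i list pods -n "$NAMESPACE" \
    --as="system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}"
  kubectl auth can-i delete deployments -n kube-system \
    --as="system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}" || true
}

# Only talk to a cluster when explicitly asked (APPLY=1); otherwise just print
# the manifest so it can be reviewed or committed.
if [ "${APPLY:-0}" = "1" ]; then
  apply_and_check
else
  render_manifest
fi
```

Run it with APPLY=1 against the kops cluster to create the Role and RoleBinding; without APPLY it only prints the manifest. After applying, the `kubectl get pods` call from inside a pod in "default" works, while the same token still cannot touch anything in kube-system, which is the property the cluster-admin binding gives up.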