Reputation: 87
Kubernetes Service Account for Jobs
I have a requirement to invoke a Kubernetes job from another pod in the same namespace in a RBAC enabled cluster. The job is created using the C# Kubernetes client library. This task works correctly on a test environment that does not have RBAC enabled.
After following the Kubernetes documentation for creating a Service Account, I have the following YAML.
apiVersion: v1
kind: ServiceAccount
metadata:
name: x20-jobs-sp
namespace: prod
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: prod
name: x20-jobs-sp-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch", "extensions"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: x20-jobs-sp-rolebinding
namespace: prod
subjects:
- kind: ServiceAccount
# Reference to ServiceAccount kind's `metadata.name`
name: x20-jobs-sp
# Reference to ServiceAccount kind's `metadata.namespace`
namespace: prod
roleRef:
kind: ClusterRole
name: x20-jobs-sp-role
apiGroup: rbac.authorization.k8s.io
This is the code that invokes the job.
var job = await client.CreateNamespacedJobAsync(new k8s.Models.V1Job
{
Metadata = new k8s.Models.V1ObjectMeta
{
Name = safeName
},
Spec = new k8s.Models.V1JobSpec
{
Template = new k8s.Models.V1PodTemplateSpec
{
Spec = new k8s.Models.V1PodSpec
{
Containers = new List<k8s.Models.V1Container>()
{
new k8s.Models.V1Container
{
Image = $"{_containerRegistry}/{jobName}:{_imageTag}",
Args = args.Select(x => x.ToString()).ToList(),
Env = GetDefaultEnvironment(),
Name = safeName,
ImagePullPolicy = "Always"
}
},
ImagePullSecrets = new List<k8s.Models.V1LocalObjectReference>
{
new k8s.Models.V1LocalObjectReference
{
Name = _containerRegistry
}
},
RestartPolicy = "OnFailure",
ServiceAccountName = "x20-jobs-sp" // jobs service principal
}
},
TtlSecondsAfterFinished = _ttlSecondsAfterFinished
}
}, _namespace);
This correctly create's the ServiceAccount, ClusterRole and ClusterRoleBinding, however attempting to invoke the task still result's in a Forbidden result.
I've attempted a number of different options for the ClusterRole including using the built in cluster-admin role, all without success. This has been tested using the kubectl auth can-i command.
What am I missing?
Upvotes: 4
Views: 11793
Answers (1)
Reputation: 87
So it turned out that the cause was the default service account for the pod that was attempting to invoke the job didn't have the necessary rolebindings.
I tested this by adding the cluster-admin RoleBinding to the default service account in the namespace and invoking the job.
kubectl create clusterrolebinding --user system:serviceaccount:prod:default prod-cluster-admin --clusterrole cluster-admin
Upvotes: 2
Related Questions
- Cannot create service account in Kubernetes v1.25.5
- How to configure a non-default serviceAccount on a deployment
- How to configure kubectl to act as a service account?
- Kubernetes configuration: Specify different service account
- kubernetes service account permissions
- How to create a service account with no permissions in Kubernetes?
- How to login to Kubernetes using service account?
- Kubernetes service account with cluster role
- Create ServiceAccounts for access to the Kubernetes Deployments
- Service account - access through API