Reputation: 1337
I'm trying to make a pod that will serve as the controller for other pods, basically creating and stopping them as needed. I initially created a ServiceAccount, a Role, a RoleBinding, and a simple Alpine container that I can use for testing with curl, all within a new Namespace. Here's my YAML file for all of this:
apiVersion: v1
kind: Namespace
metadata:
  name: nfv
  labels:
    name: nfv
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfv-svc
  namespace: nfv
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nfv-role
  namespace: nfv
rules:
- apiGroups:
  - ''
  resources:
  - 'pods'
  verbs:
  - 'create'
  - 'delete'
  - 'get'
  - 'list'
  - 'patch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nfv-rolebind
subjects:
- kind: ServiceAccount
  name: nfv-svc
  namespace: nfv
roleRef:
  kind: Role
  name: nfv-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: sdn-test
  namespace: nfv
spec:
  serviceAccountName: nfv-svc
  containers:
  - image: alpine:3.9
    name: sdn-test-container
    command:
    - sleep
    - "10000"
Then I attach to the alpine test container and do the following:
apk add --update curl
CA_CERT=/run/secrets/kubernetes.io/serviceaccount/ca.crt
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
curl -H "Authorization: Bearer $TOKEN" --cacert $CA_CERT https://kubernetes.default/api/v1/namespaces/$NAMESPACE/pods
Then I get the following output:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:nfv:nfv-svc\" cannot list resource \"pods\" in API group \"\" in the namespace \"nfv\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
The Role should have sufficient permissions to list the pods in my namespace, so why is it not working? What am I missing? I'm using Kubernetes v1.18.2 on Ubuntu 16.04.
Upvotes: 12
Views: 37732
Reputation: 847
Check the namespace & subscription you are trying to use.
Every namespace falls under some particular context. Make sure you have activated the correct context for the required namespace.
Command to check available context:
kubectl config view --minify --flatten
Command for updating context looks something like this:
az abc get-credentials --resource-group resource-group-rg --name name-goes-here-1 --subscription subscription-account-id-goes-here-1
Upvotes: 0
Reputation: 44549
There needs to be a namespace (namespace: nfv) in the RoleBinding because it's a namespace-scoped resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nfv-rolebind
  namespace: nfv
subjects:
- kind: ServiceAccount
  name: nfv-svc
  namespace: nfv
roleRef:
  kind: Role
  name: nfv-role
  apiGroup: rbac.authorization.k8s.io
To verify the permission you can use the command below:
kubectl auth can-i list pods --as=system:serviceaccount:nfv:nfv-svc -n nfv
yes
Upvotes: 18
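Why the missing namespace produces the 403, shown as an added example that is not code from the question or the answers: a miniature Python model of the namespaced RBAC decision the API server makes, with the question's Role and both versions of the RoleBinding constructed inline. It assumes the binding without metadata.namespace was submitted to the kubectl context's namespace, taken here to be default.

```python
# Added example: a small model of namespaced RBAC evaluation (Roles and
# RoleBindings only; ClusterRoles/ClusterRoleBindings are deliberately left
# out). Objects below are hand-constructed copies of the page's manifests.

def sa_user(namespace, name):
    """Username the API server derives from a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"

def subject_matches(subject, user):
    # Only ServiceAccount subjects are modelled (the question uses no User/Group).
    return (subject.get("kind") == "ServiceAccount"
            and sa_user(subject["namespace"], subject["name"]) == user)

def rule_allows(rule, verb, resource, api_group):
    return (api_group in rule.get("apiGroups", [])
            and resource in rule.get("resources", [])
            and verb in rule.get("verbs", []))

def can_i(roles, bindings, user, verb, resource, namespace, api_group=""):
    """Mirror of the real rule: only RoleBindings *in the request's namespace*
    are consulted, and their roleRef resolves against Roles in that namespace."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for rb in bindings:
        if rb["metadata"].get("namespace") != namespace:
            continue  # the binding lives elsewhere; irrelevant for this namespace
        if not any(subject_matches(s, user) for s in rb.get("subjects", [])):
            continue
        ref = rb["roleRef"]
        role = roles_by_key.get((namespace, ref["name"])) if ref["kind"] == "Role" else None
        if role is None:
            continue  # dangling roleRef: accepted on create, but grants nothing
        if any(rule_allows(r, verb, resource, api_group) for r in role.get("rules", [])):
            return True
    return False

NFV_ROLE = {"metadata": {"name": "nfv-role", "namespace": "nfv"},
            "rules": [{"apiGroups": [""], "resources": ["pods"],
                       "verbs": ["create", "delete", "get", "list", "patch"]}]}

def binding_in(namespace):
    """The question's RoleBinding, placed in the given namespace."""
    return {"metadata": {"name": "nfv-rolebind", "namespace": namespace},
            "subjects": [{"kind": "ServiceAccount", "name": "nfv-svc", "namespace": "nfv"}],
            "roleRef": {"kind": "Role", "name": "nfv-role",
                        "apiGroup": "rbac.authorization.k8s.io"}}

USER = sa_user("nfv", "nfv-svc")
# Assumption: without metadata.namespace, kubectl submitted the binding to the
# context's namespace ("default"), so it never applies to requests in "nfv".
BROKEN = binding_in("default")
FIXED = binding_in("nfv")
```

`can_i([NFV_ROLE], [BROKEN], USER, "list", "pods", "nfv")` reproduces the 403 as False, and the same call with `FIXED` returns True, matching the `kubectl auth can-i` check in the answer.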