Reputation: 10305
Kubernetes user cannot list "pods" in namespace
I am trying to map AWS IAM Role (Federated) to EKS RBAC, trying to follow this tutorial, but still get error
➜ kubectl edit configmap aws-auth -n kube-system
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
mapAccounts: |
[]
mapRoles: |
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::xxx:role/edna-dev-eks200000005"
"username": "system:node:{{EC2PrivateDNSName}}"
- "rolearn": "arn:aws:iam::xxx:role/team-developers"
"username": "developer"
"groups":
- "system:master"
mapUsers: |
[]
kind: ConfigMap
metadata:
creationTimestamp: "2020-06-11T19:40:47Z"
name: aws-auth
namespace: kube-system
resourceVersion: "4627634"
selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
uid: 137288f1-ae32-4a6f-b3d5-8dbd1da1e21d
➜ k get pods -n edna
Error from server (Forbidden): pods is forbidden: User "developer" cannot list resource "pods" in API group "" in the namespace "edna"
Do I need to create RBAC for that User with the name "developer" and map all permissions? If so what would be a proper way of doing it?
I have installed rakkess with kubectl krew, and if I am trying it with AWS security short-term credentials I get this:
➜ k access-matrix -n edna
NAME LIST CREATE UPDATE DELETE
bindings ✖
certificaterequests.cert-manager.io ✖ ✖ ✖ ✖
certificates.cert-manager.io ✖ ✖ ✖ ✖
challenges.acme.cert-manager.io ✖ ✖ ✖ ✖
configmaps ✖ ✖ ✖ ✖
controllerrevisions.apps ✖ ✖ ✖ ✖
cronjobs.batch ✖ ✖ ✖ ✖
daemonsets.apps ✖ ✖ ✖ ✖
deployments.apps ✖ ✖ ✖ ✖
endpoints ✖ ✖ ✖ ✖
events ✖ ✖ ✖ ✖
events.events.k8s.io ✖ ✖ ✖ ✖
horizontalpodautoscalers.autoscaling ✖ ✖ ✖ ✖
ingresses.extensions ✖ ✖ ✖ ✖
ingresses.networking.k8s.io ✖ ✖ ✖ ✖
issuers.cert-manager.io ✖ ✖ ✖ ✖
jobs.batch ✖ ✖ ✖ ✖
leases.coordination.k8s.io ✖ ✖ ✖ ✖
limitranges ✖ ✖ ✖ ✖
localsubjectaccessreviews.authorization.k8s.io ✖
networkpolicies.networking.k8s.io ✖ ✖ ✖ ✖
orders.acme.cert-manager.io ✖ ✖ ✖ ✖
persistentvolumeclaims ✖ ✖ ✖ ✖
poddisruptionbudgets.policy ✖ ✖ ✖ ✖
pods ✖ ✖ ✖ ✖
podtemplates ✖ ✖ ✖ ✖
replicasets.apps ✖ ✖ ✖ ✖
replicationcontrollers ✖ ✖ ✖ ✖
resourcequotas ✖ ✖ ✖ ✖
rolebindings.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
roles.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
secrets ✖ ✖ ✖ ✖
serviceaccounts ✖ ✖ ✖ ✖
services ✖ ✖ ✖ ✖
statefulsets.apps ✖ ✖ ✖ ✖
Thanks, Dmitry
Upvotes: 2
Views: 10088
Answers (1)
Reputation: 9174
You need to have role and rolebinding to list pods for that namespace
Create role
kubectl create role developer --verb=get,list,watch --resource=pods,pods/status --namespace=ednaRolebinding for that role
kubectl create rolebinding developer-binding --role=developer --user=developer --serviceaccount=edna:default -n ednaAfter this run this command to check if you can get access or not.
kubectl auth can-i get pods -n edna --as developerand this command will returnyesthen your problem fixed.
For more information refer this document
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding
Upvotes: 2
Related Questions
- Namespaces is forbidden error for a new user
- Kubernetes API: cannot list resource "pods" in API group ""
- Allow Kubernetes user list/get namespaces
- Why the pods running with a service account with needed permissions cannot list pods?
- why i can't create pods a a user with enough permissions in kubernetes
- Kubernetes can not list pods as user
- EKS Kubernetes cannot list resource "namespaces" in API group "" at the cluster scope
- ServiceAccount cannot list resource "pods" in namespace though it has role with appropriate resources
- Grant Kubernetes service account privileges to get pods from all namespaces
- kubernetes pods is forbidden: User "user1" cannot list pods in the namespace "stage"