Kubernetes pull infomation from endpoints REST API

Question

I trying to create a service account with permissions to get information about endpoints pod IPs and getting back a permissions problem.

Creating the service account and give it the right permissions:

$ kubectl create role endpoints-reader --verb=get --verb=list --resource=endpoints
$ kubectl create serviceaccount endpoints-reader-sa
$ kubectl create rolebinding default-endpoints-reader --role=endpoints-reader --serviceaccount=endpoints-reader-sa:endpoints-reader-sa

Adding this sa to the deployment YAML file:

...
spec:
  serviceAccountName: endpoints-reader-sa
  containers:
  - name: ...

I stated the pod and logged in into it (ssh). Now I want to run a REST call to pull the information:

$ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token);
$ curl https://kubernetes.default.svc/api/v1/namespaces/XXX/endpoints --silent --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "endpoints is forbidden: User \"system:serviceaccount:XXX:endpoints-reader-sa\" cannot list resource \"endpoints\" in API group \"\" in the namespace \"XXX\"",
  "reason": "Forbidden",
  "details": {
    "kind": "endpoints"
  },
  "code": 403
}

What I'm doing wrong?

Answer 1

OK... Found the issue.

So, this line:

kubectl create rolebinding default-endpoints-reader --role=endpoints-reader --serviceaccount=endpoints-reader-sa:endpoints-reader-sa

should be changed to this:

kubectl create rolebinding default-endpoints-reader --role=endpoints-reader --serviceaccount=XXX:endpoints-reader-sa

Where XXX is the namespace name. Similar problem you can find here.