Ilthizam Imtiyas

Reputation: 179

jobs.batch is forbidden: User "system:serviceaccount:default:default" cannot list resource "jobs" in API group "batch" in the namespace "default"

I am using the Kubernetes JavaScript client with in-cluster configuration to interact with the cluster.

I am trying to get the list of jobs

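app.js (Node)

app.get("/", (req, res) => {
  // k8sApi2 is assumed to be a BatchV1Api client built from the in-cluster config.
  k8sApi2
    .listNamespacedJob("default")
    .then((result) => {
      // Use a distinct name so the Express `res` is not shadowed.
      console.log(result.body);
      res.send(result.body);
    })
    .catch((err) => {
      console.log(err);
      res.status(500).send("Failed to list jobs");
    });
});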

But this is the log of the pod I am getting.

Log

Here is my deployment

Deployment

Service

Service

Also, I created a role and a role binding, but I still have no idea what is causing this issue.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-apis
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-apis
rules:
  - apiGroups:
      - ""
      - "apps"
      - "batch"
    resources:
      - endpoints
      - deployments
      - pods
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - delete
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-apis
  namespace: default
subjects:
  - kind: ServiceAccount
    name: node-apis
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: node-apis

I am new to Kubernetes, any help?

Upvotes: 6

Views: 16513

Answers (1)

Arghya Sadhu

Reputation: 44577

You need to use the service account by specifying it in the spec section of the pod. Since you are not doing that, it's using the default service account, which does not have a Role and RoleBinding permitting the operation, leading to the forbidden error.

spec:
  serviceAccountName: node-apis
  containers:
  ...

Alternatively, you can give permission to the default service account in the RoleBinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-apis
  namespace: default
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: node-apis 

Upvotes: 14
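
Why `default` is denied while `node-apis` is allowed, as an added example (not code from the question or the answer): a simplified model of how RBAC matches a request against the Role and RoleBinding shown in the question. The helper names are hypothetical, the Role is assumed to have been applied in the `default` namespace, and ClusterRoles, subresources and resourceNames are left out.

```javascript
// Objects mirror the manifests in the question (Role namespace is an assumption).
const role = {
  kind: "Role",
  metadata: { name: "node-apis", namespace: "default" },
  rules: [{
    apiGroups: ["", "apps", "batch"],
    resources: ["endpoints", "deployments", "pods", "jobs"],
    verbs: ["get", "list", "watch", "create", "delete"],
  }],
};
const binding = {
  kind: "RoleBinding",
  metadata: { name: "node-apis", namespace: "default" },
  subjects: [{ kind: "ServiceAccount", name: "node-apis", namespace: "default" }],
  roleRef: { apiGroup: "rbac.authorization.k8s.io", kind: "Role", name: "node-apis" },
};

// Parse "system:serviceaccount:<namespace>:<name>" as printed in the forbidden error.
function parseServiceAccountUser(user) {
  const m = /^system:serviceaccount:([^:]+):([^:]+)$/.exec(user);
  return m ? { namespace: m[1], name: m[2] } : null;
}

// A rule matches only if group, resource and verb are all listed (or "*").
function ruleAllows(rule, req) {
  const has = (list, v) => list.includes("*") || list.includes(v);
  return has(rule.apiGroups, req.group) && has(rule.resources, req.resource) &&
    has(rule.verbs, req.verb);
}

// Allowed if some RoleBinding in the request namespace names this subject
// and the Role it references contains a matching rule. Default is deny.
function canI(user, req, roles, bindings) {
  const sa = parseServiceAccountUser(user);
  if (!sa) return false;
  return bindings
    .filter((b) => b.metadata.namespace === req.namespace)
    .filter((b) => b.subjects.some((s) => s.kind === "ServiceAccount" &&
      s.name === sa.name && s.namespace === sa.namespace))
    .some((b) => {
      const r = roles.find((x) => x.kind === b.roleRef.kind &&
        x.metadata.name === b.roleRef.name &&
        x.metadata.namespace === b.metadata.namespace);
      return r ? r.rules.some((rule) => ruleAllows(rule, req)) : false;
    });
}

const listJobs = { namespace: "default", group: "batch", resource: "jobs", verb: "list" };
console.log("default:", canI("system:serviceaccount:default:default", listJobs, [role], [binding]));
console.log("node-apis:", canI("system:serviceaccount:default:node-apis", listJobs, [role], [binding]));
```

On a live cluster, `kubectl auth can-i list jobs.batch --as=system:serviceaccount:default:node-apis -n default` gives the authoritative answer. The same model also shows that this Role lets the bound account delete deployments and pods, so trimming the verbs and resources to what the app needs is worth doing before binding it to `default`.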
