zozo6015

Reputation: 577

New serviceaccount created for kubernetes cluster cannot exec into pods

I have a script that creates users with specific access.

The script runs the following commands:

kubectl create serviceaccount username
kubectl create clusterrole readonlyuser --non-resource-url=* --verb=get,list,watch --resource=pods,pods/attach,pods/exec,pods/port-forward,pods/proxy,services/proxy
kubectl create clusterrolebinding username --serviceaccount=default:username --clusterrole=readonlyuser
kubectl create rolebinding username --serviceaccount=default:username --clusterrole=readonlyuser --namespace=namespace

When I try to exec into a pod in that specific namespace I get the following:

Error from server (Forbidden): pods "<podname>" is forbidden: User "system:serviceaccount:default:username" cannot create resource "pods/exec" in API group "" in the namespace "namespace"

Any idea how to fix this?

Upvotes: 2

Views: 1948

Answers (1)

P....

Reputation: 18371

The error message states the following:

 cannot create resource "pods/exec" in API group "" in the namespace "namespace"

So I created another clusterrole and rolebinding as follows:

kubectl create clusterrole exec-readonlyuser --verb=create --resource=pods/exec
kubectl create rolebinding exec-readonlyuser --clusterrole=exec-readonlyuser --serviceaccount=default:username -n namespace

Now I tried to exec and it is working:

 kubectl exec -it nginx -n namespace --as system:serviceaccount:default:username -- sh
 #
 # exit

If you are using YAML then this could be added as another rule in the same clusterrole.

Upvotes: 5
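The YAML form of the answer's fix, as an added example that is not part of the original answer: a separate ClusterRole carrying only the `create` verb on `pods/exec`, bound to the question's service account by a namespaced RoleBinding. The names (`exec-readonlyuser`, `username`, `namespace`) are the ones used in the thread.

```yaml
# Added example, not the answerer's own manifest. kubectl exec POSTs to the
# pods/exec subresource, and RBAC maps POST to the "create" verb, which is
# the verb the question's read-only ClusterRole lacked.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: exec-readonlyuser
rules:
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
# Bind it with a RoleBinding, so exec is granted only inside "namespace".
# Keeping this rule out of the "readonlyuser" ClusterRole matters because the
# question also binds that role cluster-wide via a ClusterRoleBinding; folding
# the exec rule into it would allow exec into pods in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: exec-readonlyuser
  namespace: namespace
subjects:
  - kind: ServiceAccount
    name: username        # service account created in the question
    namespace: default    # namespace the service account lives in
roleRef:
  kind: ClusterRole
  name: exec-readonlyuser
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i create pods/exec -n namespace --as=system:serviceaccount:default:username` should print `yes`, while the same check against any other namespace should still print `no`.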
