clbx

Reputation: 184

User cannot list resource at the cluster scope - Kubernetes HTTP Endpoints

kubernetes v1.23.6
rancher-desktop v1.3.0

I'm attempting to utilize the Kubernetes API HTTP endpoints from inside a pod. I have a Service Account set up which should have the permissions to hit the API and return data, but I'm unable to get any useful results.

I'm getting a 403 Forbidden on elements I believe should be accessible to the ServiceAccount.

curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://kubernetes.default.svc/api/v1/default/pods/ubuntu

Where $KUBE_TOKEN is the value read from /var/run/secrets/kubernetes.io/serviceaccount/token.

Returns:

https://kubernetes.default.svc/api/v1/default/pods/ubuntu
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "default \"pods\" is forbidden: User \"system:serviceaccount:default:podkiller\" cannot get resource \"default/ubuntu\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "pods",
    "kind": "default"
  },
  "code": 403
}

I originally had a Role instead of a ClusterRole, and that allowed me to use the API; before that, any request made would return forbidden.

I looked at some other posts (1, 2, 3), but all seemed to be issues with either namespaces or not binding roles and accounts, which I think I have done correctly.

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: podkiller
automountServiceAccountToken: true 

ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: podkiller
rules:
- apiGroups: [""]
  resources: ["pods","nodes"]
  verbs: ["get", "watch", "list", "delete"]

ClusterRoleBinding

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: podkiller
subjects:
- kind: ServiceAccount
  name: podkiller
  namespace: default
roleRef:
 kind: ClusterRole
 name: podkiller
 apiGroup: rbac.authorization.k8s.io

Pod

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
spec:
  serviceAccountName: podkiller
  automountServiceAccountToken: true
  containers:
  - image: ubuntu
    command:
      - "sleep"
      - "604800"
    imagePullPolicy: IfNotPresent
    name: ubuntu
  restartPolicy: Always

Upvotes: 0

Views: 3709

Answers (1)

Wei Tang

Reputation: 151

May I ask which namespace your Service Account podkiller resides in? I suspect it's not in the namespace default as your ClusterRoleBinding indicates. Changing it to the correct namespace might resolve your issue.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: podkiller
subjects:
- kind: ServiceAccount
  name: podkiller
  namespace: default => correct namespace
roleRef:
 kind: ClusterRole
 name: podkiller
 apiGroup: rbac.authorization.k8s.io

Upvotes: 0
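As an added example (not part of the question or the answer above), the script below builds the core-group API path for a namespaced resource from the pod's own mounted ServiceAccount files and queries it. Pods are namespaced, so the path must contain a /namespaces/<ns>/ segment; the path in the question (/api/v1/default/pods/ubuntu) is interpreted by the API server as a resource named "default" at the cluster scope, which is exactly what the 403 message reports. It also verifies the API server certificate with the mounted ca.crt instead of passing -k to curl. The API_SERVER variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: namespaced API paths plus a GET with the mounted
# ServiceAccount token. API_SERVER and the helper names are assumptions.

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API_SERVER=${API_SERVER:-https://kubernetes.default.svc}

# k8s_path NAMESPACE RESOURCE [NAME]
# Prints the core-group (apiGroup "") path for a namespaced resource,
# e.g. k8s_path default pods ubuntu -> /api/v1/namespaces/default/pods/ubuntu
k8s_path() {
  ns=$1; res=$2; name=$3
  if [ -n "$name" ]; then
    printf '/api/v1/namespaces/%s/%s/%s' "$ns" "$res" "$name"
  else
    printf '/api/v1/namespaces/%s/%s' "$ns" "$res"
  fi
}

# k8s_path_ok PATH
# Returns 0 when PATH addresses a namespaced core resource, 1 otherwise.
# /api/v1/default/pods/ubuntu fails this check: "default" would be read as
# a resource name at the cluster scope, not as a namespace.
k8s_path_ok() {
  case $1 in
    /api/v1/namespaces/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# kube_get PATH
# GET the path with the mounted bearer token, validating the server
# certificate against the mounted cluster CA rather than disabling checks.
kube_get() {
  token=$(cat "$SA_DIR/token")
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $token" \
    "$API_SERVER$1"
}

# Only contact the API server when actually running inside a pod; the
# namespace file in the mount gives the pod's own namespace.
if [ -r "$SA_DIR/token" ]; then
  ns=$(cat "$SA_DIR/namespace")
  kube_get "$(k8s_path "$ns" pods ubuntu)"
fi
```

Run it from a shell inside the pod; outside a pod it only defines the helpers and exits without making a request.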
