Reputation: 51
I'm trying to deploy ingress-nginx helm chart to K8s with Jenkins running in container.
Kubernetes version: 1.25.4 and Helm chart: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx
I have created a service account for Jenkins to access K8s, and currently, using that service account's access token, I can for example list pods in all namespaces. But when I try to deploy the helm chart, I'm hitting this error:
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:devops-tools:jenkins-admin" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
How should I create the serviceAccount so that I could list clusterroles?
kubectl auth can-i get clusterroles --as=system:serviceaccount:devops-tools:jenkins-admin -A
Here is the service account, cluster role and role binding template that is used:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-admin
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-admin
  namespace: devops-tools
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins-admin
subjects:
- kind: ServiceAccount
  name: jenkins-admin
  namespace: devops-tools
Upvotes: 0
Views: 500
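The error in the question follows from how RBAC matches rules: the posted ClusterRole has wildcard resources and verbs, but only for the core API group (""), and clusterroles live in rbac.authorization.k8s.io. The following is an added example, not code from the question or from Kubernetes, that models the authorizer's rule matching and compares the posted rules with a constructed least-privilege alternative to cluster-admin.

```python
"""Minimal model of Kubernetes RBAC PolicyRule matching (added example,
not from the question, the answer or the Kubernetes code base)."""
from typing import Dict, List

Rule = Dict[str, List[str]]


def _matches(allowed: List[str], wanted: str) -> bool:
    # RBAC treats "*" as a wildcard; otherwise the value must appear verbatim.
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, verb: str, api_group: str, resource: str) -> bool:
    # Every dimension of one PolicyRule must match; rules are never merged.
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(rules: List[Rule], verb: str, api_group: str, resource: str) -> str:
    # Same yes/no shape as `kubectl auth can-i`, evaluated against local rules.
    allowed = any(rule_allows(r, verb, api_group, resource) for r in rules)
    return "yes" if allowed else "no"


# The ClusterRole from the question: wildcard resources and verbs, but only
# in the core API group (""), where pods live and clusterroles do not.
ASKER_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]},
]

# Constructed least-privilege alternative: keep the core-group rule and add
# the RBAC group explicitly instead of binding cluster-admin. The API server
# still applies its escalation check: a subject may only create or update a
# ClusterRole/Binding carrying permissions it already holds itself (or holds
# the "escalate"/"bind" verbs for).
LEAST_PRIV_RULES: List[Rule] = ASKER_RULES + [
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings", "roles", "rolebindings"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

if __name__ == "__main__":
    for label, rules in (("asker", ASKER_RULES), ("least-priv", LEAST_PRIV_RULES)):
        print(label, "list pods:", can_i(rules, "list", "", "pods"))
        print(label, "list clusterroles:",
              can_i(rules, "list", "rbac.authorization.k8s.io", "clusterroles"))
```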
Reputation: 1012
Create a ServiceAccount with cluster admin role for this purpose like this:
$ kubectl create sa jenkins-admin -n devops-tools
Now add a clusterrolebinding for the service account as follows:
$ kubectl create clusterrolebinding jenkins-admin \
    --clusterrole=cluster-admin \
    --serviceaccount=devops-tools:jenkins-admin
You can now verify the permission by using the following command:
kubectl auth can-i list clusterroles --as=system:serviceaccount:devops-tools:jenkins-admin
For more detailed information refer to the 5th point in the official k8s docs.
You can have a glance at the Blog written by Roy Kim, which contains a similar error reference.
Upvotes: 0