Ido Segal

Reputation: 422

Error looking up service account when using role binding

I have a helm chart that I have created. In this chart, I have a template for a Job with a post-install hook (code below), a custom resource, and a config map.

apiVersion: batch/v1
kind: Job
metadata:
  name: postinstall-hook
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-delete-policy": hook-succeeded # hooks are not deleted without this annotation
spec:
  template:
    spec:
      # Pod-level fields: the account is resolved in the pod's own namespace (the release namespace)
      serviceAccountName: {{ .Values.serviceAccount }}
      automountServiceAccountToken: true
      containers:
      - name: kubectl
        image: bitnami/kubectl
        imagePullPolicy: Always
        command:
        - /bin/bash
        - -c
        - |
          # Poll until no Job in the release namespace, other than this hook itself, has active pods.
          while true; do
            running_jobs=$(kubectl get jobs -n {{ .Release.Namespace }} \
              -o jsonpath='{range .items[?(@.status.active>0)]}{.metadata.name}{"\n"}{end}' \
              | grep -vx postinstall-hook)
            if [ -z "$running_jobs" ]; then
              echo "All jobs have completed"
              break
            else
              echo "Waiting for the following jobs to complete: $running_jobs"
              sleep 30
            fi
          done
      restartPolicy: Never
      terminationGracePeriodSeconds: 10

When I'm installing using helm I'm using a specific service account. The service account has permissions in a namespace called ns1, but I want to deploy to namespace ns2, so I have added to the existing service account one more Role and RoleBinding so this service account can perform actions in the other namespace.

When I deploy the chart, the Job fails with an error:

Error creating: pods "postinstall-hook-" is forbidden: error looking up service account ns2/serviceaccountname: serviceaccount "serviceaccount" not found

It's true that the service account doesn't exist in this namespace, but I want to use the service account that exists in namespace ns1; that is why I created the Role and RoleBinding.

Service account manifests:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: devops-deploy
  namespace: devops
automountServiceAccountToken: false

---

apiVersion: v1
kind: Secret
metadata:
  name: devops-deploy-secret
  namespace: devops
  annotations:
    kubernetes.io/service-account.name: devops-deploy
type: kubernetes.io/service-account-token

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-deploy-role
  namespace: devops
rules:
- apiGroups: ["apps"]
  resources: ["deployments","replicasets"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create","get","watch","list","update","patch","delete"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["k6.io"]
  resources: ["k6s"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# - apiGroups: ["apps"]
#   resources: ["replicasets"]
#   verbs: ["get","create","delete","update","list","watch"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-deploy-rb
  namespace: devops
subjects:
- kind: ServiceAccount
  name: devops-deploy
  namespace: devops   # required for ServiceAccount subjects; the apiserver rejects the binding without it
roleRef:
  kind: Role
  name: devops-deploy-role
  apiGroup: rbac.authorization.k8s.io

---
###
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-exec-from-ns1
  namespace: k6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devops-deploy-role   # a Role referenced here is looked up in k6 (the binding's namespace), not in devops
subjects:
- kind: ServiceAccount
  name: devops-deploy
  namespace: devops

### Stack Overflow answer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-describe-cr
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","create","delete","update","list","watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-describe-crb
subjects:
- kind: ServiceAccount
  name: devops-deploy
  namespace: devops
roleRef: 
  kind: ClusterRole
  name: kube-describe-cr
  apiGroup: rbac.authorization.k8s.io

Upvotes: 1

Views: 1357
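The error in the question is not an RBAC failure. The Job controller creates the hook pod in the release namespace, and the ServiceAccount admission plugin resolves the pod's `serviceAccountName` in that same namespace; a RoleBinding changes what an account may do, never which namespace it exists in. So the hook needs an account of its own next to the Job. The manifests below are an added example, not code from the question; the names and the use of `.Release.Name` are assumptions. Because post-install hooks run after the chart's regular resources have been created, these three objects can be plain chart templates without hook annotations.

```yaml
# Added example (not from the question): a ServiceAccount for the post-install
# hook in the release namespace, plus the minimum RBAC the hook's kubectl loop
# needs. Names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-hook
  namespace: {{ .Release.Namespace }}
automountServiceAccountToken: false   # pods must opt in explicitly; the hook Job does
---
# Least privilege: the hook only reads Jobs in its own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}-hook
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-hook
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}-hook      # a Role must live in the binding's own namespace
subjects:
- kind: ServiceAccount
  name: {{ .Release.Name }}-hook
  namespace: {{ .Release.Namespace }}
```

In the Job template, put `serviceAccountName: {{ .Release.Name }}-hook` and `automountServiceAccountToken: true` under `spec.template.spec` (they are pod fields, not Job fields). The account named in `.Values.serviceAccount` then remains only the identity that Helm itself installs with. If you would rather have the account created and removed together with the hook, give all three objects the same `helm.sh/hook` and `helm.sh/hook-delete-policy` annotations as the Job and a negative `helm.sh/hook-weight`, so Helm creates them before the Job.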

Answers (1)

glv

Reputation: 1187

You simply create a RoleBinding of the SA in namespace N1 to namespace N2.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-exec-from-ns1
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-exec
subjects:
- kind: ServiceAccount
  name: ns1-service-account
  namespace: ns1

If you still have problems, please share the RBAC and RoleBinding manifests.

Upvotes: 0
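The answer's binding only works if the Role it names (`job-exec`) exists in ns2: a RoleBinding resolves a `kind: Role` roleRef in its own namespace, which is why the question's `job-exec-from-ns1` binding in `k6`, pointing at `devops-deploy-role` (a Role that exists only in `devops`), grants nothing. The usual way to reuse one rule set across namespaces is a ClusterRole bound per namespace; the RoleBinding then limits those rules to its namespace. The manifests below are an added example, not from the question or the answer; the name `helm-deployer` and the rule set are assumptions sized for installing this chart.

```yaml
# Added example (not from the question or the answer): one ClusterRole holding
# the deployer's rules, bound into the target namespace for the devops account.
# The name helm-deployer is an assumption.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: helm-deployer
rules:
# what installing this chart into a namespace actually needs
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["k6.io"]
  resources: ["k6s"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Helm 3 stores each release version as a Secret in the release namespace
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# only needed if the chart also ships the hook's own ServiceAccount/Role/RoleBinding;
# RBAC escalation prevention lets the deployer grant only verbs it holds itself
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# One RoleBinding per target namespace; subjects may come from any namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-deployer
  namespace: k6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole        # resolved cluster-wide, but effective only inside k6
  name: helm-deployer
subjects:
- kind: ServiceAccount
  name: devops-deploy
  namespace: devops        # required for ServiceAccount subjects
```

Check the result as a cluster admin with `kubectl auth can-i create jobs.batch -n k6 --as=system:serviceaccount:devops:devops-deploy`, which prints `yes` or `no`. Keep the cross-namespace grant this narrow rather than rebinding `devops-deploy-role`: its `*` on pods, secrets and serviceaccounts would let the deployer run pods as any account in `k6` and read that namespace's token Secrets, which is namespace-admin in practice.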
