
So does anyone know exactly what I need to put in my ServiceAccount YAML in order not to be denied access to my ServiceAccount when I try to list things via the REST API:

curl https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/persistentvolumeclaims -X GET -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"

User "system:serviceaccount:default:my-service-service-account" cannot list persistentvolumeclaims in the namespace "default".

My RBAC serviceAccount is setup as follows in the YAML:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.service.name }}-service-account
  labels:
    app: {{ .Values.service.name }}
automountServiceAccountToken: true
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: {{ .Values.service.name }}-role
  labels:
    app: {{ .Values.service.name }}
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete"]
- apiGroups: [""] # "" indicates the core API group
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ .Values.service.name }}-role-binding
  labels:
    app: {{ .Values.service.name }}
subjects:
  - kind: ServiceAccount
    # Reference to upper's `metadata.name`
    name: {{ .Values.service.name }}-service-account
    # Reference to upper's `metadata.namespace`
    namespace: default
roleRef:
  kind: Role
  name: {{ .Values.service.name }}-role
  apiGroup: rbac.authorization.k8s.io
zach
Please take a [tour](https://stackoverflow.com/tour) on how to ask a good question. Then come back and edit your question. – UmarZaii Aug 19 '17 at 04:54

1 Answer


The role you've shown only allows get/list/watch/delete permissions on pods in the default namespace.

If you want list permissions on persistent volume claims, you need to include that verb and resource in your role as well.

Jordan Liggitt
So I added the following:

- apiGroups: [""] # "" indicates the core API group
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list", "delete"]

– zach Aug 21 '17 at 16:29
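As an added example (not code from the question or the answer), here is a small Python model of how the API server matches a Role's apiGroups/resources/verbs against a request, which makes the answer's point concrete: RBAC is additive, so a request is only allowed when some rule covers all three fields. The two rule sets are constructed to mirror the question's Role before and after the persistentvolumeclaims rule; resourceNames, subresources and nonResourceURLs are out of scope.

```python
# Added example, not code from the question or answer: a minimal evaluator
# for the apiGroups/resources/verbs matching that a Kubernetes Role performs.
# It ignores resourceNames, subresources and nonResourceURLs, and the rules
# below are constructed to mirror the YAML in the question.

ROLE_BEFORE = {"rules": [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "watch", "list", "delete"]},
]}

# The Role after the persistentvolumeclaims rule from the comment is added.
ROLE_AFTER = {"rules": ROLE_BEFORE["rules"] + [
    {"apiGroups": [""], "resources": ["persistentvolumeclaims"],
     "verbs": ["get", "watch", "list", "delete"]},
]}


def _matches(allowed, wanted):
    """A list entry matches on exact value or on the '*' wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if a single PolicyRule covers the (group, resource, verb) triple."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def role_allows(role, api_group, resource, verb):
    """RBAC is purely additive: the request is allowed if any rule matches."""
    return any(rule_allows(r, api_group, resource, verb) for r in role["rules"])


def missing_permissions(role, needed):
    """Return the (group, resource, verb) triples the Role does not grant,
    i.e. the requests that would fail with the 'cannot list ...' error."""
    return [t for t in needed if not role_allows(role, *t)]


if __name__ == "__main__":
    need = [("", "pods", "list"), ("", "persistentvolumeclaims", "list")]
    for name, role in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        for group, resource, verb in missing_permissions(role, need):
            # Mirrors the API server's forbidden message from the question.
            print(f'{name}: cannot {verb} {resource} in the namespace "default"')
```

Against a live cluster the equivalent check is `kubectl auth can-i list persistentvolumeclaims --as=system:serviceaccount:default:my-service-service-account -n default`, which reports yes/no without needing the pod's token.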