4

I have tried to run this YAML file, but I am getting the issue below. One master and two nodes have been configured, and when I ran kubectl get nodes the output looked fine.

kubectl apply -f https://k8s.io/examples/application/deployment.yaml

Then I downloaded the file locally and tried again, but got the same error.

Error from server (Forbidden): deployments.extensions "nginx-deployment" is forbidden: User "system:node:master" cannot get deployments.extensions in the namespace "default"
root@master:~#

Please assist me to resolve the issue.

Jonas
Manikandan
  • Seems you're executing it from the machine where your control plane runs, did you try it from outside of the cluster yet? – Michael Hausenblas Jul 05 '18 at 14:19
  • root@master:/home# kubectl create -f https://raw.githubusercontent.com/kubernetes/website/master/docs/concepts/cluster-administration/nginx-deployment.yaml error: unable to read URL "https://raw.githubusercontent.com/kubernetes/website/master/docs/concepts/cluster-administration/nginx-deployment.yaml", server reported 404 Not Found, status code=404 – Manikandan Jul 05 '18 at 15:38
  • The correct URL is https://raw.githubusercontent.com/kubernetes/website/master/content/en/docs/concepts/cluster-administration/nginx-deployment.yaml – Michael Hausenblas Jul 05 '18 at 17:45

1 Answer

3

This is an RBAC restriction, which you can read about in the Kubernetes docs, Using RBAC Authorization.

You want to create your own ServiceAccount, then a Role, and then bind them together using a RoleBinding.

ServiceAccount example

apiVersion: v1
kind: ServiceAccount
metadata:
  name: some-name
  namespace: my-name

Role example

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: some-name
  namespace: my-name
rules:
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["get","list","patch","update"]

RoleBinding example

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: some-name
  namespace: my-name
subjects:
  - kind: ServiceAccount
    name: some-name
    namespace: my-name
roleRef:
  kind: Role
  name: some-name
  apiGroup: rbac.authorization.k8s.io

There are examples online which you can find.

Crou
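Added example, not part of the answer above: a simplified Python model of how RBAC evaluates a namespaced request against the answer's Role and RoleBinding, showing which requests that pair grants, including the user and namespace from the question's error message. It assumes only these two objects exist and leaves out Group subjects, resourceNames, ClusterRoles and other authorizers; the dicts are constructed from the manifests above.

```python
# Added example: minimal model of RBAC evaluation for one Role + RoleBinding.
# The dicts mirror the answer's manifests (constructed input, not cluster data).
ROLE = {
    "metadata": {"name": "some-name", "namespace": "my-name"},
    "rules": [{"apiGroups": ["extensions"], "resources": ["deployments"],
               "verbs": ["get", "list", "patch", "update"]}],
}
BINDING = {
    "metadata": {"name": "some-name", "namespace": "my-name"},
    "subjects": [{"kind": "ServiceAccount", "name": "some-name",
                  "namespace": "my-name"}],
    "roleRef": {"kind": "Role", "name": "some-name"},
}

def _in(value, allowed_values):
    # "*" in a rule field matches any value.
    return "*" in allowed_values or value in allowed_values

def rule_allows(rule, group, resource, verb):
    return (_in(group, rule["apiGroups"]) and _in(resource, rule["resources"])
            and _in(verb, rule["verbs"]))

def subject_matches(subject, user):
    # ServiceAccounts authenticate as system:serviceaccount:<namespace>:<name>.
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and subject["name"] == user

def allowed(user, namespace, group, resource, verb, role=ROLE, binding=BINDING):
    # A RoleBinding grants permissions only inside its own namespace.
    if binding["metadata"]["namespace"] != namespace:
        return False
    ref = binding["roleRef"]
    if ref["kind"] != "Role" or ref["name"] != role["metadata"]["name"]:
        return False
    if role["metadata"]["namespace"] != namespace:
        return False
    if not any(subject_matches(s, user) for s in binding["subjects"]):
        return False
    return any(rule_allows(r, group, resource, verb) for r in role["rules"])

SA = "system:serviceaccount:my-name:some-name"
if __name__ == "__main__":
    for req in [(SA, "my-name", "extensions", "deployments", "get"),
                (SA, "my-name", "extensions", "deployments", "create"),
                (SA, "default", "extensions", "deployments", "get"),
                (SA, "my-name", "apps", "deployments", "get"),
                ("system:node:master", "my-name", "extensions", "deployments", "get")]:
        print(req, "->", "allow" if allowed(*req) else "deny")
```

On a live cluster, `kubectl auth can-i get deployments.extensions --as=system:serviceaccount:my-name:some-name -n my-name` asks the API server the same question.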