
As per this Documentation, I am trying to access the Kubernetes API from a pod, using the following command

curl --cacert ca.crt -H "Authorization: Bearer $(<token)" https://kubernetes/apis/extensions/v1beta1/namespaces/default/deployments/ballerina-prime/scale

which follows this template

curl --cacert ca.crt -H "Authorization: Bearer $(<token)" https://kubernetes/apis/extensions/v1beta1/namespaces/{namespace}/deployments/{name}/scale

It throws the following error

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "deployments.extensions \"ballerina-prime\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments/scale\" in API group \"extensions\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "ballerina-prime",
    "group": "extensions",
    "kind": "deployments"
  },
  "code": 403
}

Can someone point out where I am making a mistake or suggest any other way in which I can access the Kubernetes API?

Update 01

I created a Role as the Documentation suggested. Following is the manifest I used.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployments-and-deployements-scale
rules:
- apiGroups: [""]
  resources: ["deployments", "deployments/scale"]
  verbs: ["get", "list"]

I applied it using this command: kubectl apply -f deployments-and-deployements-scale.yaml. Still I am unable to access the endpoint needed. Where am I making a mistake?

anushiya-thevapalan

2 Answers


First, you are connecting correctly to the kubernetes API!

But the default serviceaccount ("user") you are using does not have the required privileges to perform the operation that you want to do (reading the deployment 'ballerina-prime' in the namespace 'default').

What you need to do: Use a different serviceaccount or grant the permissions that are required to the default service account.

You can find detailed information in the documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Thomas

  • I tried as mentioned in the Documentation. Still I am unable to access the endpoint. I have updated the question with what I tried. Can you have a look at it and make suggestions? – anushiya-thevapalan Oct 22 '19 at 06:43
  • You need a RoleBinding in addition, to assign the role to a subject (user). – Thomas Oct 22 '19 at 07:47

As @Thomas mentioned in the comment below his answer, you need to assign a specific Role to the target Service account via a RoleBinding resource in order to fix this authorization issue.

In reference to your manifest:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployments-and-deployements-scale
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "deployments/scale"]
  verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployments-and-deployements-scale-rb
  namespace: default            # a RoleBinding is namespaced; bind in the Role's namespace
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: deployments-and-deployements-scale
  apiGroup: rbac.authorization.k8s.io   # required value; the API server rejects "" here

You may consider either explicitly setting apiGroups: in the Role definition to match particular API groups, or using the wildcard ["*"] to search across all API versions.

Nick_Kh

  • In the `apiVersion` I am using `v1` whereas in the request `curl --cacert ca.crt -H "Authorization: Bearer $( – anushiya-thevapalan Oct 22 '19 at 08:24
  • It depends on which API group you created the deployment resource in: if `extensions/v1beta1` then `.../apis/extensions/v1beta1/..`, or if `apps/v1` then `.../apis/apps/v1/...` – Nick_Kh Oct 22 '19 at 08:40
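As an added example that is not code from the question or from either answer, the script below automates what both answers describe: it parses the Forbidden Status from the question into (user, verb, resource, API group, namespace), emits a Role plus RoleBinding that grants only that tuple to the service account named in the message (Cluster* kinds when the denial is cluster-scoped), prints the `kubectl auth can-i` check that confirms the grant by impersonating that service account, and rebuilds the in-pod curl against the apps/v1 scale subresource. The helper names are mine, the sample Status is the one from the question inlined so it runs offline, and the parsing regex assumes the API server keeps its current wording of the denial message.

```shell
#!/bin/sh
# Added example (not code from the question or either answer): turn the API
# server's 403 Forbidden Status into the smallest Role/RoleBinding that satisfies
# it, print the kubectl check that proves the grant, and build the in-pod curl.
# Assumptions: the denial text has the "User ... cannot VERB resource ... in API
# group ... in the namespace ..." shape shown in the question, the subject is a
# service account, and the pod has the standard token/CA projection. Helper
# names are mine.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount   # projected by the kubelet
DEPLOY=ballerina-prime                                  # deployment from the question

# Constructed sample input: the Status document from the question, inlined so
# the script runs offline.
SAMPLE_FORBIDDEN='{
  "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
  "message": "deployments.extensions \"ballerina-prime\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments/scale\" in API group \"extensions\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {"name": "ballerina-prime", "group": "extensions", "kind": "deployments"},
  "code": 403
}'

# extract_message JSON: the unescaped .message of a Status (compact or pretty JSON)
extract_message() {
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -n 's/.*"message": *"\(.*\)", *"reason".*/\1/p' | sed 's/\\"/"/g'
}

# parse_forbidden MESSAGE: prints user|verb|resource|group|namespace
# (namespace empty for cluster-scoped denials), nothing if it is not an RBAC denial
parse_forbidden() {
  printf '%s\n' "$1" | sed -n \
    -e 's/.*User "\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "\([^"]*\)" in the namespace "\([^"]*\)".*/\1|\2|\3|\4|\5/p' \
    -e 's/.*User "\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "\([^"]*\)" at the cluster scope.*/\1|\2|\3|\4|/p'
}

# role_manifest SA_USER VERB RESOURCE GROUP NAMESPACE: grant exactly the denied
# tuple to the service account named in the message (Cluster* kinds when NAMESPACE is empty)
role_manifest() {
  rest=${1#system:serviceaccount:}                  # "<ns>:<name>"
  name=$(printf '%s' "$3" | tr '/' '-')-$2          # e.g. deployments-scale-get
  if [ -n "$5" ]; then kind=Role; meta="  namespace: $5
  name: $name"; else kind=ClusterRole; meta="  name: $name"; fi
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: $kind
metadata:
$meta
rules:
- apiGroups: ["$4"]
  resources: ["$3"]
  verbs: ["$2"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ${kind}Binding
metadata:
$meta
subjects:
- kind: ServiceAccount
  name: ${rest#*:}
  namespace: ${rest%%:*}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: $kind
  name: $name
EOF
}

# can_i_cmd USER VERB RESOURCE GROUP NAMESPACE: the impersonated check to run after kubectl apply
can_i_cmd() {
  res=${3%%/*}; sub=${3#*/}
  [ -n "$4" ] && res="$res.$4"                     # deployments.extensions
  cmd="kubectl auth can-i $2 $res"
  [ "$sub" != "$3" ] && cmd="$cmd --subresource=$sub"
  cmd="$cmd --as=$1"
  [ -n "$5" ] && cmd="$cmd -n $5"
  printf '%s' "$cmd"
}

# scale_path NAMESPACE NAME: the scale subresource on apps/v1 (extensions/v1beta1
# Deployments were removed in Kubernetes 1.16)
scale_path() { printf '/apis/apps/v1/namespaces/%s/deployments/%s/scale' "$1" "$2"; }

# api_curl_cmd PATH: the same request the question makes, using the projected files
api_curl_cmd() {
  printf 'curl --cacert %s/ca.crt -H "Authorization: Bearer $(cat %s/token)" https://kubernetes.default.svc%s' \
    "$SA_DIR" "$SA_DIR" "$1"
}

main() {
  fields=$(parse_forbidden "$(extract_message "$SAMPLE_FORBIDDEN")")
  [ -n "$fields" ] || { echo "not an RBAC denial" >&2; return 1; }
  IFS='|' read -r user verb resource group ns <<EOF
$fields
EOF
  echo "# 1. apply:"; role_manifest "$user" "$verb" "$resource" "$group" "$ns"
  echo "# 2. verify:"; can_i_cmd "$user" "$verb" "$resource" "$group" "$ns"; echo
  echo "# 3. retry from the pod:"; api_curl_cmd "$(scale_path "$ns" "$DEPLOY")"; echo
}
main
```

Run it, apply the printed manifest, then run the printed `kubectl auth can-i ... --as=system:serviceaccount:default:default` line from outside the cluster; it answers `yes` only once the RoleBinding is in place. Repeat the loop for each new denial rather than granting `get`/`list` on every resource up front, and consider creating a dedicated service account for the pod instead of widening `default`, which every pod in the namespace uses unless it sets `serviceAccountName`.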