
I am trying to use the OpenShift REST APIs to get the status of my cron-jobs. I am the admin of my namespace, but I don't have cluster access, so I can't do anything at the cluster level.

Now, to get the status, I am first creating the role:

# oc create role podreader --verb=get --verb=list --verb=watch --resource=pods,cronjobs.batch,jobs.batch
role.rbac.authorization.k8s.io/podreader created

But when I try to add a role to a service account it fails.

# oc create serviceaccount nagios 
# oc policy add-role-to-user podreader system:serviceaccount:uc-immoscout-dev:nagios
Warning: role 'podreader' not found
Error from server (NotFound): clusterroles.rbac.authorization.k8s.io "podreader" not found

My main intention is to get the status of my cron-jobs, jobs and pods which I am scheduling.

dataplumber

1 Answer


You'll have to add --role-namespace=namespace-of-role to the oc policy add-role-to-user command, otherwise the role is treated as a cluster role.

From the docs:

--role-namespace='': namespace where the role is located: empty means a role defined in cluster policy

derkoe
  • Thanks a lot, koe. The role is added properly, but I am still not able to get the status of my cronjob. "status": "Failure", "message": "cronjobs.batch \"mycronjob\" is forbidden: User \"system:serviceaccount:myproject-namespace:nagios\" cannot get cronjobs.batch/status in the namespace \"myproject-namespace\": no RBAC policy matched", "group": "batch", "kind": "cronjobs" "code": 403 Commands used: # oc serviceaccounts get-token nagios # curl -k -H "Authorization: Bearer $TOKEN" -H 'Accept: application/json' https://$ENDPOINT/apis/batch/v2alpha1/namespaces/$NAMESPACE/cronjobs – dataplumber Sep 15 '20 at 07:47
  • I guess you should create another question for this. – derkoe Sep 15 '20 at 08:43
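
The binding from the answer, followed by a check of what the service account is actually allowed to do, as an added example that is not part of the original posts. The function names are hypothetical, and the `--as` check assumes `oc` is logged in and your account may impersonate the service account.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumption: `oc` is logged in to the cluster and the caller is allowed to
# impersonate service accounts in the project (needed for --as).

# Bind a namespaced Role to a service account in the same project.
# --role-namespace makes the binding reference a Role in that namespace;
# without it the name is looked up as a ClusterRole (the NotFound error above).
bind_namespaced_role() {
    ns=$1; sa=$2; role=$3
    oc policy add-role-to-user "$role" "system:serviceaccount:${ns}:${sa}" \
        --role-namespace="$ns" -n "$ns"
}

# Ask the API server whether the service account may perform each verb on
# each resource. Prints one line per check and returns non-zero if any
# check is denied, so it can gate a deployment or monitoring setup script.
verify_sa_access() {
    ns=$1; sa=$2; verbs=$3; resources=$4
    denied=0
    for res in $resources; do
        for verb in $verbs; do
            if oc auth can-i "$verb" "$res" -n "$ns" \
                --as="system:serviceaccount:${ns}:${sa}" >/dev/null 2>&1; then
                echo "allowed: $verb $res"
            else
                echo "DENIED:  $verb $res"
                denied=1
            fi
        done
    done
    return "$denied"
}

# Usage with the names from the question:
#   bind_namespaced_role uc-immoscout-dev nagios podreader
#   verify_sa_access uc-immoscout-dev nagios "get list watch" \
#       "pods cronjobs.batch jobs.batch"
```

Running the check right after the binding confirms the service account holds exactly the verbs the role grants, before a token is handed to the monitoring system.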