I have a helm chart that I have created. In this chart, I have a template for a Job with a post-install hook (code below), custom resource, and config map.

apiVersion: batch/v1
kind: Job
metadata:
  name: postinstall-hook
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-delete-policy": hook-succeeded # hooks are not deleted without this annotation
spec:
  template:
    spec:
      # serviceAccountName belongs to the pod template, not to the Job spec
      serviceAccountName: {{ .Values.serviceAccount }}
      automountServiceAccountToken: true
      containers:
      - name: kubectl
        image: bitnami/kubectl
        imagePullPolicy: Always
        command:
          - /bin/bash
          - -c
          - |
            # Poll until no Job other than this hook itself is still active
            while true; do
              running_jobs=$(kubectl get jobs -n {{ .Release.Namespace }} \
                -o jsonpath='{.items[?(@.status.active==1)].metadata.name}' \
                | tr ' ' '\n' | grep -vx postinstall-hook)
              if [ -z "$running_jobs" ]; then
                echo "All jobs have completed"
                break
              else
                echo "Waiting for the following jobs to complete: $running_jobs"
                sleep 30
              fi
            done
      restartPolicy: Never
      terminationGracePeriodSeconds: 10

When I'm installing with Helm I'm using a specific service account. The service account has permissions in a namespace called ns1, but I want to deploy to namespace ns2, so I have added one more role and role binding to the existing service account so that it can perform actions in the other namespace.

When I deploy the chart, the job fails with this error:

Error creating: pods "postinstall-hook-" is forbidden: error looking up service account ns2/serviceaccountname: serviceaccount "serviceaccount" not found

It's true that the service account doesn't exist in this namespace. But I want to use the service account that exists in namespace ns1, which is why I created the role and role binding.

Service account manifests:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: devops-deploy
  namespace: devops
automountServiceAccountToken: false

---

apiVersion: v1
kind: Secret
metadata:
  name: devops-deploy-secret
  namespace: devops
  annotations:
    kubernetes.io/service-account.name: devops-deploy
type: kubernetes.io/service-account-token

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-deploy-role
  namespace: devops
rules:
- apiGroups: ["apps"]
  resources: ["deployments","replicasets"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create","get","watch","list","update","patch","delete"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["k6.io"]
  resources: ["k6s"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# - apiGroups: ["apps"]
#   resources: ["replicasets"]
#   verbs: ["get","create","delete","update","list","watch"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-deploy-rb
  namespace: devops
subjects:
- kind: ServiceAccount
  name: devops-deploy
roleRef:
  kind: Role
  name: devops-deploy-role
  apiGroup: rbac.authorization.k8s.io

---
###
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-exec-from-ns1
  namespace: k6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devops-deploy-role
subjects:
- kind: ServiceAccount
  name: devops-deploy
  namespace: devops

### Stack Overflow answer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-describe-cr
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","create","delete","update","list","watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-describe-crb
subjects:
- kind: ServiceAccount
  name: devops-deploy
  namespace: devops
roleRef:
  kind: ClusterRole
  name: kube-describe-cr
  apiGroup: rbac.authorization.k8s.io
Ido Segal

1 Answer


You simply create a RoleBinding of the SA on namespace N1 to namespace N2.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-exec-from-ns1
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-exec
subjects:
- kind: ServiceAccount
  name: ns1-service-account
  namespace: ns1

If you still have problems, please share the RBAC and RoleBinding manifests.

glv
  • Hi, I have added it but still have an issue: `##[error]Error: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:devops:devops-deploy" cannot list resource "secrets" in API group "" in the namespace "k6": RBAC: role.rbac.authorization.k8s.io "job-exec" not found` The manifest is added. – Ido Segal Mar 30 '23 at 14:23
  • *RBAC: role.rbac.authorization.k8s.io "job-exec" not found*; are you sure that the role job-exec exists? – glv Mar 30 '23 at 14:26
  • It doesn't exist, but I also added the devops-deploy-role and the issue is the same. – Ido Segal Mar 30 '23 at 14:27
  • Oh ok, I saw the things that you added in the question. Try adding *namespace: devops* in the roleRef section of the RoleBinding that I sent you. – glv Mar 30 '23 at 14:40
  • It seems that namespace under `roleRef` is not working. `error validating data: ValidationError(RoleBinding.roleRef): unknown field "namespace" in io.k8s.api.rbac.v1.RoleRef; if you choose to ignore these errors, turn validation off with --validate=false` – Ido Segal Mar 30 '23 at 14:44
  • Mm ok, try to replicate the Role in the k6 ns.. – glv Mar 30 '23 at 14:48
  • I have replicated the role in the k6 ns and now I'm getting the same error, but on the service account name.. `Error creating: pods "postinstall-hook-" is forbidden: error looking up service account k6/devops-deploy: serviceaccount "devops-deploy" not found` – Ido Segal Mar 30 '23 at 14:58
  • I have a job in which I have specified the service account in the template, because when a service account isn't specified, it tries to use the default one. Maybe it's related to the error? I have added the Job template as well. – Ido Segal Mar 30 '23 at 15:01
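As an added illustration (not part of the question or answer), the following Python model reproduces the two Kubernetes rules this thread runs into: a RoleBinding's roleRef has no namespace field and is resolved in the binding's own namespace, and a Pod can only run as a ServiceAccount that exists in the Pod's namespace. The cluster state is constructed to mirror the question's manifests; the function names are mine.

```python
# Added example, not from the question or answer: a small model of the two
# rules behind the errors in this thread.
#  1. RoleRef has no namespace field, so a RoleBinding's Role is resolved in
#     the binding's own namespace; its subjects may come from any namespace.
#  2. A Pod's serviceAccountName is looked up in the Pod's own namespace.
# The cluster state below is constructed to mirror the question's manifests.

def rule(api_groups, resources, verbs):
    return {"apiGroups": api_groups, "resources": resources, "verbs": verbs}

CLUSTER = {
    # (namespace, name) -> list of PolicyRules
    "roles": {
        ("devops", "devops-deploy-role"): [
            rule([""], ["secrets", "pods", "configmaps"], ["*"]),
            rule(["batch"], ["jobs"], ["get", "list", "watch", "create"]),
        ],
    },
    # subjects are (namespace, serviceaccount-name) pairs
    "rolebindings": [
        {"namespace": "devops", "roleRef": "devops-deploy-role",
         "subjects": [("devops", "devops-deploy")]},
        # The cross-namespace binding from the question: it lives in k6 but
        # names a Role that only exists in devops.
        {"namespace": "k6", "roleRef": "devops-deploy-role",
         "subjects": [("devops", "devops-deploy")]},
    ],
    "serviceaccounts": {("devops", "devops-deploy")},
}

def can_i(cluster, sa, verb, resource, api_group, namespace):
    """Mirror of 'kubectl auth can-i' for ServiceAccount sa=(ns, name)."""
    for rb in cluster["rolebindings"]:
        if rb["namespace"] != namespace or sa not in rb["subjects"]:
            continue
        # Rule 1: roleRef resolves only in the binding's namespace.
        for r in cluster["roles"].get((rb["namespace"], rb["roleRef"]), []):
            if (api_group in r["apiGroups"] and resource in r["resources"]
                    and ("*" in r["verbs"] or verb in r["verbs"])):
                return True
    return False  # no binding in that namespace grants it

def pod_can_use_sa(cluster, pod_namespace, sa_name):
    """Rule 2: the SA must exist in the Pod's namespace, not just be bound."""
    return (pod_namespace, sa_name) in cluster["serviceaccounts"]

def copy_role(cluster, name, src_ns, dst_ns):
    """Replicate a Role into another namespace, as suggested in the comments."""
    cluster["roles"][(dst_ns, name)] = list(cluster["roles"][(src_ns, name)])
```

Calling `can_i` for `k6` returns False until `copy_role` replicates the Role there, and `pod_can_use_sa(CLUSTER, "k6", "devops-deploy")` stays False regardless of RBAC, which is exactly the sequence of errors in the comments.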