TL;DR: kubectl returns a Forbidden error when using a service account via kubeconfig, but not with other authentication methods. What could I have done wrong?
Apologies in advance if this is a duplicate; I couldn't find my specific scenario and tried all the answers that popped up in searches.
I have a self-deployed Kubernetes 1.27 cluster, and aim to create a service account with all rights on a predefined set of namespaces. I want to create the kubeconfig file for this account to share with my team.
My user definition:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-team
---
apiVersion: v1
kind: Secret
metadata:
  name: dev-team-user-secret
  annotations:
    kubernetes.io/service-account.name: dev-team
type: kubernetes.io/service-account-token
Roles and bindings:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: all-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-user-bindings
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: all-role
subjects:
- kind: User
  name: dev-team
  apiGroup: rbac.authorization.k8s.io
---
# copy the previous RoleBinding for each namespace
- I check that my service account is working with:
kubectl get pods -n dev --as=dev-team
> NAME       READY   STATUS    RESTARTS      AGE
> pod-name   1/1     Running   5 (45h ago)   46h
And I get Forbidden errors on other namespaces, as expected.
Then, I created my kubeconfig by following this.
It looks like:
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: ###
    server: https://###:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dev-team
    namespace: default
  name: dev-team@kubernetes
current-context: dev-team@kubernetes
preferences: {}
users:
- name: dev-team
  user:
    token: ###
- The issue: when I use my kubeconfig:
kubectl get pods -n dev --kubeconfig=kubeconfig
> Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:dev-team" cannot list resource "pods" in API group "" in the namespace "dev"
I add this in case it helps:
kubectl auth can-i --list --as=dev-team
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]
kubectl auth can-i --list --kubeconfig=kubeconfig
Resources                                       Non-Resource URLs                     Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []               [create]
                                                [/.well-known/openid-configuration]   []               [get]
                                                [/api/*]                              []               [get]
                                                [/api]                                []               [get]
                                                [/apis/*]                             []               [get]
                                                [/apis]                               []               [get]
                                                [/healthz]                            []               [get]
                                                [/healthz]                            []               [get]
                                                [/livez]                              []               [get]
                                                [/livez]                              []               [get]
                                                [/openapi/*]                          []               [get]
                                                [/openapi]                            []               [get]
                                                [/openid/v1/jwks]                     []               [get]
                                                [/readyz]                             []               [get]
                                                [/readyz]                             []               [get]
                                                [/version/]                           []               [get]
                                                [/version/]                           []               [get]
                                                [/version]                            []               [get]
                                                [/version]                            []               [get]
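What the two checks in the question actually compare: `--as=<name>` impersonates a User whose username is exactly that string, whereas a service-account token authenticates as `system:serviceaccount:<namespace>:<name>`, an identity that only a `kind: ServiceAccount` subject (or a matching Group) selects. The following is an added illustration, not code from the original post: a small Python model of that subject-matching rule, evaluating the posted `kind: User` binding and a `kind: ServiceAccount` variant against both identities; the helper names and the group list are assumptions of the model, not the API server's code.

```python
"""Constructed model of RBAC subject matching, not Kubernetes' own code:
why `--as=dev-team` and the service-account token are different callers."""

SA_PREFIX = "system:serviceaccount:"

def subject_matches(subject: dict, username: str, groups: tuple = ()) -> bool:
    """True if one RoleBinding subject applies to the authenticated caller.
    User: exact username match. Group: name is in the caller's groups.
    ServiceAccount: caller is system:serviceaccount:<namespace>:<name>."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == username
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        return username == f"{SA_PREFIX}{subject['namespace']}:{subject['name']}"
    raise ValueError(f"unknown subject kind {kind!r}")

def binding_applies(subjects: list, username: str, groups: tuple = ()) -> bool:
    """True if any subject of a RoleBinding matches the caller."""
    return any(subject_matches(s, username, groups) for s in subjects)

# Subjects as posted in the question: a plain User named "dev-team".
POSTED_SUBJECTS = [{"kind": "User", "name": "dev-team"}]
# Corrected subjects: the ServiceAccount, in the namespace it was created in
# ("default", taken from the Forbidden message in the question).
FIXED_SUBJECTS = [{"kind": "ServiceAccount", "name": "dev-team", "namespace": "default"}]

# `kubectl --as=dev-team` impersonates a User whose username is exactly "dev-team".
IMPERSONATED_USER = "dev-team"
# The kubeconfig token authenticates as the SA username from the error message,
# plus the groups the API server assigns to every service account (assumed list).
TOKEN_USER = "system:serviceaccount:default:dev-team"
TOKEN_GROUPS = ("system:serviceaccounts", "system:serviceaccounts:default",
                "system:authenticated")

def compare() -> dict:
    """Which binding grants which caller: True means the binding applies."""
    return {
        "posted/impersonated": binding_applies(POSTED_SUBJECTS, IMPERSONATED_USER),
        "posted/token": binding_applies(POSTED_SUBJECTS, TOKEN_USER, TOKEN_GROUPS),
        "fixed/impersonated": binding_applies(FIXED_SUBJECTS, IMPERSONATED_USER),
        "fixed/token": binding_applies(FIXED_SUBJECTS, TOKEN_USER, TOKEN_GROUPS),
    }

if __name__ == "__main__":
    for case, allowed in compare().items():
        print(f"{case:20} {'allowed' if allowed else 'forbidden'}")
```

To ask the real cluster the same question the kubeconfig will, impersonate the token's full username rather than the bare name: `kubectl auth can-i list pods -n dev --as=system:serviceaccount:default:dev-team`.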