kubernetes: RBAC issue : Error from server (Forbidden): pods is forbidden: User "root" cannot list pods in the namespace "shopping"

Hello, I am getting the following error:

[root@centos-master ~]# kubectl --context=root-context get pods --namespace=shopping
Error from server (Forbidden): pods is forbidden: User "root" cannot list pods in the namespace "shopping"
[root@centos-master ~]#

I have created the role and role binding as follows:

[root@centos-master ~]# cat deployment.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-manager
  namespace: shopping
  rules:
    -
      apiGroups:
        - ""
        - extensions
        - apps
      resources:
        - deployments
        - replicasets
        - pods
      verbs:
        - "*"

and the RoleBinding is as follows:

[root@centos-master ~]# cat rolebinding-deployment.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-manager-binding
  namespace: shopping
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployment-manager
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: root

I created the resources using the following commands:

kubectl create -f rolebinding-deployment.yaml
kubectl create --validate=false -f deployment.yaml

Here is the kubectl config:

[root@centos-master ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.0.7.6:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    namespace: shopping
    user: root
  name: root-context
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: root
  user:
    client-certificate: /etc/kubernetes/pki/root.crt
    client-key: /etc/kubernetes/pki/root.key
[root@centos-master ~]#

My understanding is, using the above role permission, you should be able to list and deploy pods. Not getting why the error, though. Do I need to create the ClusterRole as well? I think it's not required, as I am not doing anything at cluster level. I just need permission at namespace level, and this configuration is enough, I guess.

Please suggest how I could resolve this error. Thanks.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

You are trying to grant access to deployments in the extensions and apps API groups. That requires you to specify the extensions and apps API groups in your role rules:

rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - '*'

I have created the role and rolebinding in the shopping namespace only.

Apparently not 😃

Delete the role and rolebinding from the default namespace, create them in the shopping namespace, and provide the output of:

kubectl get roles,rolebindings -n shopping -o yaml
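The decision the thread is debugging, modelled offline as an added example. This is not code from the issue, from the maintainers, or from Kubernetes; it follows the documented RBAC matching semantics (each rule is a cross product of apiGroups, resources and verbs, "*" is a wildcard, a RoleBinding only grants inside its own namespace, and RBAC has no deny rules) but is a simplified stand-in for the real authorizer. The objects are Python dicts standing in for the parsed manifests. Two assumptions are built in and marked in the code: that the question's manifest, which indents `rules:` under `metadata:`, ends up stored as a Role with no rules once `--validate=false` lets the server drop the unknown field, and that the maintainer's two-rule version is what the Role should contain.

```python
"""Offline model of the Kubernetes RBAC authorizer for namespaced Roles and
RoleBindings. Added example; not code from the issue, the maintainers or
Kubernetes. ClusterRoles/ClusterRoleBindings are left out on purpose, since
the thread is about namespace-scoped permissions only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attributes:
    """Request attributes RBAC looks at for a namespaced resource request."""
    user: str
    groups: tuple
    verb: str
    api_group: str   # "" is the core group (pods, secrets, ...)
    resource: str
    namespace: str


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, attrs):
    """A rule is a cross product: the request must hit one entry of each list."""
    return (_matches(rule.get("apiGroups", []), attrs.api_group)
            and _matches(rule.get("resources", []), attrs.resource)
            and _matches(rule.get("verbs", []), attrs.verb))


def subject_matches(subject, attrs):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == attrs.user
    if kind == "Group":
        return name in attrs.groups
    if kind == "ServiceAccount":
        return attrs.user == "system:serviceaccount:%s:%s" % (subject["namespace"], name)
    return False


def authorize(roles, bindings, attrs):
    """Return (allowed, reason). RBAC is allow-only: no matching rule means denied."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        ns = b["metadata"]["namespace"]
        if ns != attrs.namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if b["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are out of scope in this model
        if not any(subject_matches(s, attrs) for s in b.get("subjects", [])):
            continue
        role = roles_by_key.get((ns, b["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef: the binding grants nothing
        for rule in role.get("rules", []):
            if rule_allows(rule, attrs):
                return True, "allowed by RoleBinding %s/%s" % (ns, b["metadata"]["name"])
    return False, 'User "%s" cannot %s %s in the namespace "%s"' % (
        attrs.user, attrs.verb, attrs.resource, attrs.namespace)


# Constructed objects modelled on the manifests in the thread.
def binding(namespace):
    return {"metadata": {"name": "deployment-manager-binding", "namespace": namespace},
            "roleRef": {"kind": "Role", "name": "deployment-manager"},
            "subjects": [{"kind": "User", "name": "root"}]}

# Assumption: the question's manifest nests `rules:` under `metadata:`; with
# --validate=false the server drops the unknown field, leaving a Role with no rules.
ROLE_NO_RULES = {"metadata": {"name": "deployment-manager", "namespace": "shopping"}}

# The maintainer's rules: core-group pods in one rule, apps/extensions
# deployments and replicasets in another.
ROLE_FIXED = {"metadata": {"name": "deployment-manager", "namespace": "shopping"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
                        {"apiGroups": ["extensions", "apps"],
                         "resources": ["deployments", "replicasets"], "verbs": ["*"]}]}


def run_scenarios():
    """Replay the thread's situations; each value is the allow/deny decision."""
    list_pods = Attributes("root", ("system:authenticated",), "list", "", "pods", "shopping")
    in_shopping = [binding("shopping")]
    return {
        "role_without_rules": authorize([ROLE_NO_RULES], in_shopping, list_pods)[0],
        "binding_in_default_ns": authorize([ROLE_FIXED], [binding("default")], list_pods)[0],
        "fixed": authorize([ROLE_FIXED], in_shopping, list_pods)[0],
        "fixed_create_deployment": authorize([ROLE_FIXED], in_shopping,
            Attributes("root", (), "create", "apps", "deployments", "shopping"))[0],
        "fixed_list_secrets": authorize([ROLE_FIXED], in_shopping,
            Attributes("root", (), "list", "", "secrets", "shopping"))[0],
        "fixed_other_namespace": authorize([ROLE_FIXED], in_shopping,
            Attributes("root", (), "list", "", "pods", "default"))[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print("%-25s %s" % (name, "allowed" if allowed else "forbidden"))
```

Against a real cluster the equivalent checks are `kubectl get role deployment-manager -n shopping -o yaml` (does the stored object actually carry a top-level `rules:` list?) and `kubectl auth can-i list pods -n shopping --as root`, which asks the API server's authorizer the same question the model answers here. Note that the question's single rule listing `""`, `extensions` and `apps` together with `pods`, `deployments` and `replicasets` is a cross product, so splitting it as the maintainer shows grants only the combinations that exist rather than every pairing.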