external-dns: Unknown Serviceaccount error

I have used the RBAC manifest for Digital Ocean, but get the following error when deployed to GKE.

external-dns	1 Jun 2018, 14:36:27	time=“2018-06-01T13:36:27Z” level=error msg=“services is forbidden: User "system:serviceaccount:default:default" cannot list services at the cluster scope: Unknown user "system:serviceaccount:default:default"”

Manifest

`apiVersion: v1 kind: ServiceAccount metadata: name: external-dns

apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: external-dns rules:

apiGroups: [“”] resources: [“services”] verbs: [“get”,“watch”,“list”]
apiGroups: [“”] resources: [“pods”] verbs: [“get”,“watch”,“list”]
apiGroups: [“extensions”] resources: [“ingresses”] verbs: [“get”,“watch”,“list”]

apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: external-dns-viewer roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: external-dns subjects:

kind: ServiceAccount name: external-dns namespace: default

apiVersion: extensions/v1beta1 kind: Deployment metadata: name: external-dns spec: strategy: type: Recreate template: metadata: labels: app: external-dns spec: containers: - name: external-dns image: registry.opensource.zalan.do/teapot/external-dns:v0.5.1 args: - --source=service # ingress is also possible - --domain-filter=xxx.mydomain.com # (optional) limit to only example.com domains; change to match the zone created above. - --provider=digitalocean env: - name: DO_TOKEN value: “KEY”`

What do I need to do to make it work?

About this issue

Original URL
State: closed
Created 6 years ago
Reactions: 1
Comments: 16 (5 by maintainers)

Commits related to this issue

Add nodes view permissions Fixes #582 "User cannot list nodes at the cluster scope: Unknown user" — committed to rdeknijf/external-dns by rdeknijf 6 years ago
Add nodes permissions Fixes kubernetes-incubator/external-dns#582 — committed to rdeknijf/charts by rdeknijf 6 years ago
#582: Unknown Serviceaccount error Seems like there was attempts to fix it but change didn't make it to master — committed to dooman87/external-dns by dooman87 5 years ago
Merge pull request #1206 from dooman87/patch-1 #582: Unknown Serviceaccount error — committed to kubernetes-sigs/external-dns by k8s-ci-robot 5 years ago
Fix node permissions https://github.com/kubernetes-sigs/external-dns/issues/582 — committed to ivan-c/k8s-sandbox by ivan-c 3 years ago
integration_test: Refine cmd run utilities (#582) * integration_test: Refine cmd run utilities - refactored ITest.Run() to return ([]byte,error) - refactored all Run*** methods to use ITest.Run() T... — committed to lou-lan/external-dns by ahmetb 4 years ago

Most upvoted comments

I am still running into this issue using the new permissions and v0.5.4

burn2delete on Jul 4, 2018

I have a working cluster using:

- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","watch","list"]

burn2delete on Jul 27, 2018

@andreasolund I wrote a comment that 0.5.4 is available now

njuettner on Jun 28, 2018