Why can't pods running with a service account that has the needed permissions list pods?

Time:11-04

I have created a service account "serviceacc" in a namespace xyz and gave it the needed permissions. Yet it could not list pods. Here are the steps I followed.

$kubectl create namespace xyz

$kubectl apply -f objects.yaml

where the content of objects.yaml is:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: xyz
  name: listpodser
rules:
  - apiGroups: [""]
    resources: ["pod"]
    verbs: ["get", "list"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: xyz
  name: service-listpodser
subjects:
  - kind: ServiceAccount
    name: serviceacc
    apiGroup: ""
roleRef:
  kind: Role
  name: listpodser
  apiGroup: ""

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: serviceacc
  namespace: xyz

Then I checked if the service account has permission to list pods:

$ kubectl auth can-i get pods --namespace  xyz --as system:serviceaccount:xyz:serviceacc
no

$ kubectl auth can-i list pods --namespace  xyz --as system:serviceaccount:xyz:serviceacc
no

As we can see from the output of the above commands, it cannot get or list pods.

CodePudding user response:

Simple naming confusion. Use pods instead of pod in the resource list.
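The reason the mistake is easy to miss is that the API server does not validate the names in a Role's `rules[].resources` against the resources it actually serves: a rule naming "pod" is accepted without error and simply matches nothing, so the binding grants no access at all. The RBAC resource name is the plural, lowercase form that `kubectl api-resources -o name` prints (subresources such as pods/log are spelled with their plural parent). The following linter is an added example, not part of the original question or answer: it pulls the flow-style `resources: [...]` lists out of a manifest, checks each name against a constructed stand-in for the `kubectl api-resources -o name` output, suggests the plural form, and rewrites the manifest. The manifest and the resource list inside it are constructed for the example; on a real cluster you would feed in the live `api-resources` output instead.

```python
"""Lint RBAC Role/ClusterRole rules for resource names that can never match.

Added example (not from the original post). Kubernetes RBAC compares each
entry in rules[].resources with the plural, lowercase resource name the API
exposes. A singular name such as "pod" is accepted at apply time but grants
nothing, which is exactly the failure in the question above.
"""
import json
import re

# Constructed stand-in for the output of `kubectl api-resources -o name`.
# `api-resources` prints group-qualified names for non-core groups.
API_RESOURCE_NAMES = {
    "pods", "services", "configmaps", "secrets", "serviceaccounts",
    "deployments.apps", "replicasets.apps", "jobs.batch",
    "roles.rbac.authorization.k8s.io", "rolebindings.rbac.authorization.k8s.io",
}

# Constructed manifest mirroring the Role from the question, bug included.
ROLE_MANIFEST = """\
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: xyz
  name: listpodser
rules:
  - apiGroups: [""]
    resources: ["pod"]
    verbs: ["get", "list"]
"""

# Matches flow-style lists like `resources: ["get", "list"]`; the bracketed
# part is valid JSON, so json.loads parses it without a YAML dependency.
FLOW_LIST = re.compile(r"^\s*resources:\s*(\[.*\])\s*$", re.MULTILINE)


def bare_resource_names(api_resource_names):
    """Strip the API group: "deployments.apps" -> "deployments", "pods" -> "pods"."""
    return {name.split(".", 1)[0] for name in api_resource_names}


def resource_lists(manifest):
    """Return every `resources:` list found in the manifest, in document order."""
    return [json.loads(m.group(1)) for m in FLOW_LIST.finditer(manifest)]


def lint_resources(manifest, api_resource_names=API_RESOURCE_NAMES):
    """Return (bad_name, suggestion) pairs; an empty list means every name resolves."""
    valid = bare_resource_names(api_resource_names)
    problems = []
    for names in resource_lists(manifest):
        for name in names:
            parent = name.split("/", 1)[0]  # "pods/log" is checked through "pods"
            if parent == "*" or parent in valid:
                continue
            candidate = next((c for c in (parent + "s", parent + "es") if c in valid), None)
            # Keep any subresource suffix on the suggestion, e.g. "pods/log".
            suggestion = candidate + name[len(parent):] if candidate else None
            problems.append((name, suggestion))
    return problems


def fix_resources(manifest, api_resource_names=API_RESOURCE_NAMES):
    """Rewrite every quoted bad resource name for which a plural form was found."""
    fixed = manifest
    for name, suggestion in lint_resources(manifest, api_resource_names):
        if suggestion:
            fixed = re.sub('"%s"' % re.escape(name), lambda _m: '"%s"' % suggestion, fixed)
    return fixed


if __name__ == "__main__":
    for name, suggestion in lint_resources(ROLE_MANIFEST):
        print(f"resource {name!r} matches no API resource; did you mean {suggestion!r}?")
    print(fix_resources(ROLE_MANIFEST))
```

After applying the corrected manifest, confirm the effective permissions the same way the question does, with `kubectl auth can-i list pods --namespace xyz --as system:serviceaccount:xyz:serviceacc`; `kubectl auth can-i --list --as system:serviceaccount:xyz:serviceacc --namespace xyz` prints everything the account is allowed to do, which is the quickest way to spot a rule that silently grants nothing.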
