I have created a GKE Service Account.
I have been trying to use it within GKE, but I get the error:
pods "servicepod" is forbidden: error looking up service account service/serviceaccount: serviceaccount "serviceaccount" not found
I have followed the setup guide in this documentation.
1. Created a GCP Service Account called "serviceaccount"
2. Created and downloaded the JSON key as key.json.
3. kubectl create secret generic serviceaccountkey --from-file key.json -n service
4. Added the following items to my deployment:
spec:
  volumes:
  - name: serviceaccountkey
    secret:
      secretName: serviceaccountkey
  containers:
  - volumeMounts:
    - name: serviceaccountkey
      mountPath: /var/secrets/google
    env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /var/secrets/google/key.json
When I deploy this out, I get:
pods "service-7cdbcc67b9-" is forbidden: error looking up service account service/serviceaccount: serviceaccount "serviceaccount" not found
I'm not sure what else to do to get this working; I've followed the guide and can't see anything that's been missed.
Any help on this would be greatly appreciated!
CodePudding user response:
One of the reasons for getting this error can be that you have created a service account in one namespace and are trying to use that service account in another namespace.
We can resolve this error by role-binding the service account to the new namespace. If the existing service account is in the default namespace, then you can use this YAML file with the new namespace for the role binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-default
  namespace: <new-namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
Refer to this similar issue for more information.
CodePudding user response:
This was fixed by using Workload Identity to bind the K8s Service account to the GCP IAM service account:
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
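The error in the question is a per-namespace lookup: the pod's namespace ("service") must contain a Kubernetes ServiceAccount object named in `serviceAccountName`, and the Workload Identity answer additionally needs the `iam.gke.io/gcp-service-account` annotation on that object. The following preflight check is an added example, not code from the question or either answer; it reads constructed sample data shaped like `kubectl get ... -o json` output and a reduced deployment manifest, and assumes the pod spec sets `serviceAccountName: serviceaccount` (the question's snippet omits it).

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of `kubectl get serviceaccounts,secrets -n service -o json`:
# the key secret exists, but no ServiceAccount object was ever created in "service".
# Hypothetical data, not taken from the question author's cluster.
NAMESPACE_OBJECTS = json.dumps({"items": [
    {"kind": "Secret", "metadata": {"name": "serviceaccountkey", "namespace": "service"}},
]})

# Constructed deployment, reduced to the fields the check reads.
DEPLOYMENT = {
    "metadata": {"name": "service", "namespace": "service"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "serviceaccount",
        "volumes": [{"name": "serviceaccountkey",
                     "secret": {"secretName": "serviceaccountkey"}}],
    }}},
}

# Annotation GKE Workload Identity uses to bind a Kubernetes SA to a GCP IAM SA.
WI_ANNOTATION = "iam.gke.io/gcp-service-account"

def index_objects(raw_json: str) -> Dict[Tuple[str, str, str], dict]:
    """Key objects by (kind, namespace, name): references resolve per namespace, not by name."""
    items = json.loads(raw_json)["items"]
    return {(o["kind"], o["metadata"]["namespace"], o["metadata"]["name"]): o for o in items}

def preflight(deployment: dict, raw_json: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the references a pod makes into its namespace."""
    objs = index_objects(raw_json)
    ns = deployment["metadata"]["namespace"]
    pod = deployment["spec"]["template"]["spec"]
    findings: List[Tuple[str, str]] = []
    sa_name = pod.get("serviceAccountName")  # unset means the namespace's auto-created "default"
    if sa_name:
        sa = objs.get(("ServiceAccount", ns, sa_name))
        if sa is None:  # the same lookup the admission error in the question reports
            findings.append(("SA_MISSING", f"serviceaccount {sa_name!r} not found in namespace {ns!r}"))
        elif WI_ANNOTATION not in (sa["metadata"].get("annotations") or {}):
            findings.append(("SA_NOT_BOUND", f"{sa_name!r} lacks the {WI_ANNOTATION} annotation"))
    for vol in pod.get("volumes", []):
        secret = vol.get("secret", {}).get("secretName")
        if not secret:
            continue
        if ("Secret", ns, secret) not in objs:
            findings.append(("SECRET_MISSING", f"secret {secret!r} not found in namespace {ns!r}"))
        else:  # a mounted JSON key is a long-lived credential; Workload Identity avoids it
            findings.append(("KEY_SECRET_MOUNTED", f"volume {vol['name']!r} mounts key secret {secret!r}"))
    return findings
```

Against the sample data it reports `SA_MISSING` (the question's error) and `KEY_SECRET_MOUNTED`; once the ServiceAccount exists in "service" with the Workload Identity annotation and the key volume is dropped, it reports nothing.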