kubernetes ServiceAccount Role Verification failed

Time:09-20

questions:

Create a service account named dev-sa in the default namespace; dev-sa can create the components below in the dev namespace:

Deployment StatefulSet DaemonSet

result:

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: dev-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: sa-role
rules:
- apiGroups: [""]
  resources: ["deployment","statefulset","daemonset"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sa-rolebinding
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-sa
  namespace: default
roleRef:
  kind: Role
  name: sa-role
  apiGroup: rbac.authorization.k8s.io

Validation:

kubectl auth can-i create deployment -n dev \
--as=system:serviceaccount:default:dev-sa
no

This is an exam question, but I can't pass it.

Can you tell me where the mistake is? Thanks.

CodePudding user response:

In the Role, use * for the apiGroups and add an s to each resource name.

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: dev-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: sa-role
rules:
- apiGroups: ["*"]
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sa-rolebinding
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-sa
  namespace: default
roleRef:
  kind: Role
  name: sa-role
  apiGroup: rbac.authorization.k8s.io

CodePudding user response:

First, the apiGroup of Deployment, DaemonSet, and StatefulSet is apps, not core. So, for the apiGroups value, put "apps" instead of "" (an empty string represents the core group).

Second, remember: resources are always defined as the plural of the "kind". So, for the resources values, you should always use plural names, e.g. instead of deployment, use deployments.

So, your file should be something like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: dev-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: sa-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments","statefulsets","daemonsets"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sa-rolebinding
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-sa
  namespace: default
roleRef:
  kind: Role
  name: sa-role
  apiGroup: rbac.authorization.k8s.io

For the apiGroups values, be sure to check the docs.

I suggest you read this article about Users and Permissions in Kubernetes.
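An added example, not code from the question or from either answer, that checks a Role rule offline before running `kubectl auth can-i`. It assumes a constructed `kubectl api-resources` table (a small subset of what a cluster reports) and POSIX sh with awk; the function names `plural_for_kind`, `api_group_for_kind`, `rule_covers_kind` and `lint_rule` are chosen here. Besides the two mistakes in the question (core group instead of apps, singular names), it flags the `"*"` group from the first answer as broader than the task requires, which is a least-privilege point rather than a correctness one.

```shell
#!/bin/sh
# Added example (not code from the question or from either answer). It derives
# the plural resource name and API group a Role rule must use from a Kind,
# evaluates a rule the way RBAC matching does, and lints a rule for singular
# names, a wrong group, and a wildcard group.
set -f   # no pathname expansion: rule lists may contain a literal "*"

# Constructed sample in the column layout printed by `kubectl api-resources`.
# On a real cluster replace it with: API_RESOURCES=$(kubectl api-resources)
API_RESOURCES='NAME           SHORTNAMES   APIVERSION                     NAMESPACED   KIND
pods           po           v1                             true         Pod
deployments    deploy       apps/v1                        true         Deployment
daemonsets     ds           apps/v1                        true         DaemonSet
statefulsets   sts          apps/v1                        true         StatefulSet
roles                       rbac.authorization.k8s.io/v1   true         Role'

# The core API group is written "" in a Role; this script spells it "core" so
# that it survives shell word splitting in the space-separated rule lists.

# Print the api-resources line whose KIND (last column) is $1. SHORTNAMES may
# be empty, so columns are addressed from the end of the line, not by index.
api_resource_line() {
    printf '%s\n' "$API_RESOURCES" | awk -v kind="$1" 'NR > 1 && $NF == kind { print; exit }'
}

# Plural name for a Kind (the NAME column): Deployment -> deployments.
plural_for_kind() {
    api_resource_line "$1" | awk '{ print $1 }'
}

# API group for a Kind: the part of APIVERSION before "/", or core for a bare
# version such as "v1". Deployment -> apps, Pod -> core.
api_group_for_kind() {
    api_resource_line "$1" | awk '{ n = split($(NF-2), v, "/"); g = (n == 2) ? v[1] : "core"; print g }'
}

# Group that owns a plural resource name: deployments -> apps. Prints nothing
# for a name that no API resource has (for example a singular "deployment").
api_group_for_resource() {
    printf '%s\n' "$API_RESOURCES" | awk -v name="$1" \
        'NR > 1 && $1 == name { n = split($(NF-2), v, "/"); g = (n == 2) ? v[1] : "core"; print g; exit }'
}

# Exit 0 if a rule with these apiGroups ($2) and resources ($3), given as
# space-separated lists, lets its subject act on Kind $1. This mirrors the
# matching behind `kubectl auth can-i`: a group matches on "*" or exact
# equality and a resource matches on "*" or its exact plural name, so a
# singular "deployment" never matches, and neither does the core group for a
# resource that lives in apps.
rule_covers_kind() {
    kind=$1 rule_groups=$2 rule_resources=$3
    want_group=$(api_group_for_kind "$kind")
    want_plural=$(plural_for_kind "$kind")
    [ -n "$want_plural" ] || return 1            # unknown Kind
    group_ok=1 resource_ok=1
    for g in $rule_groups; do
        if [ "$g" = '*' ] || [ "$g" = "$want_group" ]; then group_ok=0; fi
    done
    for r in $rule_resources; do
        if [ "$r" = '*' ] || [ "$r" = "$want_plural" ]; then resource_ok=0; fi
    done
    [ $group_ok -eq 0 ] && [ $resource_ok -eq 0 ]
}

# Print one line per problem in a rule (nothing when it is clean): unknown or
# singular resource names, a group that does not own the resource, and a "*"
# group, which grants more than the task asks for.
lint_rule() {
    rule_groups=$1 rule_resources=$2
    for r in $rule_resources; do
        owner=$(api_group_for_resource "$r")
        if [ -z "$owner" ]; then
            if [ -n "$(api_group_for_resource "${r}s")" ]; then
                echo "resource '$r' is unknown; the plural form is '${r}s'"
            else
                echo "resource '$r' is unknown"
            fi
            continue
        fi
        for g in $rule_groups; do
            if [ "$g" = '*' ]; then
                echo "apiGroups '*' is broader than needed for '$r'; use '$owner'"
            elif [ "$g" != "$owner" ]; then
                echo "resource '$r' belongs to apiGroup '$owner', not '$g'"
            fi
        done
    done
}

# Stand-alone run (`sh rbac_check.sh demo`): the rule from the question, then
# the two corrected rules from the answers.
if [ "${1:-}" = demo ]; then
    for spec in 'core|deployment statefulset daemonset' \
                '*|deployments statefulsets daemonsets' \
                'apps|deployments statefulsets daemonsets'; do
        groups=${spec%%|*} resources=${spec#*|}
        echo "--- apiGroups [$groups] resources [$resources]"
        lint_rule "$groups" "$resources"
        rule_covers_kind Deployment "$groups" "$resources" && echo 'create deployments: yes' || echo 'create deployments: no'
    done
fi
```

On a real cluster, `kubectl api-resources | grep -i deployment` shows the NAME and APIVERSION columns the Role needs directly, and after applying the corrected Role the check from the question, `kubectl auth can-i create deployments -n dev --as=system:serviceaccount:default:dev-sa`, should print yes.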
