I am getting the below error when I try to fetch a resource (test-associations), which is created by assocOperator (a Kubernetes operator deployed at stage level) in the testns2 namespace, from the test-operator code (which is a Kubernetes operator deployed at stage level). Could someone please help with what I am missing here?
Error:
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.17.0.1/apis/tc.secassoc/v1/namespaces/testns2/associations/test-associations. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. associations.tc.secassoc "test-associations" is forbidden: User "system:serviceaccount:test-operator:test-operator" cannot get resource "associations" in API group "tc.secassoc" in the namespace "testns2"
CodePudding user response:
You need to add proper RBAC permission to your operator's service account (i.e. test-operator).
If you're already creating a ClusterRole and a ClusterRoleBinding for the operator's service account, make sure that the following rule exists in the rules section of the ClusterRole:
rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]
If you are not creating any of the RBAC resources, create the following:
- Create Cluster Role:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: associations-reader
rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]

$ kubectl apply -f cluster-role.yaml
- Create Cluster Role Binding:
$ kubectl create clusterrolebinding associations-reader-pod \
--clusterrole=associations-reader \
--serviceaccount=test-operator:test-operator
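To make the authorization decision behind the error concrete, here is an added example (not code from the question, the answer, or either operator) that models how the RBAC authorizer evaluates the GET from the error message: walk the bindings naming the service account, resolve each roleRef, and allow if any rule matches. The ClusterRole, ClusterRoleBinding, service account and request are taken from the answer; the RoleBinding variant (binding the same ClusterRole only inside testns2) and the namespace testns3 are constructed here to show the namespace-scoped alternative the answer does not cover.

```python
"""Added example: a minimal model of the Kubernetes RBAC decision for the
request in the question.  Names match the answer; the RoleBinding variant
and the namespace 'testns3' are constructed for illustration."""

WILDCARD = "*"


def service_account_user(namespace, name):
    """Username Kubernetes assigns to a service account (as seen in the error)."""
    return f"system:serviceaccount:{namespace}:{name}"


def rule_allows(rule, verb, api_group, resource):
    """One policy rule matches when every field lists the value or '*'."""
    def listed(allowed, value):
        return WILDCARD in allowed or value in allowed
    return (listed(rule["apiGroups"], api_group)
            and listed(rule["resources"], resource)
            and listed(rule["verbs"], verb))


def is_allowed(roles, bindings, user, verb, api_group, resource, namespace):
    """Authorize a namespaced request the way the RBAC authorizer does:
    for every binding that names the user, resolve its roleRef and allow
    if any rule of that role matches.  A RoleBinding only grants inside
    its own namespace, even when it references a ClusterRole."""
    for binding in bindings:
        if user not in binding["subjects"]:
            continue
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            role = roles.get(("ClusterRole", None, ref["name"]))
        else:  # a Role must live in the RoleBinding's own namespace
            role = roles.get(("Role", binding["namespace"], ref["name"]))
        if role is None:
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False


# The ClusterRole from the answer (associations-reader).
ASSOCIATIONS_READER = {
    "rules": [{"apiGroups": ["tc.secassoc"],
               "resources": ["associations"],
               "verbs": ["get", "watch", "list"]}],
}
ROLES = {("ClusterRole", None, "associations-reader"): ASSOCIATIONS_READER}

OPERATOR_SA = service_account_user("test-operator", "test-operator")

# The binding created by `kubectl create clusterrolebinding ...` in the answer.
CLUSTER_BINDING = {"kind": "ClusterRoleBinding", "namespace": None,
                   "roleRef": {"kind": "ClusterRole", "name": "associations-reader"},
                   "subjects": [OPERATOR_SA]}

# Constructed alternative: the same ClusterRole, bound only inside testns2.
NAMESPACED_BINDING = {"kind": "RoleBinding", "namespace": "testns2",
                      "roleRef": {"kind": "ClusterRole", "name": "associations-reader"},
                      "subjects": [OPERATOR_SA]}


def check(bindings, verb="get", namespace="testns2"):
    """The request from the error message, evaluated against a set of bindings."""
    return is_allowed(ROLES, bindings, OPERATOR_SA, verb,
                      "tc.secassoc", "associations", namespace)


if __name__ == "__main__":
    print("no binding (the error):", check([]))
    print("ClusterRoleBinding:", check([CLUSTER_BINDING]))
    print("RoleBinding in testns2, request in testns2:", check([NAMESPACED_BINDING]))
    print("RoleBinding in testns2, request in testns3:",
          check([NAMESPACED_BINDING], namespace="testns3"))
    print("delete with reader role:", check([CLUSTER_BINDING], verb="delete"))
```

With no binding the GET is denied, which is the Forbidden in the question; with the answer's ClusterRoleBinding it is allowed in every namespace, while the RoleBinding variant allows it only in testns2 and the reader role never grants delete. Against a live cluster the equivalent check is `kubectl auth can-i get associations.tc.secassoc -n testns2 --as=system:serviceaccount:test-operator:test-operator`.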