Home > OS >  Not able to access resource from kubernates operator
Not able to access resource from kubernates operator

Time:05-28

I am getting below error when I try to fetch resource(test-associations) which is created by assocOperator(kubernates operator deployed at stage level) in testns2 namespace from test-operator code (which is kubernates operator deployed at stage level) . Could some one please help what I am missing here?

Error :

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.17.0.1/apis/tc.secassoc/v1/namespaces/testns2/associations/test-associations. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. associations.tc.secassoc "test-associations" is forbidden: User "system:serviceaccount:test-operator:test-operator" cannot get resource "associations" in API group "tc.secassoc" in the namespace "testns2"

CodePudding user response:

You need to add proper RBAC permission to your operator's service account (i.e.test-operator).

If you're already creating a ClusterRole and a ClusterRoleBinding for the operator's service account. Make sure that the following rule exists in your rules section of ClusterRole:

rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]

If you are not creating any of the RBAC resources, create the followings:

  1. Create Cluster Role:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: associations-reader
rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]
$ kubectl apply -f cluster-role.yaml
  1. Create Cluster Role Binding:
$ kubectl create clusterrolebinding associations-reader-pod \
  --clusterrole=associations-reader  \
  --serviceaccount=test-operator:test-operator
  • Related