Home > OS >  cannot create resource "namespaces" in API group ""
cannot create resource "namespaces" in API group ""

Time:08-31

This is my ClusterRoleBinding and ClusterRole defination

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bootstrap
subjects:
- kind: ServiceAccount
  name: executors
  namespace: bootstrap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
- apiGroups:
  - '*'
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

The service account

[node1 ~]$ kubectl  get sa executors  -n bootstrap -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-08-30T19:51:17Z"
  name: executors
  namespace: bootstrap
  resourceVersion: "2209"
  uid: 488f5a2d-c44d-4db1-8d18-11a4f0206952
secrets:
- name: executors-token-2b2wl

The test Config

[node1 ~]$ kubectl create namespace test  --as=executors
Error from server (Forbidden): namespaces is forbidden: User "executors" cannot create resource "namespaces" in API group "" at the cluster scope
[no
[node1 ~]$ kubectl auth can-i create namespace --as=executors
Warning: resource 'namespaces' is not namespace scoped
no

Why I'm getting the above error I did follow the k8's doc of ClusterRoleBinding here

CodePudding user response:

Try this and let me know how it goes.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bootstrap
subjects:
- kind: ServiceAccount
  name: executors
  namespace: bootstrap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
- apiGroups:
  - ''
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

I see that in my cluster ClusterRole system:controller:namespace-controller have apiGroups of '' instead of '*' seen in your original ClusterRole.

CodePudding user response:

You're not creating clusterrole correctly, please use the following:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

Either use

apiGroups: [""]

OR

- apiGroups:
  - ''

Refer to documentation for more details: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

  • Related