My objective is to run the following command:
sudo pachctl deploy google ${BUCKET_NAME} ${STORAGE_SIZE} --dynamic-etcd-nodes=1
I face an error about permissions that I have(posted at last). So, I wanted to create my role via the following command:
sudo kubectl create clusterrolebinding aviralsrivastava-cluster-admin-binding --clusterrole=cluster-admin --user=aviral#socialcops.com
However, the above command is yielding me an error:
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "aviral#socialcops.com" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope: Required "container.clusterRoleBindings.create" permission.
You need to apply following RBAC permission as a cluster-admin to provide permission to user aviral#socialcops.com for creating clusterRole and clusterRoleBinding:
ClusterRole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prom-admin
rules:
# Just an example, feel free to change it
- apiGroups: [""]
resources: ["clusterRole", "clusterRoleBinding"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prom-rbac
subjects:
- kind: User
name: aviral#socialcops.com
roleRef:
kind: ClusterRole
name: prom-admin
apiGroup: rbac.authorization.k8s.io
Related
I am trying to deploy a job that downloads a file to a PVC that I have successfully created. The method of deploying the job is by applying a yaml with the kubectl at command line (on windows).
kubectl apply -f file-download.yaml
I get this error:
Error from server (Forbidden): error when creating "file-download.yaml": jobs.batch is forbidden: User "token-{my user token}" cannot create resource "jobs" in API group "batch" in the namespace "{my context}"
I read that I must create a role and then bind that role to either the user or the job. So I did:
role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: mycontext
name: example-role
rules:
- apiGroups: ["batch", "extensions"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: example-rolebinding
namespace: mycontext
subjects:
- kind: User
name: token-mytoken
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: example-role
apiGroup: rbac.authorization.k8s.io
What I am looking to find out if I have done this correctly, and also how do you 'invoke' these files such that the new rules apply to what I am trying to do? Is it sufficient to leave these two files in the working directory, of is there a kubectl command to apply them, for example (Or maybe a spot in the file-download.yaml that I have to reference these files?
I have used ansible to create my k8s cluster on ubuntu machine and made ubuntu user passwordless to do so.
I am unable to run manifest file in my kubernetes cluster with jenkins user and getting error.
[Pipeline] sh
kubectl apply -f deployment.yml -f service.yml
Error from server (Forbidden): window.location.replace('/login?from=%2Fswagger-2.0.0.pb-v1%3Ftimeout%3D32s');
I tried to add below rbac but still getting same error.
ubuntu#controlpanel:~$ cat role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: jenkins
name: jenkins
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
ubuntu#controlpanel:~$ cat sa.yml
apiVersion: v1
kind: ServiceAccount
metadata:
name: myaccount
namespace: jenkins
ubuntu#controlpanel:~$ cat rolbin.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: jenkins
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins
subjects:
- kind: ServiceAccount
name: myaccount
hi everyone i am using GKE and i am trying use RBAC and restrict other user to a specific namespace.
here is my RBAC policy
apiVersion: v1
kind: Namespace
metadata:
name: team-1
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: team-1
name: team_1-rw
rules:
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: team-1
name: team_1-binding
subjects:
- kind: User
name: abc#example.com
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: team_1-rw
apiGroup: rbac.authorization.k8s.io
after applying this policy when try to login from user id and do kubectl get deployments , it does not restrict me to check deployments in the default namespace.it should only work for me team-1 namespace but it gives unlimited access to other namespaces aswell Also i have given the user kubernetes engine viewer permission in IAM
I am trying to delete tekton kubernetes resources in the context of a service account with an on-cluster kubernetes config, and am experiencing errors specific to accessing deletecollection with all tekton resources. An example error is as follows:
pipelines.tekton.dev is forbidden: User "system:serviceaccount:my-account:default" cannot deletecollection resource "pipelines" in API group "tekton.dev" in the namespace "my-namespace"
I have tried to apply RBAC to help here, but continue to experience the same errors. My RBAC attempt is as follows:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: my-role
namespace: my-namespace
rules:
- apiGroups: ["tekton.dev"]
resources: ["pipelines", "pipelineruns", "tasks", "taskruns"]
verbs: ["get", "watch", "list", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: my-role-binding
namespace: my-namespace
subjects:
- kind: User
name: system:serviceaccount:my-account:default
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: my-role
apiGroup: rbac.authorization.k8s.io
These RBAC configurations continue to result in the same error. Is this, or similar necessary? Are there any examples of RBAC when interfacing with, specifically deleting, tekton resources?
Given two namespaces my-namespace and my-account the default service account in the my-account namespace is correctly granted permissions to the deletecollection verb on pipelines in my-namespace.
You can verify this using kubectl auth can-i like this after applying:
$ kubectl -n my-namespace --as="system:serviceaccount:my-account:default" auth can-i deletecollection pipelines.tekton.de
yes
Verify that you have actually applied your RBAC manifests.
Change the RBAC as below
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: my-role
namespace: my-namespace
rules:
- apiGroups: ["tekton.dev"]
resources: ["pipelines", "pipelineruns", "tasks", "taskruns"]
verbs: ["get", "watch", "list", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: my-rolebinding
namespace: my-namespace
subjects:
- kind: ServiceAccount
name: default
namespace: my-account
roleRef:
kind: Role
name: my-role
apiGroup: rbac.authorization.k8s.io
Few things to note:
Fixed subjects to use ServiceAccount from User. This is actually the cause of the failure because the service account was not granted the RBAC.
I assumed that you want to delete the Tekton resources in my-namespace by the default service account of my-account namespace . If it's different then changes in Role and RoleBinding need to be done accordingly.
I'm trying to create a read only user. I want the user to be able to list nodes and pods and view the dashboard. I got the certs created and can connect but I'm getting the following error.
$ kubectl --context minikube-ro get pods --all-namespaces
Error from server (Forbidden): pods is forbidden: User "erst-operation" cannot list pods at the cluster scope
My cluster role...
$ cat helm/namespace-core/templates/pod-reader-cluster-role.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: '*'
name: pod-reader
rules:
- apiGroups: ["extensions", "apps"]
resources: ["pods"]
verbs: ["get", "list", "watch"]
My cluster role binding...
$ cat helm/namespace-core/templates/pod-reader-role-binding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: erst-operation
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io
I'm aware the above shouldn't grant permissions to see the dashboard but how do I get it to just list the pods?
You cluster role should contain Core group as resource pods are in Core group.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: '*'
name: pod-reader
rules:
- apiGroups: ["extensions", "apps", ""]
resources: ["pods"]
verbs: ["get", "list", "watch"]