I have configured this before. According to my notes, I need to create two YAML files:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
and
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
This is what I wrote down the last time I configured this; however, this time it no longer works.
In Kubernetes dashboard I get the following error:
statefulsets.apps is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard-kong" cannot list resource "statefulsets" in API group "apps" in the namespace "default"
My user can see the cluster, so that is already something; I must have forgotten something. Note that this time I am using a later version of Kubernetes, 1.32. That might be the thing; I am unsure.
UPDATE:
kubectl get pod --namespace "kubernetes-dashboard"
NAME                                                    READY   STATUS    RESTARTS   AGE
kubernetes-dashboard-api-58788d78d8-bhnx5               1/1     Running   0          2d
kubernetes-dashboard-auth-777fdb77c5-g6g9b              1/1     Running   0          2d
kubernetes-dashboard-kong-64c6cbc84-rrv4z               1/1     Running   0          2d
kubernetes-dashboard-metrics-scraper-76df4956c4-hlrdh   1/1     Running   0          2d2h
kubernetes-dashboard-web-56df7655d9-2px8b               1/1     Running   0          2d
Update 1:
To generate the token to authenticate just now, I had to perform this:
kubectl -n kubernetes-dashboard create token kubernetes-dashboard-kong
Now I can no longer see the cluster; my previous token was no longer valid.
When I specify the namespace in the URL I get this:
pods is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard-kong" cannot list resource "pods" in API group "" in the namespace "kubernetes-dashboard"
When I check for the role binding, it is there:
kubectl get ClusterRoleBinding -n kubernetes-dashboard
NAME         ROLE
admin-user   ClusterRole/cluster-admin
I also see service accounts:
kubectl get ServiceAccount -n kubernetes-dashboard
NAME                                   SECRETS   AGE
admin-user                             0         4h58m
default                                0         2d2h
kubernetes-dashboard-api               0         2d2h
kubernetes-dashboard-kong              0         2d2h
kubernetes-dashboard-metrics-scraper   0         2d2h
kubernetes-dashboard-web               0         2d2h
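
An added example, not part of the original post: both errors above name `kubernetes-dashboard-kong` as the user, while the only subject of the `cluster-admin` binding is `admin-user`. The Python below decodes a service account token's `sub` claim and checks it against the binding's subjects; the tokens are constructed, unsigned samples standing in for `kubectl create token` output, and all function names are hypothetical.

```python
import base64
import json

# Subjects of the ClusterRoleBinding shown in the post (bound to cluster-admin).
BINDING_SUBJECTS = [
    {"kind": "ServiceAccount", "name": "admin-user",
     "namespace": "kubernetes-dashboard"},
]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(namespace: str, name: str) -> str:
    """Constructed, unsigned stand-in for a real service account token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"sub": f"system:serviceaccount:{namespace}:{name}"}
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_subject(token: str) -> str:
    """Read the `sub` claim without verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))["sub"]

def bound_usernames(subjects: list) -> set:
    """Usernames the API server derives for the ServiceAccount subjects."""
    return {f"system:serviceaccount:{s['namespace']}:{s['name']}"
            for s in subjects if s["kind"] == "ServiceAccount"}

def token_is_bound(token: str, subjects: list) -> bool:
    """True when the token's identity is one of the binding's subjects."""
    return token_subject(token) in bound_usernames(subjects)

if __name__ == "__main__":
    for sa in ("kubernetes-dashboard-kong", "admin-user"):
        tok = make_sample_token("kubernetes-dashboard", sa)
        print(token_subject(tok), "-> bound:", token_is_bound(tok, BINDING_SUBJECTS))
```
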