
Kubernetes rbac pod/exec create operation is forbidden

I am working on an operator and using operator-sdk for operator development. I am doing a pod exec for some business logic, but it keeps failing with the following error:

Failed to cleanup testst StatefulSet StatefulSet.Name : devst{"Instance.Namespace": "default", "Instance.Name": "testst-sample", "error": "pods \"testst-0\" is forbidden: User \"system:serviceaccount:test-db:default\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\""}

Following is the role definition:

Name:         manager-role
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"creationTimestamp":null,"name":"manager-ro...
PolicyRule:
  Resources                                  Non-Resource URLs  Resource Names  Verbs
  ---------                                  -----------------  --------------  -----
  statefulsets.''/finalizers                 []                 []              [create delete get list patch update watch]
  configmaps                                 []                 []              [create delete get list patch update watch]
  persistentvolumeclaims                     []                 []              [create delete get list patch update watch]
  secrets                                    []                 []              [create delete get list patch update watch]
  services                                   []                 []              [create delete get list patch update watch]
  statefulsets.apps                          []                 []              [create delete get list patch update watch]
  teststapps.example.com                     []                 []              [create delete get list patch update watch]
  teststapps.example.com/finalizers          []                 []              [create delete get patch update]
  pods/exec                                  []                 []              [create get]
  pods/log                                   []                 []              [get list watch]
  pods                                       []                 []              [get list watch]
  teststapps.example.com/status              []                 []              [get patch update]

Role Binding Definition

kubectl describe clusterrolebinding.rbac.authorization.k8s.io/manager-rolebinding
Name:         manager-rolebinding
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"manager-rolebinding"},"roleR...
Role:
  Kind:  ClusterRole
  Name:  manager-role
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  default  system

Please advise what I am doing wrong.

As per the RoleBinding you have associated the ClusterRole manager-role to the ServiceAccount default in the system namespace, but from the error the ServiceAccount is default in the test-db namespace.

If you change the namespace system to test-db in the RoleBinding it should work. Also make sure to create the RoleBinding in the test-db namespace instead of the system namespace.
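The decision behind that error, reproduced offline as an added example (this is not code from the post or from operator-sdk). The role rules, the binding subject and the error string are transcribed from the question; the authorizer model is deliberately reduced to the two checks that matter here, does some binding subject match the caller, and does a rule of the bound role cover the verb, API group and resource (no role aggregation, resourceNames or nonResourceURLs). Two facts the model encodes: a ClusterRoleBinding has no namespace of its own, so the namespace that must be corrected is the one on the ServiceAccount subject; and a RoleBinding only covers requests in the namespace it lives in, so a binding created in test-db would not cover an exec into a pod in default.

```python
"""Offline model of the Kubernetes RBAC decision for the error in the question.

Added example, not code from the original post. Rules, subjects and the error
string are transcribed from the post; nothing here contacts a cluster.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of the apiserver's forbidden message for a ServiceAccount caller.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<req_ns>[^"]+)")?'
)


@dataclass(frozen=True)
class Request:
    sa_namespace: str          # namespace of the calling ServiceAccount
    sa_name: str
    verb: str
    resource: str              # "pods/exec": RBAC matches resource/subresource as one string
    api_group: str             # "" is the core group
    namespace: Optional[str]   # namespace of the target object (None = cluster-scoped)

    @property
    def groups(self) -> List[str]:
        # Groups the apiserver attaches to every ServiceAccount identity.
        return ["system:serviceaccounts",
                f"system:serviceaccounts:{self.sa_namespace}",
                "system:authenticated"]


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Subject:
    kind: str                  # "ServiceAccount", "User" or "Group"
    name: str
    namespace: str = ""        # only meaningful for ServiceAccount


@dataclass(frozen=True)
class Binding:
    kind: str                        # "ClusterRoleBinding" or "RoleBinding"
    subjects: Tuple[Subject, ...]
    rules: Tuple[Rule, ...]          # rules of the referenced (Cluster)Role
    namespace: Optional[str] = None  # RoleBinding only: the namespace it applies to


def parse_forbidden(message: str) -> Request:
    """Extract caller and attempted action from a 'forbidden' error string."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        raise ValueError("not a ServiceAccount forbidden message")
    return Request(m["sa_ns"], m["sa"], m["verb"], m["resource"], m["group"], m["req_ns"])


def _covers(allowed: Tuple[str, ...], value: str) -> bool:
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    return (_covers(rule.api_groups, req.api_group)
            and _covers(rule.resources, req.resource)
            and _covers(rule.verbs, req.verb))


def subject_matches(subject: Subject, req: Request) -> bool:
    if subject.kind == "ServiceAccount":
        # Name AND namespace must both match; there is no wildcard for ServiceAccount subjects.
        return subject.name == req.sa_name and subject.namespace == req.sa_namespace
    if subject.kind == "Group":
        return subject.name in req.groups
    if subject.kind == "User":
        return subject.name == f"system:serviceaccount:{req.sa_namespace}:{req.sa_name}"
    return False


def authorize(req: Request, bindings: List[Binding]) -> Tuple[bool, str]:
    """Return (allowed, reason). Any one binding whose subject and rule both match allows."""
    for b in bindings:
        if b.kind == "RoleBinding" and b.namespace != req.namespace:
            continue  # a RoleBinding only covers requests in its own namespace
        if not any(subject_matches(s, req) for s in b.subjects):
            continue
        if any(rule_allows(r, req) for r in b.rules):
            return True, f"allowed by {b.kind} via {[s.name for s in b.subjects]}"
    return False, (f"no binding matches ServiceAccount {req.sa_namespace}/{req.sa_name} "
                   f"with a rule for {req.verb} {req.api_group or 'core'}/{req.resource}")


# Error and rules as posted (only the pod-related rules of manager-role are needed here).
ERROR = ('pods "testst-0" is forbidden: User "system:serviceaccount:test-db:default" '
         'cannot create resource "pods/exec" in API group "" in the namespace "default"')
MANAGER_ROLE_RULES = (
    Rule(("",), ("pods/exec",), ("create", "get")),
    Rule(("",), ("pods/log",), ("get", "list", "watch")),
    Rule(("",), ("pods",), ("get", "list", "watch")),
)
# Binding as posted: the subject points at ServiceAccount default in namespace "system".
AS_POSTED = Binding("ClusterRoleBinding",
                    (Subject("ServiceAccount", "default", "system"),), MANAGER_ROLE_RULES)
# The fix: same ClusterRoleBinding, subject namespace changed to "test-db".
FIXED = Binding("ClusterRoleBinding",
                (Subject("ServiceAccount", "default", "test-db"),), MANAGER_ROLE_RULES)
# Caveat: a RoleBinding placed in test-db does not cover an exec into a pod in "default".
ROLEBINDING_IN_TEST_DB = Binding("RoleBinding",
                                 (Subject("ServiceAccount", "default", "test-db"),),
                                 MANAGER_ROLE_RULES, namespace="test-db")


def check(binding: Binding) -> bool:
    """Would this single binding let the caller in the posted error perform the action?"""
    return authorize(parse_forbidden(ERROR), [binding])[0]


if __name__ == "__main__":
    for label, b in (("as posted", AS_POSTED), ("fixed", FIXED),
                     ("RoleBinding in test-db", ROLEBINDING_IN_TEST_DB)):
        print(f"{label:>22}: {authorize(parse_forbidden(ERROR), [b])}")
```

Against a real cluster the equivalent check, before and after applying the corrected binding, is `kubectl auth can-i create pods/exec --as=system:serviceaccount:test-db:default -n default`; the impersonated name is exactly the `User "..."` value printed in the forbidden error.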
