I have a requirement to get the resource details inside the pod and do some operations depending on the result. I'm using the k8s Python client inside the pod. After the Role/RoleBinding I'm getting forbidden.
I have created the ServiceAccount/Role/RoleBinding as below.
Can anyone help me with this issue?
apiVersion: v1
kind: ServiceAccount
metadata:
name: myaccount
namespace: dev
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: dev
name: pods-reader-role
rules:
-apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-controller
namespace: dev
subjects:
- kind: ServiceAccount
name: myaccount
apiGroup: ""
roleRef:
kind: Role
name: pods-reader-role
apiGroup: ""
Listing pods with their IPs:
Traceback (most recent call last):
File "/opt/scripts/bin/PodCont.py", line 792, in <module>
main()
File "/opt/scripts/bin/PodCont.py", line 596, in main
ret = v1.list_pod_for_all_namespaces(watch=False)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16864, in list_pod_for_all_namespaces
return self.list_pod_for_all_namespaces_with_http_info(**kwargs) # noqa: E501
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16981, in list_pod_for_all_namespaces_with_http_info
collection_formats=collection_formats)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 353, in call_api
_preload_content, _request_timeout, _host)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 184, in __call_api
_request_timeout=_request_timeout)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
headers=headers)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 243, in GET
query_params=query_params)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 233, in request
raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Mon, 05 Apr 2021 09:47:13 GMT', 'Content-Length': '285'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}
Answering the question, I think there are some things that should be considered: the YAML manifest, the Pod, and the Python code.
As there is no minimal, reproducible example we can at most assume how exactly you've configured your setup.
YAML
The YAML manifest that you've included is not indented correctly. The correct manifest should look like below:
full.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myaccount
  namespace: dev
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: pods-reader-role
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-controller
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: myaccount
    namespace: dev   # optional here; defaults to the RoleBinding's namespace
    apiGroup: ""     # ServiceAccount subjects use the core ("") group
roleRef:
  kind: Role
  name: pods-reader-role
  apiGroup: rbac.authorization.k8s.io   # roleRef must reference the RBAC group; "" is rejected by validation
A side note!
Consider creating a more restrictive Role for your use case, as this one allows doing everything in the dev namespace.
Pod
The potential issue here is that you've created a ServiceAccount with the name myaccount and the Pod is trying to authenticate using deploy-svc-account (User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource).
Please ensure that the correct ServiceAccount is used to run the Pod.
Example:
apiVersion: v1
kind: Pod
metadata:
  name: sdk
  namespace: dev
spec:
  serviceAccountName: myaccount # <-- IMPORTANT
  containers:
    - image: google/cloud-sdk
      command:
        - sleep
        - "infinity"
      imagePullPolicy: IfNotPresent
      name: sdk
  restartPolicy: Always
Assuming that you've used the code from the documentation page of the Kubernetes Python API library ("Listing pods with their IPs:"), there are 2 topics to consider here:
Citing the official documentation:
A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.
The permissions that you've assigned by a Role and a RoleBinding are for the dev namespace only. If you would like to have full cluster scope you would need to create a ClusterRole and a ClusterRoleBinding.
I encourage you to check the documentation included in the citation as it has some examples to follow and there are many explanations on that matter.
Also, a word about the Python code:
from kubernetes import client, config

# Inside a pod: read the service account token and CA from
# /var/run/secrets/kubernetes.io/serviceaccount and target the in-cluster API server.
config.load_incluster_config()
v1 = client.CoreV1Api()

print("Listing pods with their IPs:")
# Cluster-scoped request: needs "list pods" at the cluster scope (ClusterRole + ClusterRoleBinding).
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
    print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))
Focusing on:
ret = v1.list_pod_for_all_namespaces(watch=False)
This code will query for Pods from all namespaces; that's why you're also receiving the error cannot list resource \"pods\" in API group \"\" at the cluster scope.
To list the Pods from a specific namespace you can use:
ret = v1.list_namespaced_pod(namespace="dev", watch=False)
And by that you should be able to get:
python3 program.py:
Listing pods with their IPs:
10.32.0.15 dev sdk
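The 403 body in the question already names all three things the answer above checks by hand: which identity made the request (the pod's service account, not the one in the RoleBinding), the verb and resource, and whether the request was namespaced or cluster-scoped. The following is an added example, not code from the question or the answer, that parses that Status body and reports which of the usual causes applies; it needs neither a cluster nor the kubernetes client package. The sample input is the exact 403 body from the traceback, plus one constructed variant for a namespaced denial; the function names and the (namespace, name) tuple passed as the bound service account are this example's own conventions.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape of the RBAC authorizer's denial message, e.g.
#   User "system:serviceaccount:dev:x" cannot list resource "pods" in API group "" at the cluster scope
#   User "system:serviceaccount:dev:x" cannot get resource "pods/log" in API group "" in the namespace "dev"
_DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]*)")'
)
SA_PREFIX = "system:serviceaccount:"


@dataclass(frozen=True)
class Denial:
    user: str
    verb: str
    resource: str             # may be a subresource such as "pods/log"
    api_group: str            # "" is the core API group
    namespace: Optional[str]  # None means the request was cluster-scoped


def parse_forbidden(body: str) -> Denial:
    """Parse the JSON Status body returned with an HTTP 403 by the API server."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    m = _DENIAL_RE.search(status.get("message", ""))
    if m is None:
        raise ValueError("message is not an RBAC denial: %r" % status.get("message"))
    # group "namespace" is None when the "at the cluster scope" branch matched
    return Denial(m.group("user"), m.group("verb"), m.group("resource"),
                  m.group("group"), m.group("namespace"))


def service_account(user: str) -> Optional[Tuple[str, str]]:
    """Split system:serviceaccount:<ns>:<name> into (ns, name); None for other users."""
    if not user.startswith(SA_PREFIX):
        return None
    ns, _, name = user[len(SA_PREFIX):].partition(":")
    return (ns, name) if ns and name else None


def diagnose(denial: Denial, bound_sa: Tuple[str, str], role_namespace: str) -> List[str]:
    """Compare the denied identity and scope with what a Role/RoleBinding grants.

    bound_sa is the (namespace, name) the RoleBinding's subject refers to;
    role_namespace is where the Role and RoleBinding live (hypothetical inputs).
    """
    findings = []
    sa = service_account(denial.user)
    if sa is None:
        findings.append("request was not made by a service account: %s" % denial.user)
    elif sa != bound_sa:
        findings.append("pod runs as service account %s/%s but the RoleBinding targets %s/%s; "
                        "set spec.serviceAccountName in the pod" % (sa + bound_sa))
    if denial.namespace is None:
        findings.append("request is cluster-scoped; a Role/RoleBinding in namespace %r cannot grant it. "
                        "Call the namespaced API or use a ClusterRole + ClusterRoleBinding" % role_namespace)
    elif denial.namespace != role_namespace:
        findings.append("request targets namespace %r but the Role is bound in %r"
                        % (denial.namespace, role_namespace))
    if not findings:
        findings.append("identity and scope match the binding; check that the Role's rules include "
                        "verb %r on %r in apiGroup %r" % (denial.verb, denial.resource, denial.api_group))
    return findings


def minimal_rule(denial: Denial) -> Dict[str, List[str]]:
    """Least-privilege PolicyRule for exactly the denied request (instead of "*"/"*"/"*")."""
    return {"apiGroups": [denial.api_group], "resources": [denial.resource], "verbs": [denial.verb]}


# The 403 body from the question's traceback, used as sample input.
SAMPLE_403 = (
    '{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
    '"message":"pods is forbidden: User \\"system:serviceaccount:dev:deploy-svc-account\\" '
    'cannot list resource \\"pods\\" in API group \\"\\" at the cluster scope",'
    '"reason":"Forbidden","details":{"kind":"pods"},"code":403}'
)
# Constructed variant (not from the page): the right account, but a call against another namespace.
SAMPLE_403_NAMESPACED = SAMPLE_403.replace(
    "at the cluster scope", 'in the namespace \\"prod\\"').replace("deploy-svc-account", "myaccount")

if __name__ == "__main__":
    for body in (SAMPLE_403, SAMPLE_403_NAMESPACED):
        d = parse_forbidden(body)
        print(d)
        for f in diagnose(d, ("dev", "myaccount"), "dev"):
            print("  -", f)
        print("  minimal rule:", minimal_rule(d))
```

For the body in the question this reports both problems at once: the request came from deploy-svc-account rather than myaccount, and it was cluster-scoped, which no Role in dev can satisfy. The same check can be made against a live cluster without a pod at all with `kubectl auth can-i list pods --as=system:serviceaccount:dev:myaccount -n dev` (and the same command with `--all-namespaces` for the cluster-scoped call the script makes). The rule returned by `minimal_rule` is the one to put in the Role instead of the wildcard rule, so that the pod can list pods in dev and nothing else.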