Getting 403 error while trying to create Pods using Custom Service Account

偶尔善良 submitted on 2021-01-29 17:32:42

Question


I created the following objects in the k8s cluster.

  1. Namespace (testpsp)
  2. Custom ServiceAccount (testuser)
  3. Role and RoleBinding via manifest files

Please see below the yaml files for Role and RoleBinding resources.

$ cat developer.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: testpsp
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - create
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - '*'

$ cat developer-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: testpsp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- kind: ServiceAccount
  name: testuser

As you can see in the above-mentioned Role manifest file, I have given CREATE permission on the Pod resource to the testuser service account. But I am still getting the error.

Error

Error from server (Forbidden): error when creating "hello-pod.yaml": pods is forbidden: User "testuser" cannot create resource "pods" in API group "" in the namespace "testpsp"

Here is the Pod yaml file. Am I missing anything here?

$ cat hello-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-pod
  namespace: testpsp
spec:
  serviceAccountName: testuser
  containers:
  - name: hello-kubernetes
    image: paulbouwer/hello-kubernetes:1.5
    ports:
    - containerPort: 8080

Here is the command that I'm running to create the Pod.

$ kubectl --as=testuser -n testpsp create -f hello-pod.yaml


Answer 1:


While troubleshooting this issue, I noticed that instead of directly mentioning the ServiceAccount name in the "as" flag of the kubectl command, we need to use the following format:

system:serviceaccount:<namespace_name>:<serviceaccount_name>

In my case, it looks like this: system:serviceaccount:testpsp:testuser

Afterwards, it started working fine.
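The fix above works because the API server treats a bare --as value as a User named testuser, while a ServiceAccount subject in a RoleBinding only matches the username system:serviceaccount:<namespace>:<name>. The Python below is an added illustration (not code from the post or from Kubernetes) that models that subject matching and rule evaluation for the question's Role and RoleBinding; it assumes a single namespaced RoleBinding and ignores ClusterRoleBindings, Group subjects and aggregated roles.

```python
# Simplified model of how the Kubernetes RBAC authorizer matches a RoleBinding
# subject against the impersonated username (added illustration, not k8s code).
# Role and RoleBinding from the question, as dicts so this runs without a cluster.
ROLE = {
    "metadata": {"name": "developer", "namespace": "testpsp"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "create"]},
        {"apiGroups": ["extensions", "apps"],
         "resources": ["deployments", "replicasets"], "verbs": ["*"]},
    ],
}
BINDING = {
    "metadata": {"name": "developer-binding", "namespace": "testpsp"},
    "roleRef": {"kind": "Role", "name": "developer"},
    "subjects": [{"kind": "ServiceAccount", "name": "testuser"}],  # no namespace set
}

def sa_username(namespace, name):
    """Username the API server gives a ServiceAccount; this is what --as must carry."""
    return f"system:serviceaccount:{namespace}:{name}"

def subject_matches(subject, username, binding_namespace):
    """Does one RoleBinding subject apply to the (impersonated) username?"""
    if subject["kind"] == "User":
        return subject["name"] == username
    if subject["kind"] == "ServiceAccount":
        # A ServiceAccount subject without a namespace falls back to the binding's namespace.
        ns = subject.get("namespace") or binding_namespace
        return username == sa_username(ns, subject["name"])
    return False  # Group subjects are out of scope for this illustration

def rule_allows(rule, verb, api_group, resource):
    """A PolicyRule matches when verb, apiGroup and resource are each listed or wildcarded."""
    def listed(values, want):
        return "*" in values or want in values
    return (listed(rule["verbs"], verb) and listed(rule["apiGroups"], api_group)
            and listed(rule["resources"], resource))

def can_i(username, verb, resource, namespace, api_group="", role=ROLE, binding=BINDING):
    """True if username may perform verb on resource in namespace via this Role/RoleBinding."""
    bns = binding["metadata"]["namespace"]
    if namespace != bns or role["metadata"]["namespace"] != bns:
        return False  # a RoleBinding only grants inside its own namespace
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        return False
    if not any(subject_matches(s, username, bns) for s in binding["subjects"]):
        return False  # no subject applies: this is the 403 from the question
    return any(rule_allows(r, verb, api_group, resource) for r in role["rules"])
```

can_i("testuser", "create", "pods", "testpsp") returns False, while can_i(sa_username("testpsp", "testuser"), "create", "pods", "testpsp") returns True. Against a real cluster the same check is kubectl auth can-i create pods -n testpsp --as=system:serviceaccount:testpsp:testuser.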



Source: https://stackoverflow.com/questions/59384520/getting-403-error-while-trying-to-create-pods-using-custom-service-account
