worked through 21-rbac-serviceaccount with no success #23

Open
p-alik opened this issue May 5, 2024 · 3 comments

Comments

@p-alik
Contributor

p-alik commented May 5, 2024

The attempt to apply the solution of 21-rbac-serviceaccount didn't succeed in my environment.

k version
Client Version: v1.29.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29

Still getting:

k logs service-list -n t23 --since 5s
}{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services is forbidden: User \"system:anonymous\" cannot list resource \"services\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403

BTW I'd like to use the opportunity to express my profound gratitude to you for the crash course!

@bmuschko
Owner

bmuschko commented May 6, 2024

I think I'd need more information about your environment. What's the Kubernetes distribution you are using? Can you create a GitHub repository that contains the YAML manifests you are using for a reproducer?

@p-alik
Contributor Author

p-alik commented May 21, 2024

Well, the k8s cluster was set up manually on a Debian 11 virtual server.

root@k8s-master:~# dpkg -l | grep kube
hi  kubeadm                              1.29.2-1.1                      amd64        Command-line utility for administering a Kubernetes cluster
hi  kubectl                              1.29.2-1.1                      amd64        Command-line utility for interacting with a Kubernetes cluster
hi  kubelet                              1.29.2-1.1                      amd64        Node agent for Kubernetes clusters
ii  kubernetes-cni                       1.3.0-1.1                       amd64        Binaries required to provision kubernetes container networking

How to reproduce:

root@k8s-master:~# kk create namespace t23
namespace/t23 created
root@k8s-master:~# kk create serviceaccount api-call -n t23
serviceaccount/api-call created
root@k8s-master:~# k apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: service-list
  namespace: t23
spec:
  serviceAccountName: api-call
  containers:
  - name: service-list
    image: alpine/curl:3.14
    command: ['sh', '-c', 'while true; do curl -s -k -m 5 -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/services; sleep 10; done']
EOF
cat: /var/run/secrets/kubernetes.io/serviceaccount/token: No such file or directory
pod/service-list created
root@k8s-master:~# k logs service-list -n t23
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services is forbidden: User \"system:anonymous\" cannot list resource \"services\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403
}
..
root@k8s-master:~# k apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: list-services-clusterrole
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["list"]
EOF
clusterrole.rbac.authorization.k8s.io/list-services-clusterrole created
root@k8s-master:~# k apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: serviceaccount-service-rolebinding
subjects:
- kind: ServiceAccount
  name: api-call
  namespace: t23
roleRef:
  kind: ClusterRole
  name: list-services-clusterrole
  apiGroup: rbac.authorization.k8s.io
EOF
rolebinding.rbac.authorization.k8s.io/serviceaccount-service-rolebinding created
root@k8s-master:~# kubectl logs service-list -n t23
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services is forbidden: User \"system:anonymous\" cannot list resource \"services\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403
}
..

@p-alik
Contributor Author

p-alik commented May 22, 2024

Seems the problem is related to cat: /var/run/secrets/kubernetes.io/serviceaccount/token: No such file or directory. The request to the API from within the container succeeds:

root@k8s-master:~# k exec -it service-list -n t23 --  sh -c 'curl -s -k -m 5 -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/services' | jq .kind
"ServiceList"
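Added example, not code from the issue or the course repo: the cat error was printed on the host, which shows that the unquoted heredoc (<<EOF) let the host shell expand $(cat .../token) before kubectl ever saw the manifest, so the container sent "Authorization: Bearer " with an empty token and the API server treated the request as system:anonymous. The script below renders the container command both ways and checks whether the in-container token read survived; the render/classify functions and the one-line manifest fragment are constructed for this demonstration, the paths are the ones from the issue.

```shell
#!/bin/sh
# Added demonstration (not the issue's or the course's code) of the heredoc
# expansion that produced "Authorization: Bearer " with an empty token.

# Paths from the issue; the manifest fragment below is constructed.
TOKEN_PATH=/var/run/secrets/kubernetes.io/serviceaccount/token
API_URL=https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/services

# Same shape as the reporter's `k apply -f - <<EOF`: the delimiter is unquoted,
# so the host shell runs $(cat ...) while reading the body. On the host that
# file is missing, hence the "cat: ... No such file" line, and the header is
# rendered with nothing after "Bearer ".
render_unquoted() {
  cat <<EOF
command: ['sh', '-c', 'curl -s -k -H "Authorization: Bearer $(cat $TOKEN_PATH)" $API_URL']
EOF
}

# Fix: quote the delimiter (<<'EOF'). The body is passed through verbatim and
# the sh inside the container performs the token read, where the file exists.
render_quoted() {
  cat <<'EOF'
command: ['sh', '-c', 'curl -s -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/services']
EOF
}

# Reports whether a rendered manifest (on stdin) still carries the in-container
# token read ("intact") or the host already substituted it ("substituted").
# Usable as a pre-apply check on any manifest that embeds shell in a command: field.
classify() {
  if grep -qF 'Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)'; then
    echo intact
  else
    echo substituted
  fi
}

check_unquoted() { render_unquoted 2>/dev/null | classify; }
check_quoted()   { render_quoted | classify; }

echo "unquoted heredoc: $(check_unquoted)"   # substituted
echo "quoted heredoc:   $(check_quoted)"     # intact
```

Once the token is actually sent, the binding itself can be verified from the host with kubectl auth can-i list services -n default --as=system:serviceaccount:t23:api-call; note that the RoleBinding above was created without a metadata.namespace, so it lands in the kubeconfig's current namespace and only grants access there.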
