How to create a role to ServiceAccount with context
I want to create a role to service account with context.
My goal is to be able to run kubectl get pods with the context of the service account.
To do it I need:
- Create service account
- Create role
- Create bind role
- Create context
I created a service account:
kubectl create serviceaccount myservice
Role.yaml:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: development
name: my-role
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["pods"]
verbs: ["get"]
BindRole.yaml:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: my-role-binding
namespace: development
subjects:
- kind: ServiceAccount
name: myservice
namespace: development
apiGroup: ""
roleRef:
kind: Role
name: my-role
apiGroup: ""
I want to be able to run kubectl get pods in the context of the service account myservice.
To create context I need something like that:
kubectl config set-context myservice-context --cluster=kubernetes --user=???
But I can't use --user for the service account.
So how can I do it ?
I thought to use kubectl config set-credentials but it just creates a user and I already have the service account.
EDIT:
Here is my try to create a user with the token of the service account and then use it with kubectl --context=myservice-context get pods but it failed:
It appears the cluster maybe missing from your ~/.kube/config file. If it were a permissions issue, I would expect to see either error: You must be logged in to the server (Unauthorized) or Error from server (Forbidden).
The error you are seeing The connection to the server localhost:8080 was refused - did you specify the right host or port? implies that there is no cluster with the name you specified in your kubeconfig.
I'd check that your kubeconfig includes the cluster name kubernetes with certificate-authority-data and respective server.
For example here is me attempting with non-existent service account first with an invalid cluster, then again with a cluster that does exist in my kubeconfig.
Bad cluster name:
kubectl config set-context service-context \
--cluster=doesnotexist \
> --namespace=default \
> --user=service-account
Context "service-context" modified.
➜ ~ kubectl --context=service-context get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
Good cluster name:
kubectl config set-context service-context \
--cluster=exists \
--namespace=default \
--user=service-account
Context "service-context" modified.
➜ ~ kubectl --context=service-context get pods
error: You must be logged in to the server (Unauthorized)
The later error would suggest there was something wrong with your user/permissions. The former would suggest the cluster does not exist in your kubeconfig.
EDIT:
Also remember when you use sudo its using /root/.kube/config which may not be what you want
- Conflicting NetworkPolicies in kubernetes
- Why does my GKE cluster not show any events?
- Kubernetes NFS Persistent Volumes - multiple claims on same volume? Claim stuck in pending?
- Encountering connection problems with PostgreSQL when using psycopg2 on a port that has been forwarded
- The connection to the server localhost:8080 was refused
- GKE gateway API: Control open ports on default firewall rule
- How to use Kubernetes secret object stringData to store base64 encoded privateKey
- K8s cluster deployment error: nc: bad address 'xx'
- Ingress path redirection, helm chart
- fluentd with OpenSearch - where does the @timestamp field come from?
- How can I keep a container running on Kubernetes?
- kubectl logs displays only 'API server listening at: [::]:40000' when remote debugging with dlv is enabled - How do I get my logs back?
- failed calling webhook "vingress.elbv2.k8s.aws"
- Kubernetes - Frontend pod can't reach backend pod
- How to access Kubernetes API when using minkube?
- What is Difference between KubernetesManifest@0 and KubernetesManifest@1 in Yaml pipeline?
- kube-prometheus-stack issue scraping metrics
- No stdout/stderror output or delayed when running Haskell application in Kubernetes
- Is there an imperative command to create daemonsets in kubernetes?
- Mongo DB deployment not working in kubernetes because processor doesn't have AVX support
- Nginx Ingress Controller - Failed Calling Webhook
- Easily detect deprecated resources on Kubernetes
- How to configure a Kubernetes Multi-Pod Deployment
- Difference between targetPort and port in Kubernetes Service definition
- EKS Fargate workloads unable to resolve DNS names
- Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html"
- Can't install Kubernetes on Vagrant
- How do I force Kubernetes to re-pull an image?
- no endpoints available for service \"kubernetes-dashboard\"
- Cannot install kubernetes helm chart Error: cannot re-use a name that is still in use