I can't run any helm command without an error saying my user is forbidden. My user is forbidden to the kube-system and the default namespace.
Running something like this: kubectl create serviceaccount --namespace kube-system tiller
results in this error:
Error from server (Forbidden): serviceaccounts is forbidden: User "{my-user}" cannot create resource "serviceaccounts" in API group "" in the namespace "kube-system"
Running this: kubectl get serviceaccount [-n kube-system]
results in this error:
Error from server (Forbidden): serviceaccounts "[-n" is forbidden: User "cn188854" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
Error from server (Forbidden): serviceaccounts "kube-system]" is forbidden: User "cn188854" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
Running this: helm list
results in this error:
Error: pods is forbidden: User "{my-user}" cannot list resource "pods" in API group "" in the namespace "kube-system"
I'm guessing my user doesn't have access to the kube-system namespace, but I wouldn't see why not and I don't know how to give myself access to that namespace. I've reviewed several other posts and questions (such as this one on Stack Overflow and this one on GitHub). But I can't attempt any of their solutions because I always get a forbidden user on the helm command.
I'd appreciate any help, and would really appreciate some explanations as to why my user wouldn't have access at all like this.
After a lot of research and asking around, I've discovered that my user literally doesn't have access to the default or the kube-system namespaces in the cluster. I have to specify the cluster in which I have access.
Access depends on how the cluster you are using is set up. (My group cluster was set up this way for security.)
So if anyone else is experiencing this problem, check what cluster you're using and what permissions you have. If you need to specify the namespace, like I do, you can add this argument to your command: -n={name-of-namespace-you're-using}
For example, I can't run kubectl get pods because I don't have access to the default namespace. But if I specify a namespace I do have access to, like this: kubectl get pods -n={name-of-namespace}, then I'll be able to see my pods.
Sometimes you might also need to specify the tiller, usually by adding an argument like this: --tiller-namespace={name-of-tiller}
Make sure to check the options for the commands in the Helm docs or the kubectl docs, so you'll know what arguments to use.
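
An added example, not part of the original question or answer: a small shell script that reads the Forbidden messages quoted in the question and prints the kubectl auth can-i check for the verb, resource and namespace each one names. The function names are hypothetical. For the error that quotes "[-n", the parsed fields show the denied namespace was "default" and "[-n" was sent as an object name.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print "verb|resource|namespace|object-name" for one RBAC Forbidden line,
# or nothing if the line is not in that format.
forbidden_fields() {
  printf '%s\n' "$1" | sed -n -E \
    's/^Error( from server \(Forbidden\))?: ([a-z.]+)( "([^"]*)")? is forbidden: User "[^"]*" cannot ([a-z]+) resource "([^"]+)" in API group "[^"]*" in the namespace "([^"]+)".*$/\5|\6|\7|\4/p'
}

# Print the `kubectl auth can-i` check that asks the API server the same
# question the failed command implicitly asked.
can_i_command() {
  f=$(forbidden_fields "$1")
  [ -n "$f" ] || return 1
  verb=$(printf '%s' "$f" | cut -d'|' -f1)
  res=$(printf '%s' "$f" | cut -d'|' -f2)
  ns=$(printf '%s' "$f" | cut -d'|' -f3)
  name=$(printf '%s' "$f" | cut -d'|' -f4-)
  printf 'kubectl auth can-i %s %s -n %s\n' "$verb" "$res" "$ns"
  # A non-empty object name means kubectl treated an argument as the name of
  # an object to fetch; report it so stray arguments are easy to spot.
  if [ -n "$name" ]; then
    printf '# note: "%s" was sent as an object name\n' "$name"
  fi
}

# Error lines copied from the question above.
while IFS= read -r line; do
  can_i_command "$line"
done <<'EOF'
Error from server (Forbidden): serviceaccounts is forbidden: User "{my-user}" cannot create resource "serviceaccounts" in API group "" in the namespace "kube-system"
Error from server (Forbidden): serviceaccounts "[-n" is forbidden: User "cn188854" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
Error: pods is forbidden: User "{my-user}" cannot list resource "pods" in API group "" in the namespace "kube-system"
EOF
```

To see everything the current user may do in a namespace rather than one verb at a time, kubectl auth can-i --list -n={name-of-namespace} prints the full set.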