Search code examples
javaspring-bootkubernetesspring-cloudspring-cloud-kubernetes

Spring Cloud Kubernetes - User "system:serviceaccount:my-namespace:default" cannot list resource "services" in API group "" at the cluster scope

Question regarding the plugin Spring Cloud Kubernetes.

On a very simple main (where there is only one important class):

@EnableScheduling
@EnableAdminServer
@EnableConfigServer
@EnableDiscoveryClient
@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class);
    }
}

with a very simple POM:

 <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-kubernetes</artifactId>
        </dependency>

I am getting the following error message on application start up.

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://xxx.168.0.1/api/v1/services?labelSelector=type%3Dactuator%2Cspring-boot%3Dtrue. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. services is forbidden: User "system:serviceaccount:my-namespace:default" cannot list resource "services" in API group "" at the cluster scope.
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:589) ~[kubernetes-client-4.10.3.jar!/:na]

There are couple of other SO questions regarding this, but none talking about the issue being caused by Spring Cloud Kubernetes. Maybe I should find a way to "try scoping that request to a namespace" only instead of the entire cluster?

May I ask what is the root cause of this issue, and how to solve this please?

Thank you

(entire stack)

 [           main] o.s.boot.SpringApplication               : Application run failed

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://xxx.168.0.1/api/v1/services?labelSelector=type%3Dactuator%2Cspring-boot%3Dtrue. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. services is forbidden: User "system:serviceaccount:my-namespace:default" cannot list resource "services" in API group "" at the cluster scope.
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:589) ~[kubernetes-client-4.10.3.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:526) ~[kubernetes-client-4.10.3.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:492) ~[kubernetes-client-4.10.3.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:451) ~[kubernetes-client-4.10.3.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:433) ~[kubernetes-client-4.10.3.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.listRequestHelper(BaseOperation.java:166) ~[kubernetes-client-4.10.3.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:640) ~[kubernetes-client-4.10.3.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:79) ~[kubernetes-client-4.10.3.jar!/:na]
    at org.springframework.cloud.kubernetes.discovery.KubernetesDiscoveryClient.getServices(KubernetesDiscoveryClient.java:286) ~[spring-cloud-kubernetes-discovery-1.1.7.RELEASE.jar!/:1.1.7.RELEASE]
    at org.springframework.cloud.kubernetes.discovery.KubernetesDiscoveryClient.getServices(KubernetesDiscoveryClient.java:282) ~[spring-cloud-kubernetes-discovery-1.1.7.RELEASE.jar!/:1.1.7.RELEASE]
    at org.springframework.cloud.client.discovery.composite.CompositeDiscoveryClient.getServices(CompositeDiscoveryClient.java:67) ~[spring-cloud-commons-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at de.codecentric.boot.admin.server.cloud.discovery.InstanceDiscoveryListener.discover(InstanceDiscoveryListener.java:126) ~[spring-boot-admin-server-cloud-2.3.0.jar!/:2.3.0]
    at de.codecentric.boot.admin.server.cloud.discovery.InstanceDiscoveryListener.onApplicationReady(InstanceDiscoveryListener.java:100) ~[spring-boot-admin-server-cloud-2.3.0.jar!/:2.3.0]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
    at org.springframework.context.event.ApplicationListenerMethodAdapter.doInvoke(ApplicationListenerMethodAdapter.java:305) ~[spring-context-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.context.event.ApplicationListenerMethodAdapter.processEvent(ApplicationListenerMethodAdapter.java:190) ~[spring-context-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.context.event.ApplicationListenerMethodAdapter.onApplicationEvent(ApplicationListenerMethodAdapter.java:153) ~[spring-context-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172) ~[spring-context-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165) ~[spring-context-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139) ~[spring-context-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:404) ~[spring-context-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:361) ~[spring-context-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.boot.context.event.EventPublishingRunListener.running(EventPublishingRunListener.java:108) ~[spring-boot-2.3.5.RELEASE.jar!/:2.3.5.RELEASE]
    at org.springframework.boot.SpringApplicationRunListeners.running(SpringApplicationRunListeners.java:77) ~[spring-boot-2.3.5.RELEASE.jar!/:2.3.5.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:330) ~[spring-boot-2.3.5.RELEASE.jar!/:2.3.5.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) ~[spring-boot-2.3.5.RELEASE.jar!/:2.3.5.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.3.5.RELEASE.jar!/:2.3.5.RELEASE]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) ~
Solution

  • Seems you're likely using an account that isn't authorised from what I can find online. There's little in the way of a single solution I can identify one, but there is one potentially helpful resource:

    https://stackoverflow.com/a/58701728/7619034

    There were others but SO doesn't like links (to external sites). I can suggest if this does not help at all