Tags: kubernetes, volume, persistent-volume-claims

How can I provision a volume (part II)?


I am trying to configure RBAC so that I can provision a volume. This is a follow-up to this thread (How can I properly provision a volume for argo?). Adding a role changed the error from "cannot get resource" to "cannot create resource".

I now think it is a Kubernetes issue, but still do not understand how to solve it.

error:

Error from server (Forbidden): error when creating "/tmp/manifest.yaml": persistentvolumeclaims is forbidden: User "system:serviceaccount:argo:argo" cannot create resource "persistentvolumeclaims" in API group "" in the namespace "argo" 

role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow
  namespace: argo
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

Solution

  • RBAC auth rules are configured with K8s resources which can be placed in two groups:

    • Roles and ClusterRoles, which specify which verbs/actions can be performed on which resources.
    • RoleBindings and ClusterRoleBindings, which bind the above roles to specific users, groups or ServiceAccounts.

    In your case you successfully created Roles, but what you are missing is the RoleBindings; in short, who can perform the actions that you already specified.

    Role binding can be created using yaml files:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: workflow-argo
      namespace: argo
    subjects:
    # You can specify more than one "subject"
    - kind: User
      name: jane # "name" is case sensitive
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      # with "roleRef" you specify the binding to a Role / ClusterRole
      kind: Role
      name: workflow # here you have to reference the name of your Role
      apiGroup: rbac.authorization.k8s.io
    

    or with a command:

    kubectl create rolebinding workflow-argo --role=workflow --user=jane --namespace=argo
    

    For more, see the K8s documentation section: Using RBAC Authorization
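To make the answer's point concrete, here is an added example (not part of the answer or of Kubernetes itself): a small model of how a namespaced RBAC decision is made, using the Role from role.yaml and the ServiceAccount identity from the error message. It assumes the binding's subject is `argo:argo` rather than the docs' `jane` placeholder, and it is a simplified illustration, not the kube-apiserver authorizer.

```python
# Simplified model of a namespaced Kubernetes RBAC check (illustration only):
# a Role grants nothing until a RoleBinding in the same namespace names the subject.

ALL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]

# The asker's Role, transcribed from role.yaml on the page.
ROLE_WORKFLOW = {
    "kind": "Role", "name": "workflow", "namespace": "argo",
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ALL_VERBS},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ALL_VERBS},
        {"apiGroups": [""], "resources": ["persistentvolumeclaims"], "verbs": ALL_VERBS},
    ],
}

# Assumed RoleBinding: subject is the workflow ServiceAccount named in the error.
BINDING_ARGO_SA = {
    "namespace": "argo",
    "subjects": [{"kind": "ServiceAccount", "name": "argo", "namespace": "argo"}],
    "roleRef": {"kind": "Role", "name": "workflow"},
}

def subject_matches(subject, user):
    """ServiceAccounts authenticate as system:serviceaccount:<namespace>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and user == subject["name"]

def rule_allows(rule, verb, group, resource):
    """A single rule matches when group, resource and verb all match (or are '*')."""
    return all(("*" in allowed or want in allowed) for allowed, want in
               ((rule["apiGroups"], group), (rule["resources"], resource), (rule["verbs"], verb)))

def can_i(user, verb, resource, namespace, roles, bindings, group=""):
    """True only if a binding in `namespace` names `user` AND its Role has a matching rule."""
    for b in bindings:
        if b["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user) for s in b["subjects"]):
            continue  # binding exists, but not for this identity
        for role in roles:
            if (role["kind"], role["name"], role["namespace"]) == (b["roleRef"]["kind"], b["roleRef"]["name"], namespace):
                if any(rule_allows(r, verb, group, resource) for r in role["rules"]):
                    return True
    return False  # default deny: this is the "Forbidden" from the question

if __name__ == "__main__":
    sa = "system:serviceaccount:argo:argo"
    print("Role only:", can_i(sa, "create", "persistentvolumeclaims", "argo", [ROLE_WORKFLOW], []))
    print("Role + binding:", can_i(sa, "create", "persistentvolumeclaims", "argo", [ROLE_WORKFLOW], [BINDING_ARGO_SA]))
```

The first call reproduces the question's situation (Role present, no binding) and is denied; the second is allowed once the ServiceAccount is bound, while a request in another namespace or for a resource the Role does not list stays denied.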