io.fabric8.kubernetes.client.KubernetesClientException: Forbidden!Configured service account doesn't have access


    import io.fabric8.kubernetes.client.Config;
    import io.fabric8.kubernetes.client.ConfigBuilder;
    import io.fabric8.kubernetes.client.DefaultKubernetesClient;
    import io.fabric8.kubernetes.client.KubernetesClient;
    import io.fabric8.kubernetes.client.KubernetesClientException;

    Config config = new ConfigBuilder()
            .withMasterUrl("https://c2.eu-de.containers.cloud.ibm.com:78945")
            .build();
    try (KubernetesClient client = new DefaultKubernetesClient(config)) {
        // List the Pods in the "default" namespace and print their names
        client.pods().inNamespace("default").list().getItems().forEach(
                pod -> System.out.println(pod.getMetadata().getName())
        );
    } catch (KubernetesClientException ex) {
        // Handle exception
        ex.printStackTrace();
    }

I am getting this error:

    io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://c2.eu-de.containers.cloud.ibm.com:78945/api/v1/namespaces. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. namespaces is forbidden: User "system:serviceaccount:badefault" cannot list resource "namespaces" in API group "" at the cluster scope.


Solution

  • From your error, it looks like your ServiceAccount doesn't have the required access to perform that specific operation. You've posted code for listing Pod objects, but your error is complaining about listing Namespace objects.

    User "system:serviceaccount:badefault" cannot list resource "namespaces" in API group "" at the cluster scope
    

    You can provide Cluster Admin access to your ServiceAccount with this command:

    kubectl create clusterrolebinding default-pod --clusterrole cluster-admin --serviceaccount=<namespace>:badefault
    

    If you don't want to give it Cluster Admin access, you can define a custom ClusterRole to restrict which apiGroups and resources you want your ServiceAccount to access:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: badefault-cluster-role
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      - namespaces
      verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    

    You can then define a ClusterRoleBinding to bind this ClusterRole to your ServiceAccount object:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: badefault-cluster-role-binding
    subjects:
      - kind: ServiceAccount
        name: badefault
        namespace: default
    roleRef:
      kind: ClusterRole
      name: badefault-cluster-role
      apiGroup: rbac.authorization.k8s.io
    

    With this, your ServiceAccount should be able to access Pod and Namespace objects at cluster scope.
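The denial text in the exception above already names the subject, verb, resource, API group and scope that were refused, which is exactly what a least-privilege rule needs. The following added example (my own code, not from the question or the answer; stdlib only, function names are my choice) parses that message and builds the narrowest Role or ClusterRole that would satisfy it, instead of granting cluster-admin:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pattern for the API server's RBAC denial text that fabric8 passes through in
# KubernetesClientException messages; covers both the cluster-scoped and the
# namespaced phrasing.
_FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

@dataclass
class Denial:
    user: str
    verb: str
    resource: str
    api_group: str
    namespace: Optional[str]  # None means the request was cluster-scoped

def parse_forbidden(message: str) -> Denial:
    """Extract who was denied what; raises ValueError if this is not an RBAC denial."""
    m = _FORBIDDEN.search(message)
    if not m:
        raise ValueError("not an RBAC forbidden message")
    return Denial(m["user"], m["verb"], m["resource"], m["group"], m["namespace"])

def minimal_rbac(d: Denial) -> dict:
    """Narrowest Role/ClusterRole granting exactly the denied request.
    A cluster-scoped request needs a ClusterRole; a namespaced one only needs a Role."""
    kind = "ClusterRole" if d.namespace is None else "Role"
    meta = {"name": f"{d.resource}-{d.verb}"}
    if d.namespace is not None:
        meta["namespace"] = d.namespace
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": kind,
        "metadata": meta,
        "rules": [{"apiGroups": [d.api_group], "resources": [d.resource], "verbs": [d.verb]}],
    }

# Constructed sample: the denial quoted in the question (cluster-scoped namespace list).
SAMPLE = ('namespaces is forbidden: User "system:serviceaccount:badefault" cannot list '
          'resource "namespaces" in API group "" at the cluster scope')

if __name__ == "__main__":
    print(minimal_rbac(parse_forbidden(SAMPLE)))
```

The generated object still needs a RoleBinding or ClusterRoleBinding to the ServiceAccount, as in the answer; the questioner's pod listing in one namespace would additionally need a `list` rule on `pods` bound in that namespace.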