Search code examples
kubernetesrbac

CronJob Pod with RBAC Role via Serviceaccount Keeps Throwing Forbidden Error

I want to run patching of statefulsets for a specific use case from a Pod via a cronjob. To do so I created the following plan with a custom service account, role and rolebinding to permit the Pod access to the apps api group with the patch verb but I keep running into the following error:

Error from server (Forbidden): statefulsets.apps "test-statefulset" is forbidden: User "system:serviceaccount:test-namespace:test-serviceaccount" cannot get resource "statefulsets" in API group "apps" in the namespace "test-namespace"

my k8s plan:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    env: test
  name: test-serviceaccount
  namespace: test-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    env: test
  name: test-role
  namespace: test-namespace
rules:
- apiGroups:
  - apps/v1
  resourceNames:
  - test-statefulset
  resources:
  - statefulsets
  verbs:
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
  name: test-binding
  namespace: test-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-role
subjects:
- kind: ServiceAccount
  name: test-serviceaccount
  namespace: test-namespace
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  labels:
  name:test-job
  namespace: test-namespace
spec:
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 3
  jobTemplate:
    metadata:
      labels:
        env: test
    spec:
      activeDeadlineSeconds: 900
      backoffLimit: 1
      parallelism: 1
      template:
        metadata:
          labels:
            env: test
        spec:
          containers:
          - args:
            - kubectl -n test-namespace patch statefulset test-statefulset -p '{"spec":{"replicas":0}}'
            - kubectl -n test-namespace patch statefulset test-statefulset -p '{"spec":{"replicas":1}}'
            command:
            - /bin/sh
            - -c
            image: bitnami/kubectl
          restartPolicy: Never
          serviceAccountName: test-serviceaccount
  schedule: '*/5 * * * *'
  startingDeadlineSeconds: 300
  successfulJobsHistoryLimit: 3
  suspend: false

So far to debug:

  1. I have checked if the pod and serviceaccount association worked as expected and it looks like it did. I see the name of secret mounted on the Pod the cronjob starts is correct.

  2. Used a simpler role where apiGroups was "" i.e. all core groups and tried to "get pods" from that pod, same error

role description:

Name:         test-role
Labels:       env=test
Annotations:  <none>
PolicyRule:
  Resources             Non-Resource URLs  Resource Names   Verbs
  ---------             -----------------  --------------   -----
  statefulsets.apps/v1  []                 [test-statefulset]  [patch]

rolebinding description:

Name:         test-binding
Labels:       env=test
Annotations:  <none>
Role:
  Kind:  Role
  Name:  test-role
Subjects:
  Kind            Name                Namespace
  ----            ----                ---------
  ServiceAccount  test-serviceaccount  test-namespace
Solution

  • Stateful sets need two verbs to apply a patch : GET and PATCH. PATCH alone wont work