Tags: kubernetes, rbac

Kubernetes RBAC not giving access to resource


I'm trying to give a user access to specific resources using RBAC. I have defined a role and a role-binding, both under the same namespace. Despite the context identifying to use that namespace and user, the user does not have access to the resource.

Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: l
rules:
- apiGroups: [v1]
  resources: [secrets]
  verbs: [get, list, create, update, patch, delete]
- apiGroups: [v1]
  resources: [pods]
  verbs: [get, watch, list]

Rolebinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: l
  namespace: default
subjects:
- kind: User
  name: l
  namespace: default
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: l
  apiGroup: rbac.authorization.k8s.io

Context:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xx
    server: xx
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: l
  name: l
current-context: l
kind: Config
preferences: {}
users:
- name: l
  user:
    client-certificate-data: xx
    client-key-data: xx

Verifying a lack of permissions:

kubectl get pods --kubeconfig=l/l-k8s-config
Error from server (Forbidden): pods is forbidden: User "l" cannot list resource "pods" in API group "" in the namespace "default"
kubectl get secrets --kubeconfig=l/l-k8s-config
Error from server (Forbidden): secrets is forbidden: User "l" cannot list resource "secrets" in API group "" in the namespace "default"
kubectl auth can-i get secrets -n default --kubeconfig=l/l-k8s-config
no

Edit: As I was running an older version of kubernetes, 1.21.10, my specific issue was solved by setting each apiVersion to apiVersion: [''] instead of [""] as indicated by the accepted solution.


Solution

Each resource in Kubernetes has both an API group and an API version. When you see something like:

apiVersion: apps/v1

apps is the group, and v1 is the version.

For core resources like Pods, Secrets, etc., there is no API group, and the version is v1. When you create a role, you need to set the apiGroup to "". Take a look, for example, at the default edit role, which includes:

rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch

You need to update your role so that it reads:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""]
  resources: [secrets]
  verbs: [get, list, create, update, patch, delete]
- apiGroups: [""]
  resources: [pods]
  verbs: [get, watch, list]

This is all stated clearly in the error message you show in your question:

Error from server (Forbidden): pods is forbidden: User "l" cannot list resource "pods" in API group "" in the namespace "default"
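As an added example (not part of the question or the answer above), here is a small Python check that catches this exact mistake before a Role is applied: it flags apiGroups entries that are a version string like v1 or a group/version pair like apps/v1 instead of a bare group name, and rewrites them to "" for core resources. It works on the dict that yaml.safe_load would produce from the question's Role, which is embedded inline; the short CORE_RESOURCES list is an assumption for this example, not an exhaustive list.

```python
import copy
import re
from typing import Dict, List, Optional, Tuple

# Matches an API *version* (v1, v1beta1, v2alpha1); never a valid apiGroups value.
VERSION_RE = re.compile(r"^v\d+(?:(?:alpha|beta)\d+)?$")

# Resources that live in the core ("") group. Short list assumed for this example.
CORE_RESOURCES = {"pods", "secrets", "configmaps", "services", "namespaces",
                  "nodes", "serviceaccounts", "events", "persistentvolumeclaims"}

# The Role from the question, as the dict yaml.safe_load would return for it.
QUESTION_ROLE = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"namespace": "default", "name": "l"},
    "rules": [
        {"apiGroups": ["v1"], "resources": ["secrets"],
         "verbs": ["get", "list", "create", "update", "patch", "delete"]},
        {"apiGroups": ["v1"], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}

def lint_role_api_groups(role: Dict) -> List[Tuple[int, str, Optional[str]]]:
    """Return (rule_index, offending_group, suggested_group) for each apiGroups
    entry that is a version ("v1") or a group/version pair ("apps/v1") rather
    than a bare group name. The suggestion is None when it cannot be inferred."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        # Subresources such as pods/exec belong to the parent resource's group.
        resources = [r.split("/", 1)[0] for r in rule.get("resources", [])]
        all_core = bool(resources) and all(r in CORE_RESOURCES for r in resources)
        for group in rule.get("apiGroups", []):
            if VERSION_RE.match(group):
                # A bare version: core resources need "", anything else is unknown here.
                findings.append((i, group, "" if all_core else None))
            elif "/" in group:
                # "apps/v1" is group/version; apiGroups wants only "apps".
                findings.append((i, group, group.split("/", 1)[0]))
    return findings

def fix_role(role: Dict) -> Dict:
    """Return a copy of the Role with every inferable bad apiGroups entry replaced."""
    fixed = copy.deepcopy(role)
    for i, bad, suggestion in lint_role_api_groups(role):
        if suggestion is None:
            continue
        rule = fixed["rules"][i]
        rule["apiGroups"] = [suggestion if g == bad else g for g in rule["apiGroups"]]
    return fixed
```

Running lint_role_api_groups(QUESTION_ROLE) reports both rules as using "v1" where "" is expected; fix_role(QUESTION_ROLE) returns the corrected Role shown in the answer, which kubectl auth can-i would then confirm.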