Can't list the deployment resources using RBAC

0 votes

I've given x509 authentication to a user in Kubernetes, but deployment access doesn't seem to be working fine.

Roles:

# kubectl get rolebindings devops-rb -n demo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: 2018-03-26T13:43:49Z
  name: devops-rb
  namespace: demo
  resourceVersion: "2530329"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/demo/rolebindings/devops-rb
  uid: b6c17e28-30fb-11e8-b530-000d3a11bb2f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devops-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: devops

Role Bindings:

# kubectl get roles devops-role -n demo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: 2018-03-26T13:43:49Z
  name: devops-role
  namespace: demo
  resourceVersion: "2538402"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/demo/roles/devops-role
  uid: b6bee0fb-30fb-11e8-b530-000d3a11bb2f
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  - services
  - replicasets
  - persistentvolumeclaims
  - deployments
  verbs:
  - get
  - list
  - watch

Trying to list deployments using user config:

# kubectl --kubeconfig /root/.kube/config-tesla get deploy -n demo
Error from server (Forbidden): deployments.extensions is forbidden: User "tesla" cannot list deployments.extensions in the namespace "demo"

Trying to list deployments using the admin config:

# kubectl  get deploy -n demo
NAME              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
wordpress         1         1         1            1           13d
wordpress-mysql   1         1         1            1           13d

Trying to list pods using user config:

# kubectl --kubeconfig /root/.kube/config-tesla get po -n demo
NAME                               READY     STATUS    RESTARTS   AGE
ncp-centos-pod                     1/1       Running   0          12d
wordpress-77d578745-vdgr9          1/1       Running   0          13d
wordpress-mysql-58cf8dc9f9-pzvbs   1/1       Running   0          13d

Trying to list pods using admin config:

# kubectl  get pods -n demo
NAME                               READY     STATUS    RESTARTS   AGE
ncp-centos-pod                     1/1       Running   0          12d
wordpress-77d578745-vdgr9          1/1       Running   0          13d
wordpress-mysql-58cf8dc9f9-pzvbs   1/1       Running   0          13d

Dec 28, 2018 in Kubernetes by shubham
• 6,890 points

1 answer to this question.

0 votes

"extensions" and "apps" API groups cover replicasets and deployments.

Try this:

rules:
- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  - services
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch

answered Dec 28, 2018 by DareDev
• 6,810 points
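
The mismatch behind the Forbidden error, as an added example that is not part of the original question or answer: a simplified Python model of how RBAC matches a request's API group, resource and verb against Role rules. The function names and the `SERVED` table are assumptions made for illustration.

```python
# Simplified model of Kubernetes RBAC rule matching (added example).
# Not modelled: resourceNames, subresources, nonResourceURLs.
READ = ["get", "list", "watch"]

# Rules from the question's devops-role: every resource under the core group "".
ORIGINAL_RULES = [
    {"apiGroups": [""],
     "resources": ["pods", "secrets", "services", "replicasets",
                   "persistentvolumeclaims", "deployments"],
     "verbs": READ},
]

# Rules from the answer: workload resources moved to "extensions" and "apps".
FIXED_RULES = [
    {"apiGroups": [""],
     "resources": ["pods", "secrets", "services", "persistentvolumeclaims"],
     "verbs": READ},
    {"apiGroups": ["extensions", "apps"],
     "resources": ["deployments", "replicasets"],
     "verbs": READ},
]

# Constructed, partial sample of which API group serves which resource.
# On a live cluster this information comes from `kubectl api-resources`.
SERVED = {
    "": {"pods", "secrets", "services", "persistentvolumeclaims"},
    "extensions": {"deployments", "replicasets"},
    "apps": {"deployments", "replicasets"},
}

def _matches(entries, value):
    """A rule field matches on an exact entry or on the "*" wildcard."""
    return "*" in entries or value in entries

def allowed(rules, api_group, resource, verb):
    """RBAC is additive: allow if any single rule matches all three fields."""
    return any(_matches(r["apiGroups"], api_group)
               and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)

def dead_entries(rules, served):
    """(group, resource) pairs a role names that the group does not serve."""
    return [(g, res) for r in rules for g in r["apiGroups"] if g != "*"
            for res in r["resources"]
            if res != "*" and res not in served.get(g, set())]

if __name__ == "__main__":
    # The request from the error message: list deployments.extensions
    print(allowed(ORIGINAL_RULES, "extensions", "deployments", "list"))
    print(allowed(FIXED_RULES, "extensions", "deployments", "list"))
    print(dead_entries(ORIGINAL_RULES, SERVED))
```

The API server accepts a Role that names a resource under the wrong group without complaint, so `dead_entries` is the kind of check that catches the problem before a user hits Forbidden.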
