Amiyanshu Pratihari:
Created one role for dev-user as below, and the mapping is fine.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-08-21T11:59:40Z"
  name: developer
  namespace: blue
  resourceVersion: "3386"
  uid: 2b18d5b1-95ff-4346-82d6-32799095fbef
rules:
- apiGroups:
  - ""
  resourceNames:
  - dark-blue-app
  - blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
==================================
But when I try to get pods from the blue namespace, I get a forbidden error.
root@controlplane:~# kubectl get pods -n blue --as=dev-user
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "blue"
Parimelazhagan Vinayagam:
I guess you have a restriction with resourceNames but are trying to list all the pods.
Mohamed Ihsan:
You should remove the "resourceNames" section. It is limiting the resources to those names as well.
unnivkn:
Hope you already created a valid role binding.
kubectl auth can-i get pods dark-blue-app --namespace=blue
kubectl get pods dark-blue-app --namespace=blue
kubectl delete pods blue-app --namespace=blue
I think "create" is not valid with already existing resourceNames: you can comment out "- create" and recreate the role.
I removed the "resourceNames" but I am getting an error message.
$ kubectl get pods -n blue --as dev-user
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "blue"
$ kubectl auth can-i get pods -n blue --as dev-user
yes
Just ran across this same gotcha in a lab.
The actual answer is that after fixing the resourceNames in the Role … it grants permission to get just the specified pods. It does not permit a listing of all pods in the namespace.
The command to see the pods is:
kubectl get pod/blue-app pod/dark-blue-app -n blue --as dev-user
It's a little tricky since kubectl get pods is typically used in the labs.
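Added example, not code from anyone in this thread: a small Python model of how the RBAC authorizer matches a request against a Role's rules (simplified; subresources are not modelled). It shows why the posted "developer" Role allows get on the two named pods but denies the list request that kubectl get pods issues, and why create is also denied while resourceNames is present, since a list or create request carries no resource name when it is authorized. The Rule, Request and check names are this example's own.

```python
# Added example (not code from the thread): a minimal model of how the Kubernetes
# RBAC authorizer matches a request against a Role's rules. It shows why the
# "developer" Role posted above allows "get" on the two named pods but denies
# "kubectl get pods" (a "list" request, which carries no resource name).
from dataclasses import dataclass, field

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)

@dataclass
class Request:
    verb: str
    api_group: str
    resource: str
    name: str = ""  # empty for list, watch and create: no name known at authz time

def rule_allows(rule: Rule, req: Request) -> bool:
    """Simplified mirror of the RBAC rule-matching logic (no subresources)."""
    if "*" not in rule.verbs and req.verb not in rule.verbs:
        return False
    if "*" not in rule.api_groups and req.api_group not in rule.api_groups:
        return False
    if "*" not in rule.resources and req.resource not in rule.resources:
        return False
    # A rule with resourceNames matches only a request that names one of them.
    if rule.resource_names:
        return req.name != "" and req.name in rule.resource_names
    return True

def role_allows(rules, req: Request) -> bool:
    return any(rule_allows(r, req) for r in rules)

# The "developer" Role from the thread, as originally posted (with resourceNames).
DEVELOPER_RULES = [
    Rule(api_groups=[""], resources=["pods"],
         verbs=["get", "watch", "create", "delete"],
         resource_names=["dark-blue-app", "blue-app"]),
]

def check(verb: str, name: str = "") -> bool:
    """Would dev-user's Role allow this verb on pods in the core API group?"""
    return role_allows(DEVELOPER_RULES, Request(verb, "", "pods", name))
```

check("get", "dark-blue-app") is True (what kubectl get pod/dark-blue-app needs), while check("list") is False (what kubectl get pods needs), which is exactly the forbidden error at the top of the thread.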