kubernetesrbac

How to grant permissions across a whole Kubernetes cluster?

I have problem

kubectl get all

shows

Error from server (Forbidden): replicationcontrollers is forbidden: User "system:serviceaccount:default:svcaccount" cannot list resource "replicationcontrollers" in API group "" at the cluster scope
Error from server (Forbidden): daemonsets.apps is forbidden: User "system:serviceaccount:default:svcaccount" cannot list resource "daemonsets" in API group "apps" at the cluster scope
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:default:svcaccount" cannot list resource "deployments" in API group "apps" at the cluster scope
Error from server (Forbidden): replicasets.apps is forbidden: User "system:serviceaccount:default:svcaccount" cannot list resource "replicasets" in API group "apps" at the cluster scope
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:default:svcaccount" cannot list resource "statefulsets" in API group "apps" at the cluster scope
Error from server (Forbidden): cronjobs.batch is forbidden: User "system:serviceaccount:default:svcaccount" cannot list resource "cronjobs" in API group "batch" at the cluster scope
Error from server (Forbidden): jobs.batch is forbidden: User "system:serviceaccount:default:svcaccount" cannot list resource "jobs" in API group "batch" at the cluster scope

I applied role and rolebindings but still get the same. I am looking at example from offical docs

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io

How should I change in case of svcaccount?

Solution

  • This clusterrole will give you access to the whole cluster :

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

    You can then reference it from a clusterrolebinding like this :

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io

    And in case you want to attach it to a service account rather than the group manager :

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: my-service-account
  namespace: my-namespace