kubernetes pods is forbidden: User "user1" cannot list pods in the namespace "stage"

anish · Feb 6, 2019 · Viewed 9.3k times

While testing role-based access in the Alibaba Container Service, it throws the error "pods is forbidden: User "user1" cannot list pods in the namespace "stage"". This is an RBAC issue, but I'm not able to figure out where I'm going wrong.

The RoleBinding Definition

root@kube-master:# kubectl describe rolebinding stage-role-binding  -n stage
Name:         stage-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  staging
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  user2  

The Role Definition

root@kube-master:# kubectl describe role -n stage
Name:         staging
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  deployments             []                 []              [get list watch create update patch delete]
  pods                    []                 []              [get list watch create update patch delete]
  replicasets             []                 []              [get list watch create update patch delete]
  deployments.apps        []                 []              [get list watch create update patch delete]
  pods.apps               []                 []              [get list watch create update patch delete]
  replicasets.apps        []                 []              [get list watch create update patch delete]
  deployments.extensions  []                 []              [get list watch create update patch delete]
  pods.extensions         []                 []              [get list watch create update patch delete]
  replicasets.extensions  []                 []              [get list watch create update patch delete]

One pod is running well in the stage namespace

root@kube-master:# kubectl get pods -n stage 
NAME      READY     STATUS    RESTARTS   AGE
busybox   1/1       Running   0          10m

Defining context

root@kube-master:# kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
Context "stage" modified.

Testing RBAC

root@kube-master:/home/ansible# kubectl --context=stage get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "user1" cannot list pods in the namespace "stage"

Not sure where user1 is coming from and throwing the RBAC error.

There is only one context set, and it is for user2:

root@kube-master:# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   
          stage                         kubernetes   user2              stage

This is how I created the user:

openssl genrsa -out user2.key 2048
openssl req -new -key user2.key -out user2.csr -subj "/CN=user1/O=8gwifi.org"
openssl x509 -req -in user2.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user2.crt -days 500

kubectl config set-credentials user2 --client-certificate=user2.crt --client-key=user2.key
kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2

Answer

nightfury1204 · Feb 6, 2019

The RoleBinding is for user user2, not for user1. That's why you are getting the RBAC error.

Setting a context for user user2 does not mean that Kubernetes will identify this user as user2. It depends on the credential you use. If the credential used belongs to user user-x, then Kubernetes will treat it as user-x. The context's user is only for kubectl to find the user's credential info. To understand Kubernetes authentication, see here.

The credential you used there resolved to user user1, so you should update your RoleBinding to user1.

After the updated question

For certificate authentication, the CN will be the username (ref: here). In your certificate "/CN=user1/O=8gwifi.org", the username will therefore be user1, not user2.
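The check the answer describes, as an added example that is not part of the question or the answer: read the identity the API server will actually derive from a client certificate (username from the Subject CN, groups from the O fields) and compare it with the user named in the RoleBinding, rather than trusting the kubeconfig credential name. The file names, the self-signed throwaway certificate and the suggested fix commands are assumptions for illustration; the certificate is generated locally here only to reproduce the question's subject and is not the asker's key. The demo is skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example (not from the question or answer): determine which Kubernetes
# username a client certificate authenticates as and compare it with the
# subject in the RoleBinding. The kubeconfig "user" entry (user2 in the
# question) is only a label kubectl uses to look up the credential; the API
# server takes the username from the certificate's Subject CN and the groups
# from its O fields.
set -eu

# Extract the CN from an `openssl x509 -noout -subject` line. Handles both
# output styles: "subject=CN = user1, O = 8gwifi.org" (OpenSSL >= 1.1) and
# "subject= /CN=user1/O=8gwifi.org" (OpenSSL 1.0).
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Extract the O values (which Kubernetes maps to group names), one per line.
orgs_from_subject() {
  printf '%s\n' "$1" | tr ',/' '\n\n' | sed -n 's/^ *O *= *\(.*[^ ]\) *$/\1/p'
}

# Report the identity Kubernetes will see for a certificate and compare it
# with the username the RoleBinding grants to. Returns 0 on match, 1 otherwise.
# Usage: check_cert_user <cert.pem> <rolebinding-user>
check_cert_user() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  cn=$(cn_from_subject "$subj")
  echo "certificate subject : $subj"
  echo "kubernetes username : $cn"
  echo "kubernetes groups   : $(orgs_from_subject "$subj" | tr '\n' ' ')"
  if [ "$cn" = "$2" ]; then
    echo "OK: RoleBinding subject '$2' matches the certificate CN"
    return 0
  fi
  echo "MISMATCH: RoleBinding grants to '$2' but this cert authenticates as '$cn'"
  # Two ways out: bind the role to the name the cert really carries, or
  # reissue the cert with the intended CN. (Binding name is hypothetical.)
  echo "fix A: kubectl create rolebinding staging-$cn --role=staging --user=$cn -n stage"
  echo "fix B: reissue the certificate with -subj \"/CN=$2/O=<group>\""
  echo "verify: kubectl auth can-i list pods -n stage --as=$cn"
  return 1
}

# Demonstration with a throwaway self-signed certificate that reproduces the
# question's subject (constructed here; not the asker's real key material).
demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; return 0; }
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$tmp/user2.key" -out "$tmp/user2.crt" \
    -subj "/CN=user1/O=8gwifi.org" >/dev/null 2>&1
  # The kubeconfig entry is called user2, but the cert says CN=user1:
  check_cert_user "$tmp/user2.crt" user2 || true
  rm -rf "$tmp"
}
demo
```

Running it against the question's certificate prints the username `user1` and the group `8gwifi.org`, and flags the mismatch with a RoleBinding that names `user2`; the same functions work on any certificate issued by the cluster CA, so the check can be repeated after either fix.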