Hello, I would like to ask for help with creating ...
# general
Hello, I would like to ask for help with creating a new namespace using a Service Account. My idea is to have one namespace (named for example `a-ns`) that contains several resources, mainly Service Account, Role Binding and Role with `create` `namespace` permission. This namespace `a-ns` is part of a `project` in Rancher. Then I need to create a new namespace (called `b-ns`) using the Service Account. If I create it with the correct `label` and `annotation` of the project, it will automatically be assigned to the same `project` and I will not lose the permissions to manage it. However, this doesn't work when using a Service Account from a Pod. It only works using a user account from Rancher. The following commands were executed from a Pod:
```
❯ kubectl create -f namespace.yaml 
Error from server (Forbidden): error when creating "namespace.yaml": namespaces is forbidden: User "system:serviceaccount:handl-ns:ddiag-sa" cannot create resource "namespaces" in API group "" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "fleet-content" not found
```

```
❯ kubectl auth can-i --list
Resources                                       Non-Resource URLs                      Resource Names   Verbs
selfsubjectreviews.authentication.k8s.io        []                                     []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                                     []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                     []               [create]
clusterissuers.*                                []                                     []               [get list watch]
namespaces                                      []                                     []               [get watch list create]
pods                                            []                                     []               [get watch list]
...
```
Is it possible to create a new namespace using a Service Account with the default RBAC settings or without Cluster Role permissions? Thank you
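The minimal RBAC that makes this work, added here as an example and not part of the original post: `namespaces` is a cluster-scoped resource, so a Role and RoleBinding inside `a-ns` can never authorize creating one (and `kubectl auth can-i --list` evaluates rules in the current namespace, which is why `create` on `namespaces` can appear in that list while the cluster-scope request is still denied). A ClusterRole with only the `create` verb, bound by a ClusterRoleBinding, is the least-privilege way to grant it. The ServiceAccount name `ns-creator-sa` and the ClusterRole and binding names are assumptions chosen for illustration.

```yaml
# Added example, not from the original post. Assumed names: the
# ServiceAccount ns-creator-sa in namespace a-ns, and the ClusterRole and
# ClusterRoleBinding names below.
#
# namespaces are cluster-scoped, so a namespaced Role cannot grant this;
# a ClusterRole + ClusterRoleBinding is required. Grant only the verb
# actually needed. Note that resourceNames cannot restrict the create verb
# (the name is not known at authorization time), so this ClusterRole
# allows creating any namespace; keep its subjects list short.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-creator
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ns-creator-sa-namespace-creator
subjects:
  - kind: ServiceAccount
    name: ns-creator-sa
    namespace: a-ns
roleRef:
  kind: ClusterRole
  name: namespace-creator
  apiGroup: rbac.authorization.k8s.io
# Verify from outside the Pod (impersonating the ServiceAccount) before
# relying on it:
#   kubectl auth can-i create namespaces \
#     --as=system:serviceaccount:a-ns:ns-creator-sa
# The expected answer is "yes"; any other verb on namespaces stays "no".
```

The `clusterrole ... "fleet-content" not found` part of the error above indicates that some binding for that ServiceAccount references a ClusterRole that does not exist; such a binding grants nothing, and `kubectl get clusterrolebindings,rolebindings -A -o wide` shows which bindings reference which roles so the dangling one can be located and removed.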