https://rancher.com/ logo
Title
w

witty-engineer-12406

11/30/2022, 11:52 AM
Hello, I'm currently trying to create a Service Account for a pod which has a restricted set of rules.
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: ClusterRole
metadata:
  name: dummy-cr
rules:
  - nonResourceURLs: ["/healthz", "/readyz", "/livez"]
    verbs: ["get"]
  - apiGroups:
      - ""
    resources: ["pods", "pods/exec"]
    verbs: ["get", "delete", "create", "exec", "list"]
  - apiGroups:
      - ""
    resources: ["configmaps"]
    verbs: ["create", "delete"]
---
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: ClusterRoleBinding
metadata:
  name: dummy-crb
roleRef:
  apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
  kind: ClusterRole
  name: dummy-cr
subjects:
  - kind: ServiceAccount
    name: dummy-sa
    namespace: dummy-demo
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dummy-sa
  namespace: dummy-demo
I first used this in a local minkube installation, which worked as expected. But after switching to a rke2 cluster I'm just getting 401 Unauthorized ApiExceptions
To test the connection to the control plane, I use :
import os

from kubernetes import client, config

KUBE_CONFIG_FILE = ""

if os.path.isfile(KUBE_CONFIG_FILE):
    config.load_kube_config(KUBE_CONFIG_FILE)
# check if serviceaccount exits
elif os.path.exists("/run/secrets/kubernetes.io/serviceaccount"):
    print("startup: try loading service account")
    config.load_incluster_config()
else:
    raise Exception("FAIL: cannot connect to control plain")

result = client.ApiClient().call_api(resource_path="/healthz",
                                     method="GET",
                                     #  query_params={"verbose": "true"},
                                     response_type=str)
when I use the token from that service account and create a kubeconfig-file and access the api from outside the cluster it works also
ok, I tried now some other request with the service account, in that pod, e.g. list pods... which worked
now is the question why does the call against
/healthz
not work 🤔