Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
w
witty-engineer-12406
11/30/2022, 11:52 AMHello, I'm currently trying to create a Service Account for a pod which has a restricted set of rules.
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: ClusterRole
metadata:
name: dummy-cr
rules:
- nonResourceURLs: ["/healthz", "/readyz", "/livez"]
verbs: ["get"]
- apiGroups:
- ""
resources: ["pods", "pods/exec"]
verbs: ["get", "delete", "create", "exec", "list"]
- apiGroups:
- ""
resources: ["configmaps"]
verbs: ["create", "delete"]
---
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: ClusterRoleBinding
metadata:
name: dummy-crb
roleRef:
apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
kind: ClusterRole
name: dummy-cr
subjects:
- kind: ServiceAccount
name: dummy-sa
namespace: dummy-demo
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: dummy-sa
namespace: dummy-demoI first used this in a local minkube installation, which worked as expected. But after switching to a rke2 cluster I'm just getting 401 Unauthorized ApiExceptions
To test the connection to the control plane, I use :
import os
from kubernetes import client, config
KUBE_CONFIG_FILE = ""
if os.path.isfile(KUBE_CONFIG_FILE):
config.load_kube_config(KUBE_CONFIG_FILE)
# check if serviceaccount exits
elif os.path.exists("/run/secrets/kubernetes.io/serviceaccount"):
print("startup: try loading service account")
config.load_incluster_config()
else:
raise Exception("FAIL: cannot connect to control plain")
result = client.ApiClient().call_api(resource_path="/healthz",
method="GET",
# query_params={"verbose": "true"},
response_type=str)when I use the token from that service account and create a kubeconfig-file and access the api from outside the cluster it works also
ok, I tried now some other request with the service account, in that pod, e.g. list pods... which worked
now is the question why does the call against
/healthz