Welcome to the Linux Foundation Forum!

Lab 15.2 Step 15: pods is still forbidden

Hi There,

After rolebinding, I am still not able to "get pods", as following is show:

vagrant@master-1:~$ kubectl --context=DevDan-context get pods
Error from server (Forbidden): pods is forbidden: User "DevDan" cannot list resource "pods" in API group "" in the namespace "development"
vagrant@master-1:~$

Following is highlights of what I have done:

  1. At Step 6, I am using /home/vagrant/ for DevDan.crt and DevDan.key
    kubectl config set-credentials DevDan --client-certificate=/home/vagrant/DevDan.crt --client-key=/home/vagrant/DevDan.key

vagrant@master-1:~$ ls -al /home/vagrant/DevDan*
-rw-r--r-- 1 root root 1017 Mar 12 02:12 /home/vagrant/DevDan.crt
-rw-rw-r-- 1 vagrant vagrant 915 Mar 12 02:08 /home/vagrant/DevDan.csr
-rw------- 1 vagrant vagrant 1679 Mar 12 02:04 /home/vagrant/DevDan.key
vagrant@master-1:~$

  1. When looking at "developer" role, it is created:
    vagrant@master-1:~$ kubectl -n development describe role developer
    Name: developer
    Labels:
    Annotations:
    PolicyRule:
    Resources Non-Resource URLs Resource Names Verbs
    --------- ----------------- -------------- -----
    deployments [] [] [list get watch create update patch delete]
    pods [] [] [list get watch create update patch delete]
    replicasets [] [] [list get watch create update patch delete]
    deployments.apps [] [] [list get watch create update patch delete]
    pods.apps [] [] [list get watch create update patch delete]
    replicasets.apps [] [] [list get watch create update patch delete]
    deployments.extensions [] [] [list get watch create update patch delete]
    pods.extensions [] [] [list get watch create update patch delete]
    replicasets.extensions [] [] [list get watch create update patch delete]

  2. when looking at rolebinding:

vagrant@master-1:~$ kubectl -n development describe rolebinding developer-role-binding
Name: developer-role-binding
Labels:
Annotations:
Role:
Kind: Role
Name: developer
Subjects:
Kind Name Namespace
---- ---- ---------
User DevVan
vagrant@master-1:~$

Did I miss any? Help Appreciated.

Regards
Shao

Answers

  • chrispokorni
    chrispokorni Posts: 2,372

    Hi @caishaoping,

    I would revisit the rolebinding definition file, and check for typos.

    Regards,
    -Chris

  • Hi @chrispokorni,

    Indeed, there is typo on the User field in my rolebind.yaml, once corrected, all is so charming, as following.

    vagrant@master-1:~$ kubectl -n development edit rolebinding developer-role-binding
    rolebinding.rbac.authorization.k8s.io/developer-role-binding edited

    vagrant@master-1:~$ kubectl --context=DevDan-context get pods
    No resources found in development namespace.

    Thank you very much
    Shao

Categories

Upcoming Training