Created a service and assigned it to a namespace and pod.
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
# exported so that curl, a child process, actually sees the CA bundle
export CURL_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Try to list pods by calling the API server and still get a cert issue:
curl -H "Authorization: Bearer $TOKEN" https://10.43.0.1/api/v1/namespaces/$NS/pods
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Any ideas?
Actually, not a cert issue … looks like an RBAC issue?
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:redis-dev:redisappservice\" cannot list resource \"pods\" in API group \"\" in the namespace \"redis-dev\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
=======YAML for SERVICE ACCOUNT ======
apiVersion: v1
kind: ServiceAccount
metadata:
  name: redisappservice
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: redis-dev
  name: pod-reader
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: redis-dev
subjects:
  - kind: User
    name: redisappservice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Any thoughts here on RBAC privs?
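The 403 above names the caller as `system:serviceaccount:redis-dev:redisappservice`, which is the username the API server derives for a service account, while the RoleBinding posted grants the role to a `User` whose name is the bare string `redisappservice`, so no subject in the binding matches. The script below is an added example, not the poster's code and not part of Kubernetes: it models the subject-matching and rule-matching steps of a namespaced RBAC check for the manifests in the question (embedded here as constructed Python dicts mirroring the YAML above, Role references only, no ClusterRole or aggregation), and contrasts the binding as posted with a binding whose subject is `kind: ServiceAccount`.

```python
"""Minimal model of how a namespaced RBAC request is evaluated.

Added example, not the poster's code and not the real authorizer. The
manifests are constructed dicts mirroring the Role and RoleBinding in the
question; only Role (not ClusterRole) references are modelled.
"""


def service_account_username(namespace: str, name: str) -> str:
    """Username the API server assigns to a service account token."""
    return f"system:serviceaccount:{namespace}:{name}"


POD_READER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "redis-dev", "name": "pod-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}
    ],
}

# The binding as posted: a User subject carrying the bare service-account name.
BINDING_AS_POSTED = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "redis-dev"},
    "subjects": [
        {"kind": "User", "name": "redisappservice", "apiGroup": "rbac.authorization.k8s.io"}
    ],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}

# The same binding with a ServiceAccount subject, which needs name + namespace.
BINDING_FIXED = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "redis-dev"},
    "subjects": [
        {"kind": "ServiceAccount", "name": "redisappservice", "namespace": "redis-dev"}
    ],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}


def subject_matches(subject: dict, sa_namespace: str, sa_name: str) -> bool:
    """Does one binding subject refer to the given service account?"""
    kind = subject["kind"]
    if kind == "ServiceAccount":
        # Matched on the pair (namespace, name), not on the username string.
        return subject["name"] == sa_name and subject.get("namespace") == sa_namespace
    if kind == "User":
        # A User subject is an exact string match against the caller's username.
        return subject["name"] == service_account_username(sa_namespace, sa_name)
    if kind == "Group":
        # Every service account belongs to these two built-in groups.
        return subject["name"] in {
            "system:serviceaccounts",
            f"system:serviceaccounts:{sa_namespace}",
        }
    return False


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """Does one PolicyRule cover this group/resource/verb? '*' is a wildcard."""
    def hit(values, wanted):
        return "*" in values or wanted in values

    return (
        hit(rule["apiGroups"], api_group)
        and hit(rule["resources"], resource)
        and hit(rule["verbs"], verb)
    )


def can_i(roles, bindings, sa_namespace, sa_name, namespace, verb, resource, api_group=""):
    """True if some RoleBinding in `namespace` grants the verb to the account."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        if not any(subject_matches(s, sa_namespace, sa_name) for s in binding["subjects"]):
            continue  # nobody in this binding is the caller
        role = roles_by_key.get((namespace, binding["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    args = ([POD_READER_ROLE], None, "redis-dev", "redisappservice", "redis-dev", "list", "pods")
    print("as posted :", can_i(args[0], [BINDING_AS_POSTED], *args[2:]))
    print("fixed     :", can_i(args[0], [BINDING_FIXED], *args[2:]))
```

On a real cluster the same question is answered by the API server itself with `kubectl auth can-i list pods -n redis-dev --as=system:serviceaccount:redis-dev:redisappservice`, which is the quickest way to confirm a binding before giving the token to a workload; note also that the fixed binding still grants nothing in other namespaces and nothing beyond get/watch/list, which is the least-privilege shape you want for an in-pod token.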