Update configmap from pod

Hey, currently I have scheduled a pod on my Kubernetes cluster which has a go script and I am using client-go APIs to interact with the configmaps from inside my pod.
I have created Role and Rolebinding for that purpose.


apiVersion: rbac.authorization.k8s.io/v1
kind: Role
  namespace: default
  name: configmap-updater
- apiGroups: ["*"]
  resources: ["configmaps"]
  resourceNames: ["target-configmap"]
  verbs: ["get", "create", "update", "delete"]


kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
  name: demo-rolebinding
  namespace: default
    app: tools-rbac1
- kind: Group
  name: system:service
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-updater
  apiGroup: ""

Currently I am able to GET the configmap but I am unable to UPDATE it.
So is it even possible to update configmaps from pods. If yes, then what part of it I am missing.

Cluster information:

Kubernetes version: v1.21.1
Host OS: RHEL 8.1

Have you tried adding the patch verb?

  verbs: ["get", "create", "update", "patch", "delete"]

After updating a role, if the changes are not working immediately, delete the pod that the service account is attached to and recreate it. Being that this is a security feature, I assume that changes to this should be transient, but while developing stuff, I’ve experienced what I believe to be non transient results. I’m unsure on this though as I’ve not had time to replicate what I observed yet.

On another note, I would recommend removing delete if you don’t plan on actually deleting the configmap via the application.

Hey @protosam, thank you for the help.
I tried what you suggested but it did not work out.
But I have solved the problem. I created a cluster rolebinding using kubectl command.

kubectl create clusterrolebinding default-admin --clusterrole=admin --serviceaccount=default:default
kubectl run --rm -i demo --image=myimage

Using this allowed me to update a configMap using client-go APIs even from inside a pod that is scheduled on my kubernetes cluster.

Interesting, is the configmap you’re modifying in a different namespace than the pod that’s trying to modify it?

No, the pod and the configmap both are in the same namespace in my case.