kbatch-dev/helm-chart issue #8 (closed)

Description
After applying the helm chart for the kbatch-proxy, I ran into an issue where the kbatch service account was Forbidden from making the desired Kubernetes API calls.
Version info:
- kbatch 0.3.1
- kbatch-proxy 0.3.1
- helm-chart
Logs from the kbatch-proxy pod after `kbatch job list -o table`:

```
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"serviceaccounts is forbidden: User \"system:serviceaccount:dev:kbatch-kbatch-proxy\" cannot list resource \"serviceaccounts\" in API group \"\" in the namespace \"eskild\"","reason":"Forbidden","details":{"kind":"serviceaccounts"},"code":403}
```
I was able to get around this by creating a ClusterRole and ClusterRoleBinding for the aforementioned service account.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kbatch-clusterrole
rules:
  # "*" in the core ("") group covers every core resource cluster-wide,
  # including secrets, configmaps and pods, with create/patch on all of them.
  - apiGroups: ["batch", ""]
    resources: ["*"]
    verbs: ["get", "watch", "list", "patch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kbatch-clusterrolebinding
  # no namespace here: a ClusterRoleBinding is cluster-scoped, so the
  # field would be dropped by the API server anyway
subjects:
  - kind: ServiceAccount
    name: kbatch-kbatch-proxy
    namespace: dev
    apiGroup: ""   # core group; the correct value for ServiceAccount subjects
roleRef:
  kind: ClusterRole
  name: kbatch-clusterrole
  apiGroup: rbac.authorization.k8s.io
```

These permissions will likely need to be tightened or modified, but that said, with these permissions I was able to submit and list kbatch jobs.
I guess I have two remaining questions:
- Is it possible that I missed something in the kbatch/kbatch-proxy setup that might have led me to this issue?
- If we believe this is indeed an issue, I'd be happy to submit a PR to the helm-chart repo to add the ClusterRole and ClusterRoleBinding. Is this something you are amenable to?
Thanks a lot for all your great work :)
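The 403 body quoted above carries everything needed to write a narrower grant than the wildcard ClusterRole: the user, the verb, the resource, the API group and (for namespaced resources) the namespace. The script below is an added example, not code from the issue, kbatch or the helm-chart; it parses that denial format, aggregates repeated denials for one service account, and renders a namespaced Role/RoleBinding (or a ClusterRole/ClusterRoleBinding only where the denied resource is cluster-scoped). The issue's own log line is the first input; the two further Status bodies (a `create jobs` denial in `batch` and a `list namespaces` denial at cluster scope) are constructed to show aggregation and are not from the page. The role name `kbatch-proxy` is an assumption.

```python
"""Derive a least-privilege RBAC manifest from Kubernetes 403 Status bodies.

Added example, not kbatch or helm-chart code. It parses the "Forbidden"
message the API server emits, aggregates the denied
(namespace, apiGroup, resource, verb) tuples, and renders a Role/RoleBinding
per namespace (ClusterRole/ClusterRoleBinding for cluster-scoped resources)
bound to the denied service account, so the grant matches what was actually
denied rather than a cluster-wide wildcard.
"""
import json
import re
from collections import defaultdict

# Denial message format, e.g.
#   User "system:serviceaccount:dev:x" cannot list resource "serviceaccounts"
#   in API group "" in the namespace "eskild"
# Cluster-scoped resources end in "at the cluster scope" instead.
_FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)

# The 403 body from the issue (kbatch-proxy log), used as sample input.
ISSUE_BODY = r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"serviceaccounts is forbidden: User \"system:serviceaccount:dev:kbatch-kbatch-proxy\" cannot list resource \"serviceaccounts\" in API group \"\" in the namespace \"eskild\"","reason":"Forbidden","details":{"kind":"serviceaccounts"},"code":403}'

# Constructed (hypothetical) denials for the same account, to show aggregation.
EXTRA_BODIES = [
    r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"system:serviceaccount:dev:kbatch-kbatch-proxy\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"eskild\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403}',
    r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces is forbidden: User \"system:serviceaccount:dev:kbatch-kbatch-proxy\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"namespaces"},"code":403}',
]


def parse_forbidden(body):
    """Return {user, verb, resource, group, namespace} from a Status body."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("reason") != "Forbidden":
        raise ValueError("not a Forbidden Status object")
    m = _FORBIDDEN.search(status["message"])
    if m is None:
        raise ValueError("unrecognised denial message: " + status["message"])
    return m.groupdict()  # namespace is None for cluster-scoped resources


def service_account(user):
    """Split 'system:serviceaccount:<ns>:<name>' into (ns, name)."""
    parts = user.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError("not a service account user: " + user)
    return parts[2], parts[3]


def aggregate(denials):
    """Map (namespace, apiGroup, resource) -> sorted list of denied verbs."""
    verbs = defaultdict(set)
    for d in denials:
        verbs[(d["namespace"], d["group"], d["resource"])].add(d["verb"])
    return {key: sorted(v) for key, v in verbs.items()}


def _yaml_list(items):
    return "[" + ", ".join(json.dumps(i) for i in items) + "]"


def render_manifests(denials, role_name):
    """Render a Role/RoleBinding per namespace (ClusterRole/ClusterRoleBinding
    for cluster-scoped denials), all bound to the one denied service account."""
    users = {d["user"] for d in denials}
    if len(users) != 1:
        raise ValueError("denials must concern exactly one user")
    sa_ns, sa_name = service_account(users.pop())
    by_ns = defaultdict(list)
    for (ns, group, resource), verbs in sorted(aggregate(denials).items(), key=str):
        by_ns[ns].append((group, resource, verbs))
    docs = []
    for ns in sorted(by_ns, key=lambda n: n or ""):
        kind = "Role" if ns else "ClusterRole"
        meta = "metadata:\n  name: %s\n" % role_name
        if ns:
            meta += "  namespace: %s\n" % ns
        rules = "".join(
            "- apiGroups: %s\n  resources: %s\n  verbs: %s\n"
            % (_yaml_list([g]), _yaml_list([r]), _yaml_list(v))
            for g, r, v in by_ns[ns]
        )
        docs.append("apiVersion: rbac.authorization.k8s.io/v1\nkind: %s\n%srules:\n%s"
                    % (kind, meta, rules))
        docs.append("apiVersion: rbac.authorization.k8s.io/v1\nkind: %sBinding\n%s"
                    "subjects:\n- kind: ServiceAccount\n  name: %s\n  namespace: %s\n"
                    "roleRef:\n  kind: %s\n  name: %s\n  apiGroup: rbac.authorization.k8s.io\n"
                    % (kind, meta, sa_name, sa_ns, kind, role_name))
    return "---\n".join(docs)


if __name__ == "__main__":
    denials = [parse_forbidden(b) for b in [ISSUE_BODY] + EXTRA_BODIES]
    print(render_manifests(denials, "kbatch-proxy"))
```

Run it as-is and it prints a Role for `eskild` granting only `list` on `serviceaccounts` and `create` on `jobs.batch`, plus a ClusterRole granting only `list` on `namespaces`; no wildcard resource ever appears. Iterating this against the proxy's logs until the 403s stop is a reasonable way to arrive at the tightened rule set the issue says is needed, and `kubectl auth can-i --as=system:serviceaccount:dev:kbatch-kbatch-proxy -n eskild list serviceaccounts` confirms each grant without redeploying.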