Error: pods is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot list pods in the namespace "kube-system"
Hi,
I came across this error when trying to deploy my application to my Kubernetes cluster (Amazon EKS). The problem arises from the fact that the user being used to execute the commands during the deployment is the default user on the namespace (each namespace has one AFAIK), and this user doesn't have rights to list pods in kube-system. I fixed the problem by granting the permissions using the RoleBinding as below:
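```yaml
# v1beta1 in the original post; that API version was removed in Kubernetes 1.22
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods
  # ClusterRoleBinding is cluster-scoped, so this field does not limit the grant to kube-system
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitlab-managed-apps
roleRef:
  kind: ClusterRole
  # cluster-admin grants full rights across the whole cluster, not only listing pods
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```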
Save this to a file, like rbac-default-read.yaml, and from your terminal execute:

```shell
kubectl create -f rbac-default-read.yaml
```
What I can't understand is why the default user needs to list pods in the kube-system namespace, when it is itself in the gitlab-managed-apps namespace and I am also calling Helm to create pods in another namespace as below:

```shell
helm upgrade --install --namespace=my-namespace --set image=my-image MY_RELEASE ./chart-repo
```

The pods at the end are created correctly in my-namespace. Does anyone have an idea why it needs to list the pods in kube-system?
GitLab: GitLab Enterprise Edition 11.6.2-ee
GitLab Runner: Running in Kubernetes cluster (AWS EKS)
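
For comparison with the cluster-admin binding in the post, a namespaced Role and RoleBinding that grant only the permission named in the error message (listing pods in kube-system) to the same service account. This is an added example, not part of the original post; the names `pod-lister` and `gitlab-default-pod-lister` are hypothetical, and it assumes no verb beyond `list` is required.

```yaml
# Added example, not from the original post.
# A Role is namespaced: these rules apply only inside kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-lister                    # hypothetical name
  namespace: kube-system
rules:
  - apiGroups: [""]                   # "" is the core API group, where pods live
    resources: ["pods"]
    verbs: ["list"]                   # the only verb named in the error message
---
# A RoleBinding grants the Role only within its own namespace (kube-system),
# even though the subject lives in a different namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-default-pod-lister     # hypothetical name
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitlab-managed-apps
roleRef:
  kind: Role
  name: pod-lister
  apiGroup: rbac.authorization.k8s.io
```

The result can be checked with `kubectl auth can-i list pods --namespace kube-system --as system:serviceaccount:gitlab-managed-apps:default`. If the deployment then fails on a different verb or resource, the new "forbidden" error names it and it can be added to `rules` instead of widening the binding.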