RBAC: Pod cannot access Kubernetes API — ServiceAccount permissions
Problem
An application running inside a pod that calls the Kubernetes API (e.g. to list pods, update ConfigMaps) receives 403 Forbidden errors.
Solution
Create a ServiceAccount, bind it to a Role with the needed permissions, and assign it to the pod:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
  namespace: default
rules:
- apiGroups: [""] # core API group
  resources: ["pods", "configmaps"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-rolebinding
  namespace: default
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: default
roleRef:
  kind: Role
  name: app-role
  apiGroup: rbac.authorization.k8s.io

Then reference the ServiceAccount in the pod spec:

spec:
  serviceAccountName: app-sa

Why
Kubernetes uses RBAC to control API access. Unless a pod specifies a serviceAccountName, it runs as the namespace's default ServiceAccount, which has no permissions beyond basic self-inspection. Applications that need to interact with the API must be explicitly granted permissions via Role + RoleBinding (namespace-scoped) or ClusterRole + ClusterRoleBinding (cluster-scoped).

Gotchas
- Use Role + RoleBinding for namespace-scoped access; ClusterRole + ClusterRoleBinding for cluster-wide access
- The apiGroups field uses the empty string "" for core resources (pods, services, configmaps) and the group name for resources in other API groups (apps, batch, etc.)
- Debug permissions with: kubectl auth can-i list pods --as=system:serviceaccount:default:app-sa
- Avoid binding the cluster-admin ClusterRole to application ServiceAccounts; grant the minimum required permissions
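To make the matching rules concrete, here is an added Python example (not code from the original page) that models how the API server evaluates a request against Role rules, the same answer kubectl auth can-i reports, and lints a rule set for the least-privilege gotchas above. APP_ROLE_RULES mirrors the app-role manifest; BROAD_RULES, the function names and the findings wording are my own constructed assumptions.

```python
# Added example (not the page's code): offline model of RBAC PolicyRule matching plus a least-privilege lint.
from typing import Optional

# app-role rules from the Solution section, written as Python literals.
APP_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "configmaps"],
     "verbs": ["get", "list", "watch"]},
]
# Constructed over-broad rule set, used only to show what the lint flags.
BROAD_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
     "verbs": ["bind", "escalate"]},
]

def _resource_matches(allowed: str, requested: str) -> bool:
    """'*' matches everything; 'pods/log' only that subresource; '*/log' the log subresource of any resource."""
    if allowed == "*" or allowed == requested:
        return True
    if allowed.startswith("*/") and "/" in requested:
        return requested.split("/", 1)[1] == allowed[2:]
    return False

def rule_allows(rule: dict, verb: str, resource: str, api_group: str, name: Optional[str]) -> bool:
    """A single rule grants the request only if verb, apiGroup, resource and resourceName all match."""
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    if "*" not in rule["apiGroups"] and api_group not in rule["apiGroups"]:
        return False
    if not any(_resource_matches(r, resource) for r in rule["resources"]):
        return False
    names = rule.get("resourceNames")
    return not names or name in names  # no resourceNames means any object; list/watch carry no name

def can_i(rules: list, verb: str, resource: str, api_group: str = "", name: Optional[str] = None) -> bool:
    """Mirror 'kubectl auth can-i': allowed if any rule allows. RBAC is purely additive, there are no deny rules."""
    return any(rule_allows(r, verb, resource, api_group, name) for r in rules)

def lint_rules(rules: list) -> list:
    """Least-privilege findings: wildcards, and verbs that let a subject widen its own privileges."""
    findings = []
    for i, rule in enumerate(rules):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule[field]:
                findings.append(f"rule {i}: wildcard in {field}")
        for v in ("bind", "escalate", "impersonate"):
            if v in rule["verbs"]:
                findings.append(f"rule {i}: verb '{v}' can widen privileges")
    return findings
```

Note that app-role does not grant pods/log: a subresource must be listed explicitly, which is why can_i(APP_ROLE_RULES, "get", "pods/log") is False.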
Code Snippets
Verify ServiceAccount permissions using kubectl auth can-i
# Test what a ServiceAccount can do
kubectl auth can-i list pods \
  --as=system:serviceaccount:default:app-sa -n default

# List all permissions for a ServiceAccount
kubectl auth can-i --list \
  --as=system:serviceaccount:default:app-sa -n default

Context
Applications that need to interact with the Kubernetes API from within a pod