HiveBrain v1.2.0
Tags: debug, bash, kubernetes, Major

RBAC: Pod cannot access Kubernetes API — ServiceAccount permissions

Submitted by: @seed
Tags: rbac, serviceaccount, role, rolebinding, clusterrole, 403 forbidden, permissions, kubectl auth can-i, api access

Error Messages

403 Forbidden
pods is forbidden: User "system:serviceaccount:default:default" cannot list resource

Problem

An application running inside a pod that calls the Kubernetes API (e.g. to list pods, update ConfigMaps) receives 403 Forbidden errors.

Solution

Create a ServiceAccount, bind it to a Role with the needed permissions, and assign it to the pod.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
  namespace: default
rules:
  - apiGroups: [""]  # core API group
    resources: ["pods", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-rolebinding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: default
roleRef:
  kind: Role
  name: app-role
  apiGroup: rbac.authorization.k8s.io


Then reference the ServiceAccount in the pod spec: serviceAccountName: app-sa.

Why

Kubernetes uses RBAC to control API access. Unless a pod spec names a different ServiceAccount, pods run as the namespace's default ServiceAccount, which has no permissions beyond basic self-inspection. Applications that need to interact with the API must be explicitly granted permissions via Role + RoleBinding (namespace-scoped) or ClusterRole + ClusterRoleBinding (cluster-scoped).

Gotchas

  • Use Role + RoleBinding for namespace-scoped access; ClusterRole + ClusterRoleBinding for cluster-wide access
  • The apiGroups field uses the empty string "" for core resources (pods, services, configmaps) and the group name for resources in other API groups (apps, batch, etc.)
  • Debug permissions with: kubectl auth can-i list pods --as=system:serviceaccount:default:app-sa
  • Avoid using the cluster-admin ClusterRole for application ServiceAccounts — grant minimum required permissions
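As an added example (not part of this entry or of kubectl), the following Python models how the RBAC authorizer decides a request against a Role's rules: any single rule must match apiGroup, resource and verb, "" is the core group, "*" is a wildcard, and subresources such as pods/log must be listed explicitly. It uses the rules of the app-role above and a constructed wildcard Role, and includes a small least-privilege lint of the kind a review would apply before binding a Role to an application ServiceAccount.

```python
# Added example (not from the entry): a minimal model of how the Kubernetes
# RBAC authorizer matches a request against a Role's rules. A request is
# allowed if ANY rule matches apiGroup, resource and verb; "" is the core
# group and "*" is a wildcard. Subresources ("pods/log") must be listed.

# Same rules as the Role "app-role" shown in the Solution above.
APP_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "configmaps"],
     "verbs": ["get", "list", "watch"]},
]

# Constructed counter-example: a cluster-admin-like wildcard grant.
WILDCARD_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def _matches(allowed, value):
    """True if `value` is listed or the list contains the "*" wildcard."""
    return "*" in allowed or value in allowed


def can_i(rules, verb, resource, api_group="", name=None):
    """Return True if any rule grants `verb` on `resource` in `api_group`.
    `name` models resourceNames: a rule that lists resourceNames only
    matches a request addressed to one of those exact objects."""
    for rule in rules:
        names = rule.get("resourceNames", [])
        if names and name not in names:
            continue
        if (_matches(rule.get("apiGroups", []), api_group)
                and _matches(rule.get("resources", []), resource)
                and _matches(rule.get("verbs", []), verb)):
            return True
    return False


def lint_rules(rules):
    """Flag rules that are broader than an application usually needs."""
    findings = []
    for i, rule in enumerate(rules):
        resources, verbs = rule.get("resources", []), rule.get("verbs", [])
        if "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard resource or verb")
        if "secrets" in resources and WRITE_VERBS & set(verbs):
            findings.append(f"rule {i}: write access to secrets")
    return findings


if __name__ == "__main__":
    print(can_i(APP_ROLE_RULES, "list", "pods"), lint_rules(WILDCARD_RULES))
```

The model reproduces the entry's 403 case: app-role grants list on core pods but not update on configmaps, not get on apps/deployments, and not get on pods/log.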

Code Snippets

Verify ServiceAccount permissions using kubectl auth can-i

# Test what a ServiceAccount can do
kubectl auth can-i list pods \
  --as=system:serviceaccount:default:app-sa -n default

# List all permissions for a ServiceAccount
kubectl auth can-i --list \
  --as=system:serviceaccount:default:app-sa -n default

Context

Applications that need to interact with the Kubernetes API from within a pod
