kubectl apply only works as admin
laobob opened this issue · 2 comments
As an admin I can easily deploy the examples you provide.
As another user (e.g. ci user) I get the following error:
```
tzcronjobs.cronjobber.hidde.co "my-dummy-service" is forbidden: User "ci-user" cannot get resource "tzcronjobs" in API group "cronjobber.hidde.co" in the namespace "mynamespace": RBAC: clusterrole.rbac.authorization.k8s.io "mynamespace-letsencrypt-role" not found
```
Do you have any ideas where to look? Do I have to change the rbac in some way?
It seems to work if I add the following lines to the rbac.yml (granting explicit permissions to my ci user, not sure if this is the proper way to do it):
```yaml
- kind: User
  name: ci-runner
  namespace: mynamespace
```
(seems that leading spaces get removed by Github's markup renderer)
Sorry about not responding in a timely manner; this is my weekend project and I have a shortage of available time during weekends lately.
Your CI user is probably a user stripped of any permissions, and you need to add those permissions back so that it is able to operate on the TZCronJob resources.
```yaml
# Read-only access to everything in the cronjobber.hidde.co API group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tzcronjob-reader
rules:
  - apiGroups: ['cronjobber.hidde.co']
    resources: ['*']
    verbs: ["get", "list", "watch"]
---
# Modify and delete access to everything in the cronjobber.hidde.co API group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tzcronjob-writer
rules:
  - apiGroups: ['cronjobber.hidde.co']
    resources: ['*']
    verbs: ["update", "patch", "delete"]
```
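
The ClusterRoles above grant nothing until they are bound to a subject. As an added example (not part of the thread or the project's manifests), the following RoleBindings attach them to the CI user inside one namespace only; the user name `ci-user` and namespace `mynamespace` are taken from the error message, and the binding names are hypothetical.

```yaml
# Added example. A RoleBinding that references a ClusterRole applies that
# role's rules only inside the binding's own namespace, so the CI user
# gains no access to TZCronJobs anywhere else in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-tzcronjob-reader   # hypothetical name
  namespace: mynamespace
subjects:
  - kind: User
    name: ci-user             # assumed: the user named in the error message
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: tzcronjob-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-tzcronjob-writer   # hypothetical name
  namespace: mynamespace
subjects:
  - kind: User
    name: ci-user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: tzcronjob-writer
  apiGroup: rbac.authorization.k8s.io
# Verify as an admin by impersonating the CI user:
#   kubectl auth can-i get    tzcronjobs.cronjobber.hidde.co --as ci-user -n mynamespace
#   kubectl auth can-i patch  tzcronjobs.cronjobber.hidde.co --as ci-user -n mynamespace
#   kubectl auth can-i create tzcronjobs.cronjobber.hidde.co --as ci-user -n mynamespace
#   kubectl auth can-i get    tzcronjobs.cronjobber.hidde.co --as ci-user -n default
# kubectl apply sends a create request for an object that does not exist yet.
# tzcronjob-writer as posted lists update, patch and delete, so the create
# check answers "no" unless that verb is also granted. The last check should
# answer "no" as well, confirming the grant is limited to mynamespace.
```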