Hi, Experts, kindly point out my mistake in defining service account access to resources using clusterroles, which I could not find.

I am using the command below to test if the service account has access to create resources like deployments, and the answer comes back no.

eccd@director-0-pp-eccd-1:~> kubectl auth can-i create deployment -n pp-pcg-1 --as ccid-token

Below are the definitions done.

eccd@director-0-pp-eccd-1:~> kubectl -n pp-pcg-1 describe clusterrole deployment-clusterrole
Name: deployment-clusterrole
Labels: <none>
Annotations: <none>
Resources Non-Resource URLs Resource Names Verbs

daemonsets.apps [] [] [create]
deployments.apps [] [] [create]
statefulsets.apps [] [] [create]

eccd@director-0-pp-eccd-1:~> kubectl -n pp-pcg-1 describe serviceaccounts ccid-token
Name: ccid-token
Namespace: pp-pcg-1
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: ccid-token-token-svgl2
Tokens: ccid-token-token-svgl2
Events: <none>

eccd@director-0-pp-eccd-1:~> kubectl -n pp-pcg-1 describe clusterrolebindings.rbac.authorization.k8s.io my-binding
Name: my-binding
Labels: <none>
Annotations: <none>
Kind: ClusterRole
Name: deployment-clusterrole
Kind Name Namespace

ServiceAccount ccid-token pp-pcg-1

What am I missing here?

I used the 3 commands below to create the above entities. I also tried to create the above entities using YAML files, with the same results.

1- kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,daemonsets,statefulsets

2- kubectl create serviceaccount ccid-token -n pp-pcg-1

3- kubectl create clusterrolebinding myapp-binding --serviceaccount=pp-pcg-1:ccid-token --clusterrole=deployment-clusterrole

I created and tested the 3rd step with both clusterrolebinding and rolebinding.


Hi @Fernando Jordan Silva, will you be able to give some comments? I am really stuck here.

Fernando Jordan Silva:
I think that the problem is the way that you are using the SA. Usually the parameter --as is for a user, but it can also be used with an SA if you include a namespace in the name. In your case you can try:
kubectl auth can-i create deployment -n pp-pcg-1 --as pp-pcg-1:ccid-token
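
Kubernetes RBAC matches a ServiceAccount subject against the username system:serviceaccount:<namespace>:<name>, so the string given to --as decides whether a binding applies at all. The following is an added example, not part of the thread and not Kubernetes code: a simplified Python model of that match, with the role and binding constructed from the describe output above and all function names hypothetical.

```python
# Simplified model of how RBAC matches an (impersonated) username to a binding.
# Added example: objects are constructed from the describe output on this page.

def sa_username(namespace, name):
    """Username the API server assigns to a service account."""
    return f"system:serviceaccount:{namespace}:{name}"

CLUSTER_ROLE = {
    "name": "deployment-clusterrole",
    "rules": [{"apiGroups": ["apps"],
               "resources": ["deployments", "daemonsets", "statefulsets"],
               "verbs": ["create"]}],
}
BINDING = {
    "kind": "ClusterRoleBinding",
    "roleRef": "deployment-clusterrole",
    "subjects": [{"kind": "ServiceAccount", "name": "ccid-token",
                  "namespace": "pp-pcg-1"}],
}

def subject_matches(subject, user):
    if subject["kind"] == "ServiceAccount":
        return user == sa_username(subject["namespace"], subject["name"])
    if subject["kind"] == "User":
        return user == subject["name"]
    return False  # Group subjects are left out of this model

def rule_allows(rule, verb, group, resource):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource))

def can_i(user, verb, group, resource, namespace,
          role=CLUSTER_ROLE, binding=BINDING):
    # A RoleBinding grants only inside its own namespace;
    # a ClusterRoleBinding grants in every namespace.
    if binding["kind"] == "RoleBinding" and binding.get("namespace") != namespace:
        return False
    if binding["roleRef"] != role["name"]:
        return False
    if not any(subject_matches(s, user) for s in binding["subjects"]):
        return False
    return any(rule_allows(r, verb, group, resource) for r in role["rules"])

if __name__ == "__main__":
    for user in ("ccid-token", sa_username("pp-pcg-1", "ccid-token")):
        answer = can_i(user, "create", "apps", "deployments", "pp-pcg-1")
        print(f"--as {user}: {'yes' if answer else 'no'}")
```

The model covers only the subject and rule match for one role and one binding; a real cluster also evaluates group subjects and every other binding that names the same identity.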