Gokboru:
Hi Experts, kindly point out my mistake in defining service account access to resources using clusterroles, which I could not find.
I am using the command below to test if the service account has access to create resources like deployments, and the answer comes back as no.
eccd@director-0-pp-eccd-1:~> kubectl auth can-i create deployment -n pp-pcg-1 --as ccid-token
no
Below are definitions done.
eccd@director-0-pp-eccd-1:~> kubectl -n pp-pcg-1 describe clusterrole deployment-clusterrole
Name: deployment-clusterrole
Labels: <none>
Annotations: <none>
PolicyRule:
  Resources          Non-Resource URLs  Resource Names  Verbs
  daemonsets.apps    []                 []              [create]
  deployments.apps   []                 []              [create]
  statefulsets.apps  []                 []              [create]
eccd@director-0-pp-eccd-1:~> kubectl -n pp-pcg-1 describe serviceaccounts ccid-token
Name: ccid-token
Namespace: pp-pcg-1
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: ccid-token-token-svgl2
Tokens: ccid-token-token-svgl2
Events: <none>
eccd@director-0-pp-eccd-1:~> kubectl -n pp-pcg-1 describe clusterrolebindings.rbac.authorization.k8s.io my-binding
Name: my-binding
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: deployment-clusterrole
Subjects:
  Kind            Name        Namespace
  ServiceAccount  ccid-token  pp-pcg-1
What am I missing here?
I used the 3 commands below to create the above entities. I also tried to create the above entities using YAML files, with the same results.
1- kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,daemonsets,statefulsets
2- kubectl create serviceaccount ccid-token -n pp-pcg-1
3- kubectl create clusterrolebinding myapp-binding --serviceaccount=pp-pcg-1:ccid-token --clusterrole=deployment-clusterrole
I created and tested the 3rd step both with a clusterrolebinding as well as a rolebinding.
Thanks!
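
Added example, not part of the original post: a small Python model of how Kubernetes RBAC matches the identity in a request against the ClusterRole and ClusterRoleBinding described above, comparing the bare name passed to --as with the full service account username. The function names are hypothetical, the objects are transcribed from the describe output in the post, and only the ClusterRoleBinding case is modelled.

```python
# Minimal model of how the Kubernetes RBAC authorizer matches a request
# against the objects shown in the post (added example, not cluster code).

# Rules of deployment-clusterrole, transcribed from `kubectl describe`.
CLUSTER_ROLE_RULES = [
    {"apiGroups": ["apps"],
     "resources": ["daemonsets", "deployments", "statefulsets"],
     "verbs": ["create"]},
]

# Subjects of the ClusterRoleBinding, transcribed from `kubectl describe`.
BINDING_SUBJECTS = [
    {"kind": "ServiceAccount", "name": "ccid-token", "namespace": "pp-pcg-1"},
]

def service_account_username(namespace, name):
    """Username the API server assigns to a service account identity."""
    return f"system:serviceaccount:{namespace}:{name}"

def subject_matches(subject, username, groups=()):
    """True if an RBAC subject refers to the requesting identity."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == username
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        # A ServiceAccount subject only matches the full system: username.
        return username == service_account_username(
            subject["namespace"], subject["name"])
    return False

def rule_allows(rule, verb, api_group, resource):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))

def can_i(username, verb, api_group, resource, groups=()):
    """Answer like `kubectl auth can-i`: 'yes' or 'no'."""
    bound = any(subject_matches(s, username, groups) for s in BINDING_SUBJECTS)
    allowed = any(rule_allows(r, verb, api_group, resource)
                  for r in CLUSTER_ROLE_RULES)
    return "yes" if bound and allowed else "no"

if __name__ == "__main__":
    for who in ("ccid-token", service_account_username("pp-pcg-1", "ccid-token")):
        print(who, "->", can_i(who, "create", "apps", "deployments"))
```

On a real cluster the corresponding check is `kubectl auth can-i create deployment -n pp-pcg-1 --as=system:serviceaccount:pp-pcg-1:ccid-token`.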