I'm having a similar issue, where I have a few namespaces including dev and default. As a "dev user" I can create a bunch of resources in the dev namespace, including a PVC, but creating the PV as the "dev user" in the dev namespace results in the same error as above:
Error from server (Forbidden): error when creating "db-pv.yaml": the server does not allow access to the requested resource (post persistentvolumes)
I can create the PV as the admin user in the default namespace, and then everything is fine.
PVs are cluster-scoped objects. They do not exist in a namespace. To get permission to use the PV API with RBAC you need a ClusterRole bound at the cluster scope with a ClusterRoleBinding.
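The distinction in the reply above, written out as manifests. This is an added example, not part of the original thread; the issue's own rolebinding manifests are not on the page, so the first object is a reconstruction of what the report describes. It assumes the `rbac.authorization.k8s.io/v1` API, and the object names `defaultadmin-ns-admin`, `pv-manager` and `defaultadmin-pv-manager` are hypothetical.

```yaml
# Added example. Names marked "hypothetical" do not come from the issue.

# 1) The situation in the report (reconstructed, assumption): the cluster-admin
#    ClusterRole is bound with a RoleBinding in "default". A RoleBinding applies
#    the role's rules only to namespaced requests in its own namespace.
#    A request for persistentvolumes carries no namespace, so this binding is
#    never matched, even though the role's resources list is "*".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: defaultadmin-ns-admin        # hypothetical
  namespace: default
subjects:
- kind: User
  name: defaultadmin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# 2) A narrow ClusterRole covering only the cluster-scoped PV resource,
#    instead of handing cluster-admin to the user at cluster scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pv-manager                   # hypothetical
rules:
- apiGroups: [""]                    # core API group
  resources: ["persistentvolumes"]
  verbs: ["get", "list", "watch", "create", "delete"]
---
# 3) The ClusterRoleBinding is what makes the rule apply to cluster-scoped requests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: defaultadmin-pv-manager      # hypothetical
subjects:
- kind: User
  name: defaultadmin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pv-manager
  apiGroup: rbac.authorization.k8s.io
```

After applying objects 2 and 3, `kubectl auth can-i create persistentvolumes --as defaultadmin` should answer `yes`. The grant cannot be limited to one namespace because PVs have none, so it gives the user PV access for the whole cluster.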
BUG REPORT
Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1", GitCommit:"82450d03cb057bab0950214ef122b67c83fb11df", GitTreeState:"clean", BuildDate:"2016-12-14T00:57:05Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"5+", GitVersion:"v1.5.1-3+10e41f22e4421c", GitCommit:"10e41f22e4421c9a14e9e6782c6375c199a07a86", GitTreeState:"clean", BuildDate:"2016-12-15T10:06:44Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Environment:
uname -a): 3.10.0-327.36.3.el7.x86_64
What happened: We have enabled RBAC authentication. We have two different rolebindings:
and
So we have two different users: clusteradmin, which has access to everything in the kube cluster, and defaultadmin, which should have access to all resources in the default namespace. Executing PV commands with clusteradmin works fine; when using defaultadmin in the default namespace it gives an error:
kubectl get pv
Error from server (Forbidden): the server does not allow access to the requested resource (get persistentvolumes)
Error from server (Forbidden): error when creating "db-pv.yaml": the server does not allow access to the requested resource (post persistentvolumes)
What you expected to happen: defaultadmin should have access to PV resources in the defined (in my case default) namespace, because the cluster-admin clusterrole says the following:
The important thing here is resources *, but it feels like PV is not part of the wildcard.
How to reproduce it (as minimally and precisely as possible):