Trying to apply an admin-like ClusterRole to my cluster for testing and then tie it to a binding with a ServiceAccount, but whenever I apply my service account to my deployment, it breaks my LoadBalancer URL and I can no longer see my webpage. If I remove the serviceAccountName from my deployment, the URL http://elb.aws.com works; however, if I add my ClusterRole, I get an "ERR_EMPTY_RESPONSE" from the load balancer.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admin-service-account
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
My cluster role binding is as follows:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-cluster-role-binding
subjects:
- kind: ServiceAccount
  name: admin-service-account
  namespace: test
roleRef:
  kind: ClusterRole
  name: admin-cluster-role
  apiGroup: rbac.authorization.k8s.io
My deployment looks like this:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  labels:
    app: test
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      serviceAccountName: admin-service-account
      containers:
      - name: test
        image: somerepo/test
Load Balancer config:
apiVersion: v1
kind: Service
metadata:
  name: test-service
spec:
  type: LoadBalancer
  selector:
    app: test
  ports:
  - port: 8080
    targetPort: 8080
    protocol: TCP
    name: http-test-port
Any ideas?
If the information in the manifests is exact, then:
1- Your ClusterRole name is admin-service-account, but when you create the ClusterRoleBinding it is admin-cluster-role; this is incoherent. Please use the same name in both places!
2- In your deployment manifest file you didn't specify the namespace, so if your default namespace is not test then it won't work. Make sure the service account admin-service-account is created in the same namespace as the deployment.
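The two mismatches the answer points out can be caught offline before applying anything. The following is an added example, not code from the question or the answer: `lint_rbac`, `manifests` and `DEFAULT_NS` are hypothetical names, the manifests are transcribed from the page as constructed Python dicts, and an unspecified namespace is assumed to resolve to `default`. It also reports the wildcard grant once the roleRef resolves, since a pod using the bound ServiceAccount then holds every verb on every resource.

```python
DEFAULT_NS = "default"  # assumption: no namespace set on the kubectl context

def lint_rbac(docs):
    """Return findings for dangling or mismatched RBAC references in docs."""
    findings = []
    roles = {d["metadata"]["name"]: d for d in docs if d["kind"] == "ClusterRole"}
    bound = set()  # (namespace, name) of ServiceAccounts that receive a ClusterRole
    for d in (d for d in docs if d["kind"] == "ClusterRoleBinding"):
        ref = d["roleRef"]["name"]
        if ref not in roles:
            findings.append(f"dangling-roleRef: {d['metadata']['name']} -> {ref}")
        elif any("*" in r["verbs"] and "*" in r["resources"] for r in roles[ref]["rules"]):
            findings.append(f"wildcard-grant: {ref}")
        bound |= {(s.get("namespace", DEFAULT_NS), s["name"])
                  for s in d.get("subjects", []) if s["kind"] == "ServiceAccount"}
    for d in (d for d in docs if d["kind"] == "Deployment"):
        ns = d["metadata"].get("namespace", DEFAULT_NS)
        sa = d["spec"]["template"]["spec"].get("serviceAccountName", "default")
        other = sorted(n for n, name in bound if name == sa and n != ns)
        if other and (ns, sa) not in bound:
            findings.append(f"namespace-mismatch: {d['metadata']['name']} runs in "
                            f"{ns}, but {sa} is bound in {other}")
    return findings

def manifests(role_name, deploy_ns=None):
    """Constructed sample: the page's three RBAC-relevant objects, trimmed."""
    meta = {"name": "test-deployment"}
    if deploy_ns:
        meta["namespace"] = deploy_ns
    return [
        {"kind": "ClusterRole", "metadata": {"name": role_name},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-cluster-role-binding"},
         "subjects": [{"kind": "ServiceAccount", "name": "admin-service-account",
                       "namespace": "test"}],
         "roleRef": {"kind": "ClusterRole", "name": "admin-cluster-role"}},
        {"kind": "Deployment", "metadata": meta,
         "spec": {"template": {"spec": {"serviceAccountName": "admin-service-account"}}}},
    ]

AS_POSTED = lint_rbac(manifests("admin-service-account"))
AS_FIXED = lint_rbac(manifests("admin-cluster-role", deploy_ns="test"))

if __name__ == "__main__":
    print("as posted:", *AS_POSTED, sep="\n  ")
    print("after the answer's two fixes:", *AS_FIXED, sep="\n  ")
```

To run it against real files, load each document with a YAML parser and pass the resulting list of dicts to `lint_rbac`.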