In Cluster Config is unable to get pods when deployed in a non-default namespace


When I deploy my golang service to any namespace but the default namespace, the service is unable to retrieve pods in any namespace. The same service deployed in the default namespace works perfectly, using the golang client-go API.

Is this a security issue?

Thanks.

BEST ANSWER

This issue is a permission issue. Since you are using rest.InClusterConfig(config) to create the client, it is using the pod's service account as its credentials. So check whether that service account has the permission to get pods in any namespace.

If the service account in the pod is not defined, then it will use the default service account.

If RBAC is enabled in your cluster, then check the role bindings in that namespace to find out whether your service account has the permission.

# to see the list of role bindings in 'default' namespace
kubectl get rolebindings --namespace default

To see a specific role binding:

kubectl get rolebindings ROLE-BINDING-NAME --namespace default -o yaml

Also, you can create a role and a role binding to give the permission. To learn about RBAC roles and role bindings, see here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

ANSWER

Following is what I used on a minikube cluster to give the default service account access to CRUD ops on common resources. The obvious caveat is that you'd need to be careful on a real cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: crud-role
  namespace: default
rules:
- apiGroups: ["", "apps", "batch"]
  resources: [ "deployments", "jobs", "pods", "replicasets", "services" ]
  verbs: [ "create", "get", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: crud-role-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crud-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default

ANSWER

I was getting a similar error, but from a pod using the golang client in the default namespace:

pods is forbidden: User "system:serviceaccount:default:default" cannot list resource "pods" in API group "" at the cluster scope

Golang code snippet:

import "k8s.io/client-go/rest"

func loadConfig(configMode string) (*rest.Config, error) {
    if configMode == "IN_CLUSTER" {
        // creates the in-cluster config: the API server address comes from the
        // pod's environment and the pod's service account token is the credential
        config, err := rest.InClusterConfig()
        if err != nil {
            panic(err.Error())
        }
        return config, err
    }
    // other config modes are not shown in this snippet
    return nil, rest.ErrNotInCluster
}

I used the solution provided by @Gazi but with a ClusterRole, which will let you access resources cluster-wide. It was modified for get and list only:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # ClusterRole is cluster-scoped, so it carries no namespace
  name: query-role
rules:
- apiGroups: ["", "apps", "batch"]
  resources: [ "deployments", "jobs", "pods", "replicasets", "services" ]
  verbs: [ "get", "list" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped as well; only the subject is namespaced
  name: query-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: query-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default

The following links are useful:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
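The accepted answer says to check whether the pod's service account is bound to the right permissions, and the last answer switches from a Role to a ClusterRole to get cluster-wide access. The following is an added example, not code from the question or any of the answers: a small stdlib-only Go model of how the API server scopes RBAC bindings, plus a parser for the forbidden message quoted above. It shows why a RoleBinding in "default" only covers pods in "default" and only the subject it names (a pod in another namespace runs as a different service account, `system:serviceaccount:<ns>:default`), while a ClusterRoleBinding also covers the cluster scope that an all-namespaces list hits. The "monitoring" namespace and the `Rule`/`Binding`/`Request` types are constructed for the example.

```go
// Added example: a minimal model of Kubernetes RBAC binding scope.
// Not client-go and not the API server's evaluator; it only reproduces the
// namespace/cluster scoping rules relevant to the question.
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors one entry of a Role or ClusterRole "rules:" list.
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Binding models a RoleBinding or ClusterRoleBinding for one subject.
// ClusterWide is true only for a ClusterRoleBinding; a RoleBinding (even one
// that references a ClusterRole) is confined to its own Namespace.
type Binding struct {
	Rules       []Rule
	Subject     string // "system:serviceaccount:<ns>:<name>"
	Namespace   string // namespace of a RoleBinding; unused when ClusterWide
	ClusterWide bool
}

// Request is one access check. An empty Namespace means the cluster scope,
// which is what listing pods across all namespaces requires.
type Request struct {
	Subject, Verb, APIGroup, Resource, Namespace string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s || v == "*" {
			return true
		}
	}
	return false
}

// Allowed applies the scoping the API server applies: the binding must name the
// subject, cover the request's namespace (or be cluster-wide), and hold a rule
// matching group, resource and verb. A cluster-scope request (Namespace == "")
// can only be satisfied by a ClusterRoleBinding.
func Allowed(bindings []Binding, r Request) bool {
	for _, b := range bindings {
		if b.Subject != r.Subject {
			continue
		}
		if !b.ClusterWide && (r.Namespace == "" || b.Namespace != r.Namespace) {
			continue
		}
		for _, rule := range b.Rules {
			if contains(rule.APIGroups, r.APIGroup) && contains(rule.Resources, r.Resource) && contains(rule.Verbs, r.Verb) {
				return true
			}
		}
	}
	return false
}

// forbiddenRe matches the Forbidden message format quoted in the last answer,
// in both its "at the cluster scope" and "in the namespace" variants.
var forbiddenRe = regexp.MustCompile(`User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)" (at the cluster scope|in the namespace "([^"]+)")`)

// ParseForbidden turns a Forbidden error message into the Request that was denied,
// so the missing permission can be reported precisely instead of guessed.
func ParseForbidden(msg string) (Request, error) {
	m := forbiddenRe.FindStringSubmatch(msg)
	if m == nil {
		return Request{}, fmt.Errorf("not a forbidden message: %q", msg)
	}
	return Request{Subject: m[1], Verb: m[2], Resource: m[3], APIGroup: m[4], Namespace: m[6]}, nil
}

// ServiceAccountSubject builds the username the API server assigns to a pod's service account.
func ServiceAccountSubject(namespace, name string) string {
	return strings.Join([]string{"system:serviceaccount", namespace, name}, ":")
}

func main() {
	readPods := []Rule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list"}}}
	sa := ServiceAccountSubject("default", "default")
	roleBinding := Binding{Rules: readPods, Subject: sa, Namespace: "default"} // like the Role/RoleBinding answer
	clusterRoleBinding := Binding{Rules: readPods, Subject: sa, ClusterWide: true} // like the ClusterRole answer

	// The exact message from the last answer: a list at the cluster scope.
	req, _ := ParseForbidden(`pods is forbidden: User "system:serviceaccount:default:default" cannot list resource "pods" in API group "" at the cluster scope`)
	fmt.Println("RoleBinding grants cluster-wide list:       ", Allowed([]Binding{roleBinding}, req))
	fmt.Println("ClusterRoleBinding grants cluster-wide list:", Allowed([]Binding{clusterRoleBinding}, req))

	// The question's situation: the same service deployed in another namespace
	// runs as that namespace's default service account, which nothing binds.
	other := Request{Subject: ServiceAccountSubject("monitoring", "default"), Verb: "list", Resource: "pods", Namespace: "monitoring"}
	fmt.Println("pod in monitoring may list pods:            ", Allowed([]Binding{roleBinding, clusterRoleBinding}, other))
}
```

To apply the same check against a live cluster, the equivalent question for the API server is `kubectl auth can-i list pods --as=system:serviceaccount:<ns>:default -n <ns>` (and `--all-namespaces` for the cluster scope); the model above is only there to make the scoping rules visible without a cluster.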