User cannot get resource "services" in API group - Jenkins pipeline EKS deployment


I'm trying to deploy my Docker image into the cluster using Jenkins. My Jenkins application is running on an EC2 Ubuntu server. Initially, when I tried, I was getting this error.


I referred to this stack and added the Jenkins user's IAM ARN to the Kube config file using

kubectl edit configmap aws-auth -n kube-system

After updating the config file, when I run my pipeline, I get this new error.

My question is,

  1. This Jenkins User is an admin user, then why am I getting this access control error?

Please help me with this.


There are 3 best solutions below

0
On BEST ANSWER

As mentioned in the comment

The service account jenkins doesn't have privileges to list pods in kube-system. You would have to create a ClusterRoleBinding and ClusterRole to make it work.

You can do that with kubectl create, as in @Gowtham Babu's answer above.

There is an example from the Medium tutorial below:

Also, when RBAC is set to true, the following has to be done in order to allow the jenkins pod access to the “kube-system” namespace of the Kubernetes cluster.

Create a clusterrolebinding with permissions “cluster-admin”,

kubectl create clusterrolebinding jenkinsrolebinding --clusterrole=cluster-admin --group=system:serviceaccounts:jenkins


0
On

Thanks, @jakub. I was able to solve the error by creating a cluster binding role.

kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
0
On

I got a similar issue:

$ kubectl logs demo
panic: certificatesigningrequests.certificates.k8s.io "csr-xx9l9" is forbidden: User "system:serviceaccount:default:default" cannot get resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope

To resolve it, I did this after looking at the answer from Gowtham Babu posted prior to this post:

$ kubectl create clusterrolebinding cesar3 \
  --clusterrole=cluster-admin \
  --user=system:serviceaccount:default:default \
  --group=certificates.k8s.io
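
A narrower alternative to the cluster-admin bindings in the answers above, as an added example that is not part of any answer: a namespaced Role and RoleBinding for the pipeline's service account, plus a check of the result with kubectl auth can-i. The service account jenkins in namespace jenkins, the target namespace apps, the role name jenkins-deployer and the resource list are assumptions.

```shell
# Added example, not from the answers. Assumed names: service account "jenkins"
# in namespace "jenkins", deploying into namespace "apps". Role name is arbitrary.

# render_rbac SA_NAMESPACE SA_NAME TARGET_NAMESPACE
# Prints a namespaced Role and RoleBinding limited to what a deploy job touches.
render_rbac() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-deployer
  namespace: $3
rules:
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-deployer
  namespace: $3
subjects:
- kind: ServiceAccount
  name: $2
  namespace: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-deployer
EOF
}

# verify_rbac SA_NAMESPACE SA_NAME TARGET_NAMESPACE
# Impersonates the account (the caller needs impersonation rights) and succeeds
# only if it can get services in the target namespace but not secrets in kube-system.
verify_rbac() {
  kubectl auth can-i get services --as="system:serviceaccount:$1:$2" -n "$3" &&
    ! kubectl auth can-i get secrets --as="system:serviceaccount:$1:$2" -n kube-system
}

# Touches the cluster only when invoked as: sh rbac.sh apply
if [ "${1:-}" = "apply" ]; then
  render_rbac jenkins jenkins apps | kubectl apply -f - &&
    verify_rbac jenkins jenkins apps
fi
```

If the pipeline authenticates as an IAM identity mapped through aws-auth rather than as a service account, the RoleBinding subject is kind: User (or Group) with the mapped name instead.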