
Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:default:default" cannot get services in the namespace "mycomp-services-process"

For the above issue I created the "mycomp-service-process" namespace and checked again.

But it again shows a message like this:

Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:mycomp-services-process:default" cannot get services in the namespace "mycomp-services-process"

– Murali (question edited by whites11)

3 Answers


Creating a namespace won't, of course, solve the issue, as that is not the problem at all.

In the first error the issue is that the serviceaccount default in the default namespace cannot get services, because it does not have access to list/get services. So what you need to do is assign a role to that user using a clusterrolebinding.

Following the principle of minimum privileges, you can first create a role which has access to list services:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-reader   # ClusterRoles are cluster-scoped, so no metadata.namespace
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services"]
  verbs: ["get", "watch", "list"]

What the above snippet does is create a clusterrole which can list, get and watch services. (You will have to create a yaml file and apply the above spec.)

Now we can use this clusterrole to create a clusterrolebinding:

kubectl create clusterrolebinding service-reader-pod \
  --clusterrole=service-reader  \
  --serviceaccount=default:default

In the above command, service-reader-pod is the name of the clusterrolebinding, and it assigns the service-reader clusterrole to the default serviceaccount in the default namespace. Similar steps can be followed for the second error you are facing.

In this case I created a clusterrole and clusterrolebinding, but you might want to create a role and rolebinding instead. You can check the documentation in detail here.

– Vishal Biyani (edited by Jordan Liggitt)

  • Thank you for your answer. I am able to proceed after applying the above solutions. – Murali Jan 01 '18 at 09:10
  • I think the namespace should be removed from the ClusterRole. According to the docs ClusterRoles are not namespaced: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole – Niel de Wet Jun 08 '18 at 09:37
  • This solved it for me: https://kubecloud.io/kubernetes-dashboard-on-arm-with-rbac-61309310a640 – Subha Chandra May 14 '20 at 15:05

This is only for non-prod clusters.

You should bind the service account system:serviceaccount:default:default (which is the default account bound to Pods) to the role cluster-admin. Just create a yaml (named e.g. fabric8-rbac.yaml) with the following contents:

# NOTE: The service account `default:default` already exists in k8s cluster.
# You can create a new account following like this:
#---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
#  name: <new-account-name>
#  namespace: <namespace>

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fabric8-rbac
subjects:
  - kind: ServiceAccount
    # Reference to upper's `metadata.name`
    name: default
    # Reference to upper's `metadata.namespace`
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Then, apply it by running kubectl apply -f fabric8-rbac.yaml.

If you want to unbind them, just run kubectl delete -f fabric8-rbac.yaml.

– Yash Jagdale

  • While you're not going to get "access denied" error messages after doing this, I would **strongly** suggest not assigning the `cluster-admin` role to all pods in your Kubernetes cluster. If someone manages, for whatever reason, to find a security issue in one of your applications that gives them local command execution, you've just handed them an admin account for your entire cluster. – Tobias Gies Apr 17 '19 at 12:23
  • There is a deprecation warning on apiVersion `rbac.authorization.k8s.io/v1beta1`; use `rbac.authorization.k8s.io/v1` instead and the warning will go away. – user3640709 Jan 25 '21 at 05:34
  • The cluster-admin role must not be assigned to all pods in the Kubernetes cluster. This generates a high-level vulnerability for your organization. This answer should not be flagged as helpful... – Daniel Hornik Jun 30 '21 at 10:33
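What the API server is deciding in the question, and what the bindings in the first and second answers actually grant, as an added example. This is not code from the question or from either answer, and it is not a Kubernetes client: it is an offline model of the documented RBAC semantics (a ClusterRoleBinding grants its ClusterRole everywhere, a RoleBinding grants a Role or ClusterRole only in its own namespace, a rule matches on apiGroup, resource and verb with "*" as a wildcard) applied to the manifests shown on this page. The Role/RoleBinding variant the first answer mentions is built here with names I chose, cluster-admin is reduced to its resource rules, and user/group subjects are left out.

```python
"""Offline model of the RBAC decision behind the question's Forbidden error.

Added example, not code from the question or either answer. Assumptions:
cluster-admin is reduced to its resource rules (nonResourceURLs dropped),
only ServiceAccount subjects are modelled, Role/RoleBinding names are mine.
"""


def service_account(namespace, name):
    """Subject name as the API server prints it in the Forbidden message."""
    return f"system:serviceaccount:{namespace}:{name}"


def rule_allows(rule, group, resource, verb):
    """A PolicyRule matches when apiGroup, resource and verb are each listed or '*'."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def effective_bindings(objects):
    """Resolve each (Cluster)RoleBinding to (subject, binding namespace or None, rules)."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o["rules"]
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    resolved = []
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        binding_ns = o["metadata"].get("namespace") if o["kind"] == "RoleBinding" else None
        ref = o["roleRef"]
        # A RoleBinding may reference a Role in its own namespace or any ClusterRole;
        # a ClusterRoleBinding can only reference a ClusterRole.
        key = (ref["kind"], binding_ns if ref["kind"] == "Role" else None, ref["name"])
        if key not in roles:
            continue  # dangling roleRef grants nothing
        for s in o["subjects"]:
            if s["kind"] == "ServiceAccount":
                subject = service_account(s.get("namespace", binding_ns), s["name"])
                resolved.append((subject, binding_ns, roles[key]))
    return resolved


def can_i(objects, subject, verb, resource, namespace, group=""):
    """Same question as `kubectl auth can-i <verb> <resource> -n <ns> --as=<subject>`."""
    for bound_subject, binding_ns, rules in effective_bindings(objects):
        if bound_subject != subject:
            continue
        if binding_ns is not None and binding_ns != namespace:
            continue  # a RoleBinding only counts inside its own namespace
        if any(rule_allows(r, group, resource, verb) for r in rules):
            return True
    return False


def forbidden_message(subject, verb, resource, namespace):
    """The message shape quoted in the question."""
    return f'User "{subject}" cannot {verb} {resource} in the namespace "{namespace}"'


NS = "mycomp-services-process"
SA_DEFAULT = {"kind": "ServiceAccount", "name": "default", "namespace": "default"}
# ClusterRole from the first answer (metadata.namespace dropped: ClusterRoles are cluster-scoped).
SERVICE_READER = {"kind": "ClusterRole", "metadata": {"name": "service-reader"},
                  "rules": [{"apiGroups": [""], "resources": ["services"],
                             "verbs": ["get", "watch", "list"]}]}
CLUSTER_ADMIN = {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
# First answer: kubectl create clusterrolebinding service-reader-pod --clusterrole=service-reader
ANSWER1 = [SERVICE_READER,
           {"kind": "ClusterRoleBinding", "metadata": {"name": "service-reader-pod"},
            "subjects": [SA_DEFAULT], "roleRef": {"kind": "ClusterRole", "name": "service-reader"}}]
# The Role + RoleBinding alternative the first answer mentions, for the second error's subject.
LEAST_PRIVILEGE = [
    {"kind": "Role", "metadata": {"name": "service-reader", "namespace": NS},
     "rules": SERVICE_READER["rules"]},
    {"kind": "RoleBinding", "metadata": {"name": "service-reader", "namespace": NS},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": NS}],
     "roleRef": {"kind": "Role", "name": "service-reader"}},
]
# Second answer: fabric8-rbac.yaml binds default:default to cluster-admin.
ANSWER2 = [CLUSTER_ADMIN,
           {"kind": "ClusterRoleBinding", "metadata": {"name": "fabric8-rbac"},
            "subjects": [SA_DEFAULT], "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}]


if __name__ == "__main__":
    me = service_account("default", "default")
    for label, objs in (("no binding", []), ("answer 1", ANSWER1), ("answer 2", ANSWER2)):
        print(f"{label:10} get services in {NS}: {can_i(objs, me, 'get', 'services', NS)}; "
              f"delete secrets in kube-system: {can_i(objs, me, 'delete', 'secrets', 'kube-system')}")
    print(forbidden_message(me, "get", "services", NS))
```

Running it shows the three states side by side: with no binding both errors from the question reproduce (creating the namespace changes the subject name, not the decision); the first answer's ClusterRoleBinding fixes the error but also lets default:default list services in every namespace, while the namespaced Role/RoleBinding does not; and the second answer's cluster-admin binding answers yes to everything, including deleting secrets in kube-system, which is the blast radius the comments above warn about. Against a real cluster the equivalent check is `kubectl auth can-i get services -n mycomp-services-process --as=system:serviceaccount:default:default`.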

Just to add.

This can also occur when you are redeploying an existing application to the wrong one of two similar Kubernetes clusters.

Ensure you check to be sure that the Kubernetes cluster you're deploying to is the correct cluster.

– Promise Preston