openanalytics / containerproxy

Manage HTTP proxy routes into Docker containers
Apache License 2.0

Shinyproxy Kubernetes serviceaccount roles for accessing/creating persistentvolumeclaim in application containers #42

Closed cnukwas closed 4 years ago

cnukwas commented 4 years ago

Hi,

We are testing the Shiny-proxy Kubernetes environment and I have given minimal permissions to a custom serviceaccount used by the main container to spin up app containers. Trying to see if the application container is able to create a PVC for a configured PV, to be able to store user-specific information in an NFS share. Getting the below error and I believe that's because the serviceaccount does not have the necessary permissions/roles to create the PVC. What roles need to be granted to the sa in order to fix this issue?

Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: http://localhost:8001/api/v1/namespaces/sp/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "sp-pod-fsfsfsff-4777-8ea4-b78fb3c0f5ec" is forbidden: user "system:serviceaccount:spsa:spsa" is not an admin and does not have permissions to use host bind mounts for resource . at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:503) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:440) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:406) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:365) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:234) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:735) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:325) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:321) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.lambda$createNew$0(BaseOperation.java:336) at io.fabric8.kubernetes.api.model.DoneablePod.done(DoneablePod.java:26) at eu.openanalytics.containerproxy.backend.kubernetes.KubernetesBackend.startContainer(KubernetesBackend.java:223) at eu.openanalytics.containerproxy.backend.AbstractContainerBackend.doStartProxy(AbstractContainerBackend.java:129) at eu.openanalytics.containerproxy.backend.AbstractContainerBackend.startProxy(AbstractContainerBackend.java:110)

cnukwas commented 4 years ago

Noticed that the serviceaccount requires the cluster-admin role in order to create a PVC. It's fixed after adding the cluster-admin role and a cluster role binding.
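For comparison with the cluster-admin binding above, the following is an added example (not part of the issue or of the containerproxy project) of a namespaced Role and RoleBinding that grant only the API verbs needed to manage app pods and their PersistentVolumeClaims. It assumes the app pods live in namespace `sp` (taken from the POST URL in the error), that the service account is `spsa` in namespace `spsa` (taken from the username in the error), and that the verb list is an assumed set rather than documented project requirements.

```yaml
# Added example, not project code: least-privilege alternative to cluster-admin.
# Assumptions: pods are created in namespace "sp" (from the POST URL in the
# error), the service account is "spsa" in namespace "spsa" (from the username
# in the error), and the verbs below are an assumed set, not project docs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: shinyproxy-app-manager
  namespace: sp
rules:
  # Lifecycle of the per-user app pods that the proxy starts and stops.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Read-only access to container logs for troubleshooting.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # Services fronting the app pods (if the backend creates them).
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "get", "list", "delete"]
  # The PVC creation that the issue is about, scoped to this namespace only.
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["create", "get", "list", "delete"]
---
# Bind the Role in namespace "sp" to the service account living in "spsa".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shinyproxy-app-manager
  namespace: sp
subjects:
  - kind: ServiceAccount
    name: spsa
    namespace: spsa
roleRef:
  kind: Role
  name: shinyproxy-app-manager
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i create persistentvolumeclaims -n sp --as=system:serviceaccount:spsa:spsa` confirms the grant without touching cluster-wide permissions. Note that the "permissions to use host bind mounts" wording in the error points to an admission-level policy on volume types, which RBAC verbs do not control, so this manifest addresses only the API authorization side.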