nsinjector

Cannot create resource "roles" in API group "rbac.authorization.k8s.io"

Open icicimov opened this issue 2 years ago • 2 comments

Seems some rbac permissions are missing:

```
level=error msg="Key 'injector1' processing failed: roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:nsinjector-controller:nsinjector-controller\" cannot create resource \"roles\" in API group \"rbac.authorization.k8s.io\" in the namespace \"my-test-ns\""
```

icicimov, Oct 28 '22 06:10

Looks like I have the same. The nsinjector-controller service account doesn't have the right roles/clusterrole to create resources.

rahul-chr, Mar 17 '23 13:03

I had a similar problem - I'm guessing you're using the clusterInternal permission scheme instead of specifying a kube config file?

I had to add this to the clusterrole.yaml file in the helm chart template:

```yaml
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
```

Then it started working. (Although I guess you'd need to change the resources line to include "roles" as well.)

The default [""] bit for the apiGroups also failed: I think you have to specify the rbac one explicitly.

AKS/K8S v1.25

dvpierce, Jun 12 '23 17:06
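
Added example, not part of the thread or of the nsinjector project's code: a simplified model of how Kubernetes RBAC matches a request against ClusterRole rules, run against the request from the error message above. The three rule sets are constructed for illustration (the core-group one is an assumption about what a `[""]` rule would look like, the other two follow the last comment), and the matcher ignores `resourceNames`, subresources and non-resource URLs.

```python
# Simplified model of RBAC PolicyRule matching ("*" is the wildcard).
# Illustration only; the real authorizer also handles resourceNames,
# subresources and nonResourceURLs.

RBAC_GROUP = "rbac.authorization.k8s.io"
VERBS = ["list", "get", "watch", "create", "update", "patch", "delete"]

# Request from the error message in the issue: create "roles" in the RBAC group.
REQUEST = (RBAC_GROUP, "roles", "create")

# Constructed rule sets (assumptions, not the chart's actual contents):
# 1. rule written against the core API group "".
CORE_GROUP_RULES = [
    {"apiGroups": [""], "resources": ["roles", "rolebindings"], "verbs": VERBS},
]
# 2. rule exactly as posted in the comment: rolebindings only.
POSTED_RULES = [
    {"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"], "verbs": VERBS},
]
# 3. posted rule with "roles" added, as the comment suggests.
EXTENDED_RULES = [
    {"apiGroups": [RBAC_GROUP], "resources": ["roles", "rolebindings"], "verbs": VERBS},
]


def rule_allows(rule, api_group, resource, verb):
    """True if a single rule covers the (group, resource, verb) triple."""
    def covers(values, wanted):
        return "*" in values or wanted in values
    return (covers(rule.get("apiGroups", []), api_group)
            and covers(rule.get("resources", []), resource)
            and covers(rule.get("verbs", []), verb))


def allowed(rules, api_group, resource, verb):
    """RBAC is additive: the request passes if any rule matches it."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def report():
    """Evaluate the issue's request against each constructed rule set."""
    sets = {"core group": CORE_GROUP_RULES, "as posted": POSTED_RULES,
            "with roles": EXTENDED_RULES}
    return {name: allowed(rules, *REQUEST) for name, rules in sets.items()}


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:12} create roles -> {'allowed' if ok else 'forbidden'}")
```

On a live cluster the same question can be asked with `kubectl auth can-i create roles.rbac.authorization.k8s.io -n my-test-ns --as=system:serviceaccount:nsinjector-controller:nsinjector-controller`. Note that even with `create` on `roles`, the API server refuses to create a Role containing permissions the service account does not itself hold unless it also has the `escalate` verb, so a remaining "forbidden" after this change can come from that check.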