kubernetic
Cannot watch some resources while kubectl auth says yes
Hi, I'm using kubernetic 2.0.16 and connecting to a new cluster created with KOPS on AWS. I have an error message on some resources (deployments, nodes, volumes, etc.):
Cannot watch Nodes at namespace default
but if I try :
kubectl auth can-i watch -n default nodes
The response is yes...
The cluster is configured to use RBAC and I'm using certificate creds to connect to it.
This seems to be the same issue with #62
I'm trying to replicate the issue, do you know what are the privileges that the user you're using to connect to has?
If you have a RoleBinding or ClusterRoleBinding to a specific Role or ClusterRole you can review the privileges with the following cmd:
$ kubectl describe role blue-team -n blue
Name: blue-team
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
deployments [] [] [get list watch create update patch delete]
pods [] [] [get list watch create update patch delete]
replicasets [] [] [get list watch create update patch delete]
deployments.apps [] [] [get list watch create update patch delete]
pods.apps [] [] [get list watch create update patch delete]
replicasets.apps [] [] [get list watch create update patch delete]
deployments.extensions [] [] [get list watch create update patch delete]
pods.extensions [] [] [get list watch create update patch delete]
replicasets.extensions [] [] [get list watch create update patch delete]
Note that if the current user doesn't have privileges to review the Roles, only a higher-level user can review them.
Ok, here is the mapping I have for my Role "edit":
Name: edit
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
bindings [] [] [get list watch]
configmaps [] [] [create delete deletecollection get list patch update watch]
endpoints [] [] [create delete deletecollection get list patch update watch]
events [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces [] [] [get list watch]
namespaces/status [] [] [get list watch]
persistentvolumeclaims [] [] [create delete deletecollection get list patch update watch]
pods [] [] [create delete deletecollection get list patch update watch]
pods/attach [] [] [create delete deletecollection get list patch update watch]
pods/exec [] [] [create delete deletecollection get list patch update watch]
pods/log [] [] [get list watch]
pods/portforward [] [] [create delete deletecollection get list patch update watch]
pods/proxy [] [] [create delete deletecollection get list patch update watch]
pods/status [] [] [get list watch]
replicationcontrollers [] [] [create delete deletecollection get list patch update watch]
replicationcontrollers/scale [] [] [create delete deletecollection get list patch update watch]
replicationcontrollers/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
secrets [] [] [create delete deletecollection get list patch update watch]
serviceaccounts [] [] [create delete deletecollection get list patch update watch impersonate]
services [] [] [create delete deletecollection get list patch update watch]
services/proxy [] [] [create delete deletecollection get list patch update watch]
daemonsets.apps [] [] [create delete deletecollection get list patch update watch]
deployments.apps [] [] [create delete deletecollection get list patch update watch]
deployments.apps/rollback [] [] [create delete deletecollection get list patch update watch]
deployments.apps/scale [] [] [create delete deletecollection get list patch update watch]
replicasets.apps [] [] [create delete deletecollection get list patch update watch]
replicasets.apps/scale [] [] [create delete deletecollection get list patch update watch]
statefulsets.apps [] [] [create delete deletecollection get list patch update watch]
horizontalpodautoscalers.autoscaling [] [] [create delete deletecollection get list patch update watch]
cronjobs.batch [] [] [create delete deletecollection get list patch update watch]
jobs.batch [] [] [create delete deletecollection get list patch update watch]
daemonsets.extensions [] [] [create delete deletecollection get list patch update watch]
deployments.extensions [] [] [create delete deletecollection get list patch update watch]
deployments.extensions/rollback [] [] [create delete deletecollection get list patch update watch]
deployments.extensions/scale [] [] [create delete deletecollection get list patch update watch]
ingresses.extensions [] [] [create delete deletecollection get list patch update watch]
replicasets.extensions [] [] [create delete deletecollection get list patch update watch]
replicasets.extensions/scale [] [] [create delete deletecollection get list patch update watch]
replicationcontrollers.extensions/scale [] [] [create delete deletecollection get list patch update watch]
poddisruptionbudgets.policy [] [] [create delete deletecollection get list patch update watch]
hope it helps
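As an added example (not code from kubernetic or from anyone in this thread), the helper below parses the PolicyRule table that `kubectl describe role` prints, in the format shown in the two outputs above, and answers whether a given verb on a given resource/group is granted by that Role; the embedded excerpt is constructed from the posted "edit" role, which contains no rule for nodes at all. It only reasons about a single Role's rules, so it explains what a Role does or does not grant; the authoritative answer across all bindings is still `kubectl auth can-i`.

```python
"""Parse `kubectl describe role` output and check a verb against its rules.

Added example; assumes the column layout shown in the thread:
<resource>[.<group>][/<subresource>] [non-resource urls] [resource names] [verbs]
"""
import re

# Constructed excerpt of the "edit" Role output posted above (subset of rows).
EDIT_ROLE_DESCRIBE = """\
Name: edit
Labels: kubernetes.io/bootstrapping=rbac-defaults
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [create delete deletecollection get list patch update watch]
pods/log [] [] [get list watch]
namespaces [] [] [get list watch]
deployments.apps [] [] [create delete deletecollection get list patch update watch]
deployments.apps/scale [] [] [create delete deletecollection get list patch update watch]
"""

# One table row: resource column followed by three bracketed lists.
RULE_RE = re.compile(r"^(\S+)\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s*$")


def parse_policy_rules(text):
    """Return a list of (resource, api_group, verbs) from describe output."""
    rules, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---------"):   # dashed underline ends the header
            in_table = True
            continue
        m = RULE_RE.match(line.strip()) if in_table else None
        if not m:
            continue
        resource, _urls, _names, verbs = m.groups()
        # kubectl prints "deployments.apps/scale": split off the subresource
        # first, then the API group (core group prints with no suffix).
        base, _, sub = resource.partition("/")
        name, _, group = base.partition(".")
        full = name + ("/" + sub if sub else "")
        rules.append((full, group, set(verbs.split())))
    return rules


def role_allows(rules, verb, resource, group=""):
    """True if any parsed rule grants verb on resource; honours RBAC '*' wildcards."""
    return any(
        (r == resource or r == "*")
        and (g == group or g == "*")
        and (verb in v or "*" in v)
        for r, g, v in rules
    )
```

For the posted role, `role_allows(rules, "watch", "nodes")` is False while the same check for `pods` is True, which is the discrepancy the reporter saw; any `yes` from `kubectl auth can-i` for nodes must therefore come from a different binding.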