
Kubernetes error: Service account ‘default’ is forbidden

Last updated: January 31, 2024

Understanding the Service Account Error

The “Service account ‘default’ is forbidden” error appears when a pod (or kubectl using a service account token) calls the Kubernetes API and RBAC denies the request. The full message names the account, the verb and the resource, for example: pods is forbidden: User "system:serviceaccount:default:default" cannot list resource "pods" in API group "" in the namespace "default". RBAC is deny by default. The ‘default’ service account that every namespace gets, and that every pod uses unless its spec sets serviceAccountName, has no Role or RoleBinding granting it anything beyond API discovery. So the cause is almost always a missing RoleBinding for that account, or a bound Role whose rules do not cover the verb and resource the pod needs.

Solution 1: Check Service Account Permissions

A common cause of this issue is missing or misconfigured permissions. Confirm what the service account can do before changing anything, then grant only the verbs the workload actually needs.

1. List the Roles and RoleBindings in the namespace; -o wide shows which users, groups and service accounts each binding applies to, so you can see whether any of them names the ‘default’ account:

kubectl get rolebindings,roles --namespace=YOUR_NAMESPACE -o wide

(kubectl auth can-i, run with --as=system:serviceaccount:YOUR_NAMESPACE:default and the verb and resource from the error, answers the question directly and goes through the same authorization the pod’s request does.)

2. If no RoleBinding names the ‘default’ service account, or the bound Role lacks the verb, create them (two separate commands):

kubectl create role NAME --verb=get,list,watch,create,update --resource=pods
kubectl create rolebinding NAME --role=ROLE_NAME --serviceaccount=YOUR_NAMESPACE:default

Example:

kubectl create role pod-reader --verb=get,list,watch --resource=pods
kubectl create rolebinding default-pod-reader --role=pod-reader --serviceaccount=YOUR_NAMESPACE:default

Notes:

  • Pros: Straightforward, and the account gets exactly the verbs listed in the Role, nothing more.
  • Cons: Every pod in the namespace that does not set serviceAccountName runs as ‘default’, so whatever you grant here is granted to all of them. Keep the verb list to what the failing workload needs, and prefer a dedicated service account (Solution 2) for anything beyond read access.

Solution 2: Reconfigure Service Account

If the ‘default’ service account itself is misconfigured or you wish to use a different service account with the correct permissions:

  1. Create a new service account in the pod’s namespace (kubectl create serviceaccount custom-account --namespace=YOUR_NAMESPACE), or identify an existing one that you want to use in place of ‘default’.
  2. Update the pod specification to use the new service account name by adding the serviceAccountName field under spec (the account must exist in the same namespace, or the pod is rejected at creation):

Example:

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
  - name: example-container
    image: example-image
  serviceAccountName: custom-account

Result: The pod now authenticates as custom-account and gets whatever that account’s RoleBindings grant. A freshly created account starts with no permissions, so bind it as in Solution 1 with --serviceaccount=YOUR_NAMESPACE:custom-account. serviceAccountName cannot be changed on a running pod: recreate the pod, or update the pod template in the Deployment, for the change to take effect.

Notes:

  • Pros: Flexibility to use different service accounts as per requirements.
  • Cons: Requires additional configuration and maintenance.

Solution 3: Use ClusterRole and ClusterRoleBinding

For service accounts that need cluster-wide permissions across different namespaces:

  1. Check which cluster-scoped bindings name the account. A RoleBinding only ever applies inside its own namespace, so cluster-wide access has to come from a ClusterRoleBinding (kubectl get clusterrolebindings -o wide shows the bound service accounts).
  2. To create a ClusterRole with the necessary permissions and bind it cluster-wide, you can use:

Example:

kubectl create clusterrole global-pod-reader --verb=get,list,watch --resource=pods
kubectl create clusterrolebinding default-pod-reader --clusterrole=global-pod-reader --serviceaccount=default:default

Expected result: ClusterRole and ClusterRoleBinding should be applied successfully. The subject is written namespace:name, so this grants the ‘default’ service account of the default namespace read access to pods in every namespace, including cluster-scoped listing (the equivalent of kubectl get pods --all-namespaces).

Notes:

  • Pros: Provides the required permissions across the entire cluster with a single binding.
  • Cons: A ClusterRoleBinding applies everywhere, which is broader than most workloads need. If the account only needs the access in one namespace, reference the ClusterRole from a RoleBinding in that namespace instead (kubectl create rolebinding accepts --clusterrole as well as --role): the rules are the same, but they apply only there.
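To make the rule behind the error concrete, here is an added example (not code from this article or from Kubernetes itself) that models the RBAC decision the API server makes for the objects created in Solutions 1 and 3. It assumes YOUR_NAMESPACE is "app" and simplifies the real authorizer: it ignores group subjects such as system:serviceaccounts, aggregated ClusterRoles, resourceNames, subresources and non-resource URLs. The last scenario, a ClusterRole granted through a namespaced RoleBinding, is the least-privilege middle ground between Solution 1 and Solution 3.

```python
"""Model of the RBAC decision behind "is forbidden" errors (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    verbs: Tuple[str, ...]
    api_groups: Tuple[str, ...]      # "" is the core group (pods, secrets, ...)
    resources: Tuple[str, ...]

    def allows(self, verb: str, api_group: str, resource: str) -> bool:
        def match(have, want):
            return "*" in have or want in have
        return (match(self.verbs, verb) and match(self.api_groups, api_group)
                and match(self.resources, resource))


@dataclass(frozen=True)
class Role:
    """namespace=None models a ClusterRole, otherwise a namespaced Role."""
    name: str
    rules: Tuple[Rule, ...]
    namespace: Optional[str] = None


@dataclass(frozen=True)
class Binding:
    """namespace=None models a ClusterRoleBinding, otherwise a RoleBinding."""
    name: str
    role: Role
    service_accounts: Tuple[Tuple[str, str], ...]   # (namespace, name) subjects
    namespace: Optional[str] = None

    def __post_init__(self):
        # A RoleBinding may reference a Role from its own namespace or any
        # ClusterRole; a ClusterRoleBinding may only reference a ClusterRole.
        if self.role.namespace is not None and self.role.namespace != self.namespace:
            raise ValueError(f"{self.name}: cannot bind a Role from another namespace")


def sa_user(namespace: str, name: str) -> str:
    return f"system:serviceaccount:{namespace}:{name}"


def forbidden_message(user: str, verb: str, resource: str, api_group: str,
                      namespace: Optional[str]) -> str:
    """Text the API server returns on denial (cluster scope when namespace is None)."""
    where = f'in the namespace "{namespace}"' if namespace else "at the cluster scope"
    return (f'{resource} is forbidden: User "{user}" cannot {verb} resource '
            f'"{resource}" in API group "{api_group}" {where}')


def authorize(bindings: List[Binding], sa_ns: str, sa_name: str, verb: str,
              resource: str, namespace: Optional[str], api_group: str = ""):
    """Return (allowed, reason) for a service account acting on a resource.

    RBAC is deny by default: the request is allowed only if some binding names
    the account and that binding's role has a matching rule. A RoleBinding
    applies only inside its own namespace, even when it references a
    ClusterRole; a ClusterRoleBinding applies in every namespace and at
    cluster scope.
    """
    user = sa_user(sa_ns, sa_name)
    for b in bindings:
        if (sa_ns, sa_name) not in b.service_accounts:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue                      # namespaced binding, wrong namespace
        for rule in b.role.rules:
            if rule.allows(verb, api_group, resource):
                kind = "RoleBinding" if b.namespace else "ClusterRoleBinding"
                return True, f"allowed by {kind} {b.name} -> {b.role.name}"
    return False, forbidden_message(user, verb, resource, api_group, namespace)


# The article's objects, reconstructed here with YOUR_NAMESPACE assumed to be "app".
READ_PODS = Rule(verbs=("get", "list", "watch"), api_groups=("",), resources=("pods",))
POD_READER = Role("pod-reader", (READ_PODS,), namespace="app")        # Solution 1
GLOBAL_POD_READER = Role("global-pod-reader", (READ_PODS,))          # Solution 3

SOLUTION_1 = [Binding("default-pod-reader", POD_READER, (("app", "default"),), namespace="app")]
SOLUTION_3 = [Binding("default-pod-reader", GLOBAL_POD_READER, (("default", "default"),))]
# Least privilege: the same ClusterRole, but granted only inside "app" via a RoleBinding.
SCOPED = [Binding("default-pod-reader", GLOBAL_POD_READER, (("app", "default"),), namespace="app")]

if __name__ == "__main__":
    for label, bindings, sa_ns, ns in [
        ("no binding (the error)", [], "app", "app"),
        ("Solution 1, own namespace", SOLUTION_1, "app", "app"),
        ("Solution 1, other namespace", SOLUTION_1, "app", "other"),
        ("Solution 3, any namespace", SOLUTION_3, "default", "other"),
        ("ClusterRole via RoleBinding, other namespace", SCOPED, "app", "other"),
    ]:
        print(f"{label}: {authorize(bindings, sa_ns, 'default', 'list', 'pods', ns)}")
```

The first scenario reproduces the error message verbatim; the Solution 1 scenarios show that a RoleBinding grants nothing outside its namespace and nothing for verbs the Role omits (delete is still denied); Solution 3 allows the default namespace's account everywhere, and the SCOPED binding shows how a ClusterRole can still be confined to one namespace.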

Series: Kubernetes Tutorials
