Kubernetes error: Service account ‘default’ is forbidden

Updated: January 31, 2024 By: Guest Contributor

Understanding the Service Account Error

The “Service account ‘default’ is forbidden” error occurs when a request made with a service account’s credentials is rejected by Kubernetes RBAC because that account lacks permission for the operation. This is usually because no Role or RoleBinding (or ClusterRole/ClusterRoleBinding) targets the service account, or because the bound roles do not include the verb and resource the request needs.

Solution 1: Check Service Account Permissions

A common cause of this issue is missing or misconfigured permissions. Ensure the service account has the necessary permissions to access the Kubernetes API.

1. Use kubectl to check the current Roles and RoleBindings applied to the ‘default’ service account:

kubectl get rolebindings,roles --namespace=YOUR_NAMESPACE 

2. If necessary Roles or RoleBindings aren’t present, create them with:

kubectl create role NAME --verb=get,list,watch,create,update --resource=pods
kubectl create rolebinding NAME --role=ROLE_NAME --serviceaccount=YOUR_NAMESPACE:default

Example:

kubectl create role pod-reader --verb=get,list,watch --resource=pods
kubectl create rolebinding default-pod-reader --role=pod-reader --serviceaccount=YOUR_NAMESPACE:default

Notes:

  • Pros: Straightforward solution to increase permissions.
  • Cons: Improper use might grant excessive permissions leading to security risks.

Solution 2: Reconfigure Service Account

If the ‘default’ service account itself is misconfigured or you wish to use a different service account with the correct permissions:

  1. Create a new service account, or identify an existing one that you want to use in place of ‘default’.
  2. Update the pod specification to use the new service account name by adding the serviceAccountName field under spec:

Example:

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
  - name: example-container
    image: example-image
  serviceAccountName: custom-account

Result: The pod now runs as the custom-account service account and has the required permissions. The named service account must exist in the pod’s namespace and must itself be bound to a Role or ClusterRole, otherwise the same forbidden error reappears under the new account name.

Notes:

  • Pros: Flexibility to use different service accounts as per requirements.
  • Cons: Requires additional configuration and maintenance.

Solution 3: Use ClusterRole and ClusterRoleBinding

For service accounts that need cluster-wide permissions across different namespaces:

  1. Ensure ClusterRoles and ClusterRoleBindings are correctly configured with appropriate permissions using kubectl.
  2. To create a ClusterRole with the necessary permissions and bind it to the service account, you can use:

Example:

kubectl create clusterrole global-pod-reader --verb=get,list,watch --resource=pods
kubectl create clusterrolebinding default-pod-reader --clusterrole=global-pod-reader --serviceaccount=default:default

Expected result: The ClusterRole and ClusterRoleBinding are created successfully. This grants the ‘default’ service account of the ‘default’ namespace (the subject default:default) read access to pods across all namespaces.

Notes:

  • Pros: Provides required permissions across the entire cluster.
  • Cons: May inadvertently grant too broad access.
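To make the three solutions concrete, here is an added example (not from the original article, and not Kubernetes’ own authorizer code) that re-implements, in simplified form, the RBAC decision the API server makes when a service account’s request arrives. It uses constructed stand-ins for the Role, RoleBinding, ClusterRole and ClusterRoleBinding objects that `kubectl get -o json` would return; the namespaces “app” and “team-b”, and the RoleBinding named “custom-pod-reader”, are assumptions. It goes slightly beyond the text by also showing that a ClusterRole referenced from a namespaced RoleBinding stays limited to that namespace, which is the usual way to keep the Solution 3 permissions from becoming cluster-wide.

```python
# Added example: a simplified model of Kubernetes RBAC resolution for service
# accounts. Constructed objects only; not modelled: ClusterRole aggregation,
# resourceNames, subresources and nonResourceURLs.


def sa_subject(namespace, name):
    """The subject identity the API server derives from a service account token."""
    return {"kind": "ServiceAccount", "namespace": namespace, "name": name}


def role_obj(kind, name, rules, namespace=None):
    """Build a Role (namespaced) or ClusterRole (cluster-scoped) object."""
    meta = {"name": name} if namespace is None else {"name": name, "namespace": namespace}
    return {"kind": kind, "metadata": meta, "rules": rules}


def binding_obj(kind, name, ref_kind, ref_name, subjects, namespace=None):
    """Build a RoleBinding (namespaced) or ClusterRoleBinding (cluster-scoped) object."""
    meta = {"name": name} if namespace is None else {"name": name, "namespace": namespace}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": ref_kind, "name": ref_name}, "subjects": subjects}


def rule_allows(rule, verb, resource, api_group):
    """A PolicyRule matches when verb, apiGroup and resource each match ('*' is a wildcard)."""
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule.get("apiGroups", [""]) or api_group in rule.get("apiGroups", [""]))
            and ("*" in rule["resources"] or resource in rule["resources"]))


def binding_names_subject(binding, subject):
    """ServiceAccount subjects match on kind, name AND namespace, never on name alone."""
    return any(s["kind"] == subject["kind"] and s["name"] == subject["name"]
               and (s["kind"] != "ServiceAccount" or s.get("namespace") == subject["namespace"])
               for s in binding.get("subjects", []))


def resolve_role_ref(objects, binding):
    """A RoleBinding may reference a Role in its own namespace or any ClusterRole;
    a ClusterRoleBinding may only reference a ClusterRole. Anything else grants nothing."""
    ref = binding["roleRef"]
    if binding["kind"] == "ClusterRoleBinding" and ref["kind"] != "ClusterRole":
        return None
    for obj in objects:
        if obj["kind"] != ref["kind"] or obj["metadata"]["name"] != ref["name"]:
            continue
        if obj["kind"] == "Role" and obj["metadata"]["namespace"] != binding["metadata"]["namespace"]:
            continue
        return obj
    return None  # dangling roleRef: the binding is inert, a frequent cause of "forbidden"


def can_i(objects, subject, verb, resource, namespace, api_group=""):
    """Return (allowed, explanation) for a namespaced request, like `kubectl auth can-i`."""
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not binding_names_subject(binding, subject):
            continue
        # A RoleBinding only grants inside its own namespace, even when it references
        # a ClusterRole; only a ClusterRoleBinding grants across all namespaces.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        role = resolve_role_ref(objects, binding)
        if role is not None and any(rule_allows(r, verb, resource, api_group) for r in role["rules"]):
            return True, f'{binding["kind"]}/{binding["metadata"]["name"]} -> {role["kind"]}/{role["metadata"]["name"]}'
    return False, (f'system:serviceaccount:{subject["namespace"]}:{subject["name"]} '
                   f'cannot {verb} resource "{resource}" in namespace "{namespace}"')


READ_PODS = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]

# Constructed cluster state: Solution 1 applied in namespace "app", Solution 3 applied
# for default:default, and a RoleBinding in "team-b" that reuses the ClusterRole for
# the custom-account service account from Solution 2 while staying namespace-scoped.
CLUSTER = [
    role_obj("Role", "pod-reader", READ_PODS, namespace="app"),
    binding_obj("RoleBinding", "default-pod-reader", "Role", "pod-reader",
                [sa_subject("app", "default")], namespace="app"),
    role_obj("ClusterRole", "global-pod-reader", READ_PODS),
    binding_obj("ClusterRoleBinding", "default-pod-reader", "ClusterRole", "global-pod-reader",
                [sa_subject("default", "default")]),
    binding_obj("RoleBinding", "custom-pod-reader", "ClusterRole", "global-pod-reader",
                [sa_subject("team-b", "custom-account")], namespace="team-b"),
]

CASES = [  # (label, subject, verb, namespace)
    ("Solution 1: app/default lists pods in app", sa_subject("app", "default"), "list", "app"),
    ("RoleBinding is namespace-scoped: app/default in team-b", sa_subject("app", "default"), "list", "team-b"),
    ("Verb not granted: app/default creates pods in app", sa_subject("app", "default"), "create", "app"),
    ("Solution 3: default/default lists pods in team-b", sa_subject("default", "default"), "list", "team-b"),
    ("The original error: team-b/default lists pods in team-b", sa_subject("team-b", "default"), "list", "team-b"),
    ("Solution 2: team-b/custom-account lists pods in team-b", sa_subject("team-b", "custom-account"), "list", "team-b"),
    ("ClusterRole via RoleBinding stays local: custom-account in app", sa_subject("team-b", "custom-account"), "list", "app"),
]


def walkthrough(objects=CLUSTER):
    """Evaluate each case and return {label: allowed}; prints the explanation for each."""
    results = {}
    for label, subject, verb, ns in CASES:
        allowed, why = can_i(objects, subject, verb, "pods", ns)
        results[label] = allowed
        print(f'{"yes" if allowed else "no":>3}  {label}: {why}')
    return results


if __name__ == "__main__":
    walkthrough()
```

Run it with `python3 rbac_walkthrough.py`; the two “no” rows for the ‘default’ account in the wrong namespace and for the missing verb are exactly the situations behind the forbidden error, and the explanation string for each “yes” names the binding and role that granted access, which is the same information you would hunt for with `kubectl get rolebindings,clusterrolebindings -A` when the real cluster says no.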