
Kubernetes error: User ‘system:serviceaccount:default:default’ cannot get services in the namespace

Last updated: January 31, 2024

Understanding the Error

This error message indicates that the ‘system:serviceaccount:default:default’ service account (the ‘default’ service account in the ‘default’ namespace) does not have the necessary permissions to perform the ‘get’ operation on services within the namespace named in the message. Kubernetes relies on Role-Based Access Control (RBAC) to define who can do what within a cluster. Without the correct RBAC rules in place, service accounts or users cannot interact with the Kubernetes API as intended.

Solutions

To resolve this error, we need to adjust RBAC permissions. This includes creating appropriate Roles or ClusterRoles and then creating RoleBindings or ClusterRoleBindings to grant the default service account the required permissions.

Solution 1: Create a Role and RoleBinding

Create a new Role that defines the ‘get’ permission for services and then create a RoleBinding to assign this role to the ‘default’ service account in the correct namespace.

  1. Identify the namespace where the permission is needed.
  2. Write a YAML definition for a Role that grants ‘get’ permission on services.
  3. Write a YAML definition for a RoleBinding that binds the Role to the default service account.
  4. Apply these definitions using ‘kubectl apply’.

Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: your-namespace
  name: service-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-reader-binding
  namespace: your-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: service-reader
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Notes: This solution strictly limits permissions to reading services (the ‘get’ and ‘list’ verbs in the Role above) within a single namespace, providing a secure and focused approach. However, you need to repeat these steps for each namespace where the default service account requires similar access, because a RoleBinding only grants access inside the namespace it is created in, not the namespace the service account lives in.

Solution 2: Create a ClusterRole and ClusterRoleBinding

Instead of defining permissions for a single namespace, it may be necessary to grant broader permissions across all namespaces in the cluster. This is done by creating a ClusterRole and then using a ClusterRoleBinding to specify that the default service account has ‘get’ access to services across all namespaces.

  1. Create a YAML definition of a ClusterRole for getting services.
  2. Create a YAML definition for a ClusterRoleBinding that assigns the ClusterRole to the default service account.
  3. Apply the definitions with ‘kubectl apply’.

Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: service-reader-global
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: service-reader-binding-global
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: service-reader-global
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Notes: This solution is advantageous for scenarios where a service account requires broad access to ‘get’ services across all namespaces. It is easier to manage but less secure due to the broader permission scope, and should only be used when necessary.
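To make the difference between the two solutions concrete, here is an added example (not part of the article, and not the Kubernetes authorizer itself): a small Python model of how the API server evaluates the article's four manifests, mirrored as Python dicts. It assumes the object names from the article and a simplified `can_i` that plays the role of `kubectl auth can-i`; it shows why the error occurs with no binding, why the RoleBinding grants access only in ‘your-namespace’ even though the subject lives in ‘default’, and why the ClusterRoleBinding grants it everywhere.

```python
# Added example, not from the article: a minimal model of how the API server evaluates
# the article's manifests. RBAC is allow-only: a request is denied unless some binding
# naming the subject references a role whose rule matches verb + resource in that namespace.

# Constructed Python mirrors of the article's YAML manifests.
ROLE = {"kind": "Role", "metadata": {"namespace": "your-namespace", "name": "service-reader"},
        "rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}]}
ROLE_BINDING = {"kind": "RoleBinding",
                "metadata": {"name": "service-reader-binding", "namespace": "your-namespace"},
                "roleRef": {"kind": "Role", "name": "service-reader"},
                "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}
CLUSTER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "service-reader-global"},
                "rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}]}
CLUSTER_ROLE_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "service-reader-binding-global"},
                        "roleRef": {"kind": "ClusterRole", "name": "service-reader-global"},
                        "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}
DEFAULT_SA = "system:serviceaccount:default:default"  # the user named in the error message


def subject_matches(subject, user):
    """A ServiceAccount subject is matched by the user name system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] in ("User", "Group") and subject["name"] == user


def rule_allows(rule, verb, resource, api_group=""):
    """Each list in a rule matches on exact membership or the '*' wildcard."""
    hit = lambda items, want: "*" in items or want in items
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)


def can_i(objects, user, verb, resource, namespace):
    """True if any binding that reaches `user` grants `verb` on `resource` in `namespace`."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(subject_matches(s, user) for s in b.get("subjects", [])):
            continue
        # A RoleBinding grants only inside its own namespace (not the subject's namespace);
        # a ClusterRoleBinding grants in every namespace.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        ref = b["roleRef"]  # a RoleBinding may reference a Role (same namespace) or a ClusterRole
        role_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], role_ns, ref["name"]))
        if role and any(rule_allows(r, verb, resource) for r in role["rules"]):
            return True
    return False
```

On a real cluster the equivalent check after applying either solution is `kubectl auth can-i get services --as=system:serviceaccount:default:default -n your-namespace`, which should answer `yes`.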
