Kubernetes error: User ‘system:serviceaccount:default:default’ cannot get services in the namespace

Updated: January 31, 2024 By: Guest Contributor

Understanding the Error

This error message in Kubernetes typically indicates that the ‘system:serviceaccount:default:default’ service account (the service account named ‘default’ in the ‘default’ namespace) does not have the necessary permissions to perform the ‘get’ operation on services within a specific namespace. Kubernetes relies on Role-Based Access Control (RBAC) to define who can do what within a cluster. Without the correct RBAC rules in place, service accounts or users cannot interact with the Kubernetes API as intended.

Solutions

To resolve this error, we need to adjust RBAC permissions. This includes creating appropriate Roles or ClusterRoles and then creating RoleBindings or ClusterRoleBindings to grant the default service account the required permissions.

Solution 1: Create a Role and RoleBinding

Create a new Role that defines the ‘get’ permission for services and then create a RoleBinding to assign this role to the ‘default’ service account in the correct namespace.

  1. Identify the namespace where the permission is needed.
  2. Write a YAML definition for a Role that grants ‘get’ permission on services.
  3. Write a YAML definition for a RoleBinding that binds the Role to the default service account.
  4. Apply these definitions using ‘kubectl apply’.

Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: your-namespace
  name: service-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-reader-binding
  namespace: your-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: service-reader
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Notes: This solution strictly limits permissions to reading services (the ‘get’ and ‘list’ verbs in the example) within a single namespace, providing a secure and focused approach. However, you need to repeat these steps for each namespace where the default service account requires similar access.

Solution 2: Create a ClusterRole and ClusterRoleBinding

Instead of defining permissions for a single namespace, it may be necessary to grant broader permissions across all namespaces in the cluster. This is done by creating a ClusterRole and then using a ClusterRoleBinding to specify that the default service account has ‘get’ access to services across all namespaces.

  1. Create a YAML definition of a ClusterRole for getting services.
  2. Create a YAML definition for a ClusterRoleBinding that assigns the ClusterRole to the default service account.
  3. Apply the definitions with ‘kubectl apply’.

Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: service-reader-global
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: service-reader-binding-global
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: service-reader-global
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Notes: This solution is advantageous for scenarios where a service account requires broad access to ‘get’ services across all namespaces. It is easier to manage but less secure due to the broader permission scope, and should only be used when necessary.
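To see the difference between Solution 1 and Solution 2 without a cluster, here is an added example (not from the original article) that transcribes the four manifests above into Python dicts and runs a small, hypothetical RBAC evaluator over them, the same way ‘kubectl auth can-i --as=system:serviceaccount:default:default’ would answer on a live cluster. It assumes only the core RBAC binding rules: a RoleBinding grants access in its own namespace only, a ClusterRoleBinding grants it in every namespace, and the subject must match the service account's name and namespace exactly.

```python
# Hypothetical offline RBAC evaluator; manifests transcribed from the article's examples.
RULES = [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}]
SUBJECT = [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]

ROLE = {"kind": "Role", "metadata": {"namespace": "your-namespace", "name": "service-reader"},
        "rules": RULES}
ROLE_BINDING = {"kind": "RoleBinding",
                "metadata": {"namespace": "your-namespace", "name": "service-reader-binding"},
                "roleRef": {"kind": "Role", "name": "service-reader"}, "subjects": SUBJECT}
CLUSTER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "service-reader-global"},
                "rules": RULES}
CLUSTER_ROLE_BINDING = {"kind": "ClusterRoleBinding",
                        "metadata": {"name": "service-reader-binding-global"},
                        "roleRef": {"kind": "ClusterRole", "name": "service-reader-global"},
                        "subjects": SUBJECT}


def subject_matches(subject, sa_namespace, sa_name):
    # system:serviceaccount:<namespace>:<name> must match both fields of the subject.
    return (subject["kind"] == "ServiceAccount" and subject["name"] == sa_name
            and subject.get("namespace") == sa_namespace)


def rule_allows(rule, api_group, resource, verb):
    # "" is the core API group (services live there); "*" is a wildcard.
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def can_i(objects, sa_namespace, sa_name, verb, resource, namespace, api_group=""):
    """True if service account sa_namespace:sa_name may <verb> <resource> in <namespace>."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        # A RoleBinding only applies inside the namespace it lives in.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, sa_namespace, sa_name) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        # A Role is looked up in the binding's namespace; a ClusterRole is cluster-wide.
        ref_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], ref_ns, ref["name"]))
        if role and any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False
```

Note that a subject of ‘namespace: your-namespace’ would not fix the error in the article: the failing caller is the ‘default’ account in the ‘default’ namespace, so that is the subject the binding has to name.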