Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recipe 10.2 'Listing and viewing Access Control Information' #9

Open
bennybhlin opened this issue Oct 16, 2018 · 8 comments
Open

Recipe 10.2 'Listing and viewing Access Control Information' #9

bennybhlin opened this issue Oct 16, 2018 · 8 comments
Labels
enhancement New feature or request
Milestone
Book Edition 2

Comments

@bennybhlin
Copy link

bennybhlin commented Oct 16, 2018
edited
Loading

I used the 'pod-with-sa.yaml' example here to create serviceaccount sec/myappsa; however, if I just enter the command of sec. 10.2 'kubectl -n sec auth can-i list pods --as=system-serviceaccount:sec:myappsa', I would get an error message below (no RBAC policy matched):

default

Even I'd follower recipe 10.3 to create required role and role binding under namespace 'sec', I still could not verify whether serviceaccount sec/myappsa is capable of get/list pods in namespace 'sec'.

What did I miss?
@bennybhlin
Copy link
Author

bennybhlin commented Oct 16, 2018
edited
Loading

Meanwhile. using Minikube 0.29.0 with '--extra-config=apiserver.Authorization.Mode=RBAC' would hang 'minikube start'.

kubernetes/minikube#2798

But later I used '--extra-config=apiserver.Authorization-Mode=RBAC' instead, the hang disappeared.

@bennybhlin bennybhlin reopened this Oct 16, 2018
@mhausenblas
Copy link
Collaborator

You have a copy past mistake in there (I checked, it's correct in the book): it should be --as=system:serviceaccount:sec:myappsa and not --as=system-serviceaccount:sec:myappsa

@bennybhlin
Copy link
Author

Sorry, but even I paste corrected snippet it still gave me another error, I am sure my role 'podreader' was created under namespace 'sec':

default

@bennybhlin
Copy link
Author

bennybhlin commented Oct 16, 2018 via email

@mhausenblas mhausenblas reopened this Oct 16, 2018
@mhausenblas
Copy link
Collaborator

Well, that's strange, isn't it? :)

What does kubectl version --short give you?

@bennybhlin
Copy link
Author

I got this

default

@mhausenblas
Copy link
Collaborator

So @bennybhlin not sure about this one. I can't reproduce it as it stands. What exactly was your setup? What steps did you do?

@sebgoa
Copy link

sebgoa commented Oct 18, 2018

Did you create the rolebinding as well ?

BTW: you can just paste the text output using triple quotes like this:

this is the text I have in my shell

instead of pasting pictures...

@mhausenblas mhausenblas added the enhancement New feature or request label Oct 20, 2018
@mhausenblas mhausenblas added this to the Book Edition 2 milestone Oct 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
Book Edition 2
Development

No branches or pull requests
3 participants
@mhausenblas @sebgoa @bennybhlin