Kubernetes Error & Fix: clusterroles.rbac.authorization.k8s.io is forbidden: User clusterUser cannot list resource clusterroles

Issue Background: With an Azure Kubernetes Service deployment (version 1.17.9) in my dev environment, I launch the Kubernetes Dashboard application and I can’t see any Kubernetes resources and I get the following error notification

clusterroles.rbac.authorization.k8s.io is forbidden: User “clusterUser” cannot list resource “clusterroles” in API group “rbac.authorization.k8s.io” at the cluster scope

I am attempting to list resources as the user clusterUser.

Kubernetes Error

Resolution:

kubectl describe clusterrolebinding kubernetes-dashboard

Name:         kubernetes-dashboard
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name                  Namespace
  ----            ----                  ---------
  ServiceAccount  kubernetes-dashboard  kube-system
kubectl describe clusterrolbinding

We see that the clusterUser does not have permissions defined in the cluster role binding

kubectl delete clusterrolebinding kubernetes-dashboard
kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard --user=clusterUser
kubectl describe clusterrolebinding kubernetes-dashboard

Now we see the cluster role is included in the clusterrolebinding.

Upon browser reload, we get expected outcome:

Some simplified definitions:
The RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBinding and ClusterRoleBinding.

  • Role always sets permissions within a particular namespace
  • ClusterRole sets permissions for non-namespaced and cluster-wide resources.
  • Role Binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted.
  • ClusterRoleBinding grants permissions to cluster wide resources

References:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s