I'm trying to deploy the ingress-nginx Helm chart to K8s with Jenkins running in a container.
Kubernetes version: 1.25.4 and Helm chart: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx
I have created a service account for Jenkins to access K8s, and currently, by using that service account's access token, I can for example list pods in all namespaces. But when I try to deploy the Helm chart, I'm hitting this error:
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:devops-tools:jenkins-admin" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
How should I create the ServiceAccount so that I can list clusterroles?
kubectl auth can-i get clusterroles --as=system:serviceaccount:devops-tools:jenkins-admin -A
Here is the service account, cluster role and role binding template that I use:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-admin
rules:
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-admin
  namespace: devops-tools
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins-admin
subjects:
  - kind: ServiceAccount
    name: jenkins-admin
    namespace: devops-tools
Create a ServiceAccount with the cluster-admin role for this purpose like this.
Now add a ClusterRoleBinding for the service account as follows.
You can now verify the permission by using the following command.
For more detailed information, refer to the 5th point in the official k8s docs.
You can have a glance at the blog written by Roy Kim, which contains a similar error reference.
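The error in the question comes from the `apiGroups: [""]` line of the ClusterRole: the empty string is only the core API group (pods, services, secrets), while `clusterroles` live in `rbac.authorization.k8s.io`, so `resources: ["*"]` never reaches them. The answer's cluster-admin binding removes the error because cluster-admin has `apiGroups: ["*"]`. A second hurdle sits behind the first: the chart creates its own ClusterRole for the controller, and the API server's escalation prevention refuses that unless the caller already holds every permission the new role grants (or has the `escalate` verb on clusterroles). The following is an added example, not code from the question, the answer or the ingress-nginx chart: an offline model of RBAC rule matching that replays the question's role, a role with only the rbac group added, a scoped alternative and cluster-admin against a constructed list of the requests the install makes. The controller role, the request list and the group list in `SCOPED_RULES` are assumptions; confirm them against `helm template ingress-nginx/ingress-nginx` for your chart version.

```python
"""Offline model of Kubernetes RBAC PolicyRule matching (added example for this
page; not code from the question, the answer or the ingress-nginx chart)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class PolicyRule:
    """Subset of rbac.authorization.k8s.io/v1 PolicyRule."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str  # "" is the core group (pods, services, secrets, ...)
    resource: str


def _matches(patterns: Sequence[str], value: str) -> bool:
    """RBAC field matching: "*" is a wildcard, anything else is an exact match."""
    return "*" in patterns or value in patterns


def can_i(rules: Sequence[PolicyRule], req: Request) -> bool:
    """Cluster-scope equivalent of `kubectl auth can-i <verb> <resource>`."""
    return any(_matches(r.api_groups, req.api_group)
               and _matches(r.resources, req.resource)
               and _matches(r.verbs, req.verb) for r in rules)


def _covered(granter: Sequence[str], pattern: str) -> bool:
    # A wildcard in the role being created is only covered by a wildcard.
    return "*" in granter if pattern == "*" else _matches(granter, pattern)


def covers(granter: Sequence[PolicyRule], new_rule: PolicyRule) -> bool:
    """Every (group, resource, verb) the new rule grants must already be held."""
    return all(any(_covered(r.api_groups, g) and _covered(r.resources, res)
                   and _covered(r.verbs, v) for r in granter)
               for g in new_rule.api_groups
               for res in new_rule.resources
               for v in new_rule.verbs)


RBAC = "rbac.authorization.k8s.io"


def can_create_clusterrole(granter: Sequence[PolicyRule],
                           new_role: Sequence[PolicyRule]) -> bool:
    """API-server escalation prevention: creating a ClusterRole needs `create` on
    clusterroles plus either `escalate` on clusterroles or every permission the
    new role would grant."""
    create = can_i(granter, Request("create", RBAC, "clusterroles"))
    escalate = can_i(granter, Request("escalate", RBAC, "clusterroles"))
    return create and (escalate or all(covers(granter, r) for r in new_role))


# Exactly the rules in the question's ClusterRole: the core API group only.
QUESTION_RULES = (PolicyRule(("",), ("*",), ("*",)),)
# The question's rule plus the rbac group with explicit verbs (no escalate/bind).
PLUS_RBAC_RULES = QUESTION_RULES + (PolicyRule(
    (RBAC,), ("*",), ("get", "list", "watch", "create", "update", "patch", "delete")),)
# Least-privilege alternative to cluster-admin: every group the chart touches
# (assumed list; confirm against `helm template` output for your chart version).
SCOPED_RULES = PLUS_RBAC_RULES + (
    PolicyRule(("apps", "batch", "networking.k8s.io", "coordination.k8s.io",
                "discovery.k8s.io", "admissionregistration.k8s.io"), ("*",), ("*",)),)
# What the answer proposes: bind the service account to cluster-admin.
CLUSTER_ADMIN_RULES = (PolicyRule(("*",), ("*",), ("*",)),)

# Constructed approximation of the controller ClusterRole the chart creates.
CONTROLLER_ROLE = (
    PolicyRule(("",), ("configmaps", "endpoints", "nodes", "pods", "secrets",
                       "namespaces"), ("list", "watch")),
    PolicyRule(("networking.k8s.io",), ("ingresses", "ingressclasses"),
               ("get", "list", "watch")),
    PolicyRule(("coordination.k8s.io",), ("leases",),
               ("get", "list", "watch", "create", "update")),
    PolicyRule(("discovery.k8s.io",), ("endpointslices",), ("get", "list", "watch")),
)

# Requests the install issues (constructed; the second one is the question's error).
HELM_REQUESTS = (
    Request("list", "", "pods"),
    Request("list", RBAC, "clusterroles"),
    Request("create", RBAC, "clusterrolebindings"),
    Request("create", "apps", "deployments"),
    Request("create", "networking.k8s.io", "ingressclasses"),
)


def denied(rules: Sequence[PolicyRule]) -> List[Tuple[str, str, str]]:
    """Requests a rule set rejects at cluster scope, as (verb, group, resource)."""
    return [(r.verb, r.api_group, r.resource)
            for r in HELM_REQUESTS if not can_i(rules, r)]


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("plus-rbac", PLUS_RBAC_RULES),
                        ("scoped", SCOPED_RULES), ("cluster-admin", CLUSTER_ADMIN_RULES)):
        print(f"{name:13s} denied={denied(rules)} "
              f"can_create_controller_role={can_create_clusterrole(rules, CONTROLLER_ROLE)}")
```

Running it shows the progression: the question's role is denied on everything outside the core group, adding only `rbac.authorization.k8s.io` clears the `list clusterroles` error but the install still fails on `apps` and `networking.k8s.io` and on creating the controller's ClusterRole, while the scoped rule set and cluster-admin both pass. Against a real cluster the same checks are `kubectl auth can-i list clusterroles --as=system:serviceaccount:devops-tools:jenkins-admin` and `helm install --dry-run`. Note that giving the rbac group `verbs: ["*"]` would silently include `escalate` and `bind`, which lets the service account grant itself anything; listing the verbs explicitly, as `PLUS_RBAC_RULES` does, keeps the escalation check in force.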