RBAC and Spring Cloud Kubernetes

What I learned today — 8 June 2018

Niel de Wet
Jun 8, 2018

Spring Cloud integration with Kubernetes is a natural way of using Spring Cloud in a Kubernetes environment and removes the need for other service discovery tools like Consul. In our experience this is also a very stable solution.

In Kubernetes clusters newer than version 1.8, RBAC is stricter, and for the integration to work the service account the application runs as needs access to the necessary resources. If a service is deployed without that permission, you may see an error message like the following:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/k8s-disco/services. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. services is forbidden: User "system:serviceaccount:k8s-disco:default" cannot list services in the namespace "k8s-disco".

This message says that the service account “default” in the namespace “k8s-disco” does not have permission to list services in that namespace.

The Spring Cloud Kubernetes integration (as of Kubernetes version 1.10) requires access to these resources: services, pods, configmaps and endpoints.

To give a service account access to these resources, create a role with the necessary permissions and bind it to the account. The permissions are defined in a ClusterRole (or a Role, if they are only needed in one namespace) and granted by a RoleBinding, which is specific to a namespace.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-discovery-client
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services", "pods", "configmaps", "endpoints"]
  verbs: ["get", "watch", "list"]

Create a role binding to assign the role to the service account:

kubectl create rolebinding default:service-discovery-client --clusterrole service-discovery-client --serviceaccount <namespace>:<service account name>

For example:

kubectl create rolebinding default:service-discovery-client --clusterrole service-discovery-client --serviceaccount k8s-disco:default
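As an added example (not from the post), a small Python helper that parses the Forbidden message quoted above into the missing permission, checks a ClusterRole's rules against exactly the resources and verbs the integration needs (reporting both gaps, which cause the Forbidden error, and excess grants, which break least privilege), and builds the RoleBinding object equivalent to the kubectl command above. The function names and the NARROW_RULES variant are my own constructions.

```python
import re

# Access Spring Cloud Kubernetes needs per the post: get/watch/list on four
# core-group resources. Any granted pair outside this set is excess privilege.
REQUIRED = {(r, v) for r in ("services", "pods", "configmaps", "endpoints")
            for v in ("get", "watch", "list")}

# Pattern for the fabric8 "Forbidden" message quoted in the post.
_FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) (?P<resource>\S+) in the namespace "(?P<ns>[^"]+)"')

def parse_forbidden(msg):
    """Pull service account, verb, resource and namespace out of the error."""
    m = _FORBIDDEN.search(msg)
    return m.groupdict() if m else None

def granted(rules, api_group=""):
    """Flatten a role's rules for one API group into (resource, verb) pairs."""
    pairs = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        if api_group in groups or "*" in groups:
            pairs |= {(r, v) for r in rule.get("resources", [])
                      for v in rule.get("verbs", [])}
    return pairs

def covers(pairs, resource, verb):
    """True if a granted pair (possibly a '*' wildcard) allows verb on resource."""
    return any(r in (resource, "*") and v in (verb, "*") for r, v in pairs)

def check_role(rules):
    """Return (missing, excess): needed pairs the role lacks (these produce the
    Forbidden error) and granted pairs the integration does not need."""
    pairs = granted(rules)
    missing = {rv for rv in REQUIRED if not covers(pairs, *rv)}
    return missing, pairs - REQUIRED

def rolebinding(namespace, sa_name, clusterrole):
    """Manifest equivalent to the post's `kubectl create rolebinding` command."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": f"{sa_name}:{clusterrole}", "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": clusterrole},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                          "namespace": namespace}]}

# The post's ClusterRole rules, and a constructed variant that omits "list".
POST_RULES = [{"apiGroups": [""], "resources": ["services", "pods", "configmaps",
              "endpoints"], "verbs": ["get", "watch", "list"]}]
NARROW_RULES = [{"apiGroups": [""], "resources": ["services"], "verbs": ["get"]}]
```

Running check_role against the rules you are about to apply, and against any pre-existing role the account already has, shows both why a deployment gets the Forbidden error and whether the fix grants more than the integration actually uses.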
