84 questions
0 votes, 0 answers, 23 views
Using Federated Credentials Flow with Webclient in Springboot [closed]
What we have and want:
Currently we make use of the standard clientCredentials flow like it's explained here: https://www.baeldung.com/spring-webclient-oauth2#1-client-and-provider-configurations
We ...
2 votes, 0 answers, 61 views
Kubernetes Java Client Unable to Find Config When Running as Docker Container
I have a Java service that uses the Fabric8 Kubernetes Java Client to connect to a Kubernetes cluster. When I run the service locally using java -jar, it works perfectly. However, when I build a ...
1 vote, 0 answers, 59 views
fake client gives error using CreateToken operation for ServiceAccounts
I have the below code in a test function
import (
	"k8s.io/client-go/kubernetes/fake"
)
// Mock Kubernetes client
k8sClient := fake.NewClientset()
// Mock service account
...
0 votes, 1 answer, 2k views
Setting Up Backstage with Guest Authentication on a Kubernetes Cluster
I'm working on deploying Backstage on a Kubernetes cluster using the Helm chart and looking to enable guest user access for development purposes. However, I'm encountering a "501 Not Implemented"...
0 votes, 1 answer, 202 views
AWS Secret & K8s: container with envVar referencing secret.secretName="secret" is not allowed because service account does not reference that secret
I'm attempting to retrieve a secret from AWS Secret Manager within my EKS cluster. I've followed the steps outlined in the eksworkshop_secret_manager. However, after the secret is written to the pod ...
0 votes, 0 answers, 369 views
Getting service account credential in GKE
I have a GKE cluster that uses a custom service-account. I'm using it to access Google API (Gmail API). But, when I use
final List<String> SCOPES = List.of(GmailScopes.GMAIL_READONLY);
...
0 votes, 1 answer, 2k views
Scaling Up/Down kubernetes deployments using only cronjobs and Service Accounts
I've a workload that requires some deployments to be scaled up/down at certain hours of the day. Since the load is predictable, I didn't want to spend much time setting up HPA because it's a total ...
1 vote, 1 answer, 930 views
Can Kubernetes RoleBinding have subjects in a different namespace?
RoleBinding subjects do have a namespace field, but when I create a RoleBinding in one namespace with a subject in another, it doesn't seem to work.
Full example:
apiVersion: v1
kind: Namespace
...
1 vote, 0 answers, 69 views
Issue with Assuming service account role from the docker container running in EKS Pod
Currently we are running EKS cluster in AWS. We have created service account and annotated with IAM role.
Current scenario:
We are running a python script using Boto3 inside a docker container within ...
-1 votes, 1 answer, 212 views
GCP Terraform K8s issue : Required 'compute.instances.create' permission for 'projects/*/gke-prod-app-cluster-default-pool* [closed]
I have a problem when I try to create a cluster on GCP through Terraform. It is a permission error on the default node.
So I have my project, and I use a service account host with owner rights.
I have ...
3 votes, 1 answer, 3k views
Can we annotate multiple GSA to Kubernetes Service Account (GCP)
I am fairly new to cloud and GCP.
So, we have an application which uses pub sub, cloud storage, cloud sql and secret manager. This is deployed using helm chart.
All services uses different service ...
0 votes, 1 answer, 208 views
How to enable AWS S3 Caching on Please Build in a Pod on AWS EKS Kubernetes cluster?
I'm using Please Build to build different modules of my app in a Jenkins job that runs inside an AWS EKS Kubernetes cluster on a linux AWS EC2 instance in a pod using jenkins/slave.jar in a debian ...
0 votes, 2 answers, 606 views
EKS - Kubernetes - nginx-ingress-controller-default-ingress-controller - open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied
We have an EKS cluster on 1.21.
There is an nginx-ingress-controller-default-ingress-controller deployed with a Classic Load Balancer.
Suddenly, its pods are crashing with following errors.
I0815 04:...
3 votes, 1 answer, 514 views
What is the difference between google_project_iam and google_service_account_iam?
Regarding these two Terraform GCP resources : google_project_iam and google_service_account_iam
I can't fully grasp the differences and use cases where you should use one over the other. I might have ...
9 votes, 1 answer, 5k views
Can we associate K8s serviceAccount with multiple aws IAM role
Is it possible in eks to associate serviceAccount with multiple aws IAM roles? Am I allowed to provide multiple arns in service account annotations?
eg
apiVersion: v1
kind: ServiceAccount
metadata:
...
-1 votes, 1 answer, 3k views
ERROR kubebootstrap: WORKER PANICKED: ingresses.networking.k8s.io is forbidden: User cannot list resource "ingresses" in API group "networking.k8s.io"
I am currently encountering an issue with my Amazon EKS cluster that hosts Lucidworks Fusion. To start with I had an Amazon EKS v1.18 cluster that I then upgraded to v1.19 which all went well. I also ...
1 vote, 1 answer, 267 views
MinIO SDK support service account connectivity in AWS EKS
I am trying to connect MinIO GO SDK with AWS EKS service account to work directly with AWS S3 but without any luck. I have tested it with AWS SDK and it works but doesn't work with the MinIO SDK. ...
0 votes, 1 answer, 4k views
EKS Service Account Annotation
I have a service account, and this needs access to multiple aws services. Is there any way we could specify multiple role an annotations, or do we expect to create a generic role and give access to ...
1 vote, 0 answers, 474 views
How can I programmatically connect to multiple K8S clusters created with the eksctl command in AWS EKS?
I want to push some jobs.yml script to multiple Kubernetes clusters programmatically, connection details will be provided by customers and we can store it in encrypted format in DB or maybe S3.
I'm ...
-1 votes, 1 answer, 225 views
case missing gke-spot label is it spot=false?
I need to know if a node is spot or not. I found I can collect this data from node labels but case inside node details there is no GKE key label:
cloud.google.com/gke-spot: "true" / "...
0 votes, 0 answers, 178 views
cannot access the statsd metrics endpoint from within its pod calling localhost
I am creating a local cluster as below:
# kind-cluster.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
- |-
  [plugins."io.containerd.grpc.v1.cri".registry....
0 votes, 1 answer, 372 views
Kubernetes SAT token as environment variable
I have created a K8 service account token using following command;
kubectl create serviceaccount test-sat-account
I have deployment yaml for a dotnet service and I am importing the above token in a ...
0 votes, 1 answer, 2k views
How to get secrets from AWS Secrets manager in EKS using CSI driver
Hi, I am working on a POC, where I have to bring Secrets from AWS secrets manager in an EKS Pod, but I am getting this error.
MountVolume.SetUp failed for volume "secrets-store-inline" : rpc ...
1 vote, 1 answer, 2k views
Error looking up service account when using role binding
I have a helm chart that I have created.
In this chart, I have a template for a Job with a post-install hook (code below), custom resource, and config map.
apiVersion: batch/v1
kind: Job
metadata:
...
1 vote, 1 answer, 1k views
Deploy ServiceAccount, ClusterRole & ClusterRoleBinding failure
My NodeJS microservice is deployed to k8s cluster.
I would like this microservice to access the k8s API server. For that, I guess I need to create a ServiceAccount for it. So I did this:
apiVersion: ...
5 votes, 3 answers, 7k views
How to configure a ClusterRole for namespaced resources
I want to allow a ServiceAccount in namespace A to access a resource in namespace B.
To achieve this I connect the ServiceAccount to a ClusterRole via a ClusterRoleBinding.
The documentation says I ...
4 votes, 1 answer, 2k views
How to use kubernetes service account with golang?
Actually, I use kubernetes service accounts mostly with NodeJS, and this works fine, but I have this one service made in Go and I can't seem to make it work with service accounts (I know that the ...
2 votes, 0 answers, 3k views
Confluent Schema Registry on Strimzi - pods not getting created
I've Strimzi Kafka installed on GKE (GCP), and I'm trying to install Confluent Schema registry referring link -
https://github.com/lsst-sqre/strimzi-registry-operator
Steps followed:
Installed ...
0 votes, 1 answer, 899 views
Create secret for my service account but the created service account always show me 0 secret associated with it
My NodeJS microservice is deployed to k8s cluster.
I am running this with my local Docker Desktop k8s environment.
I would like this microservice to access the k8s API server. For that, I guess I ...
0 votes, 1 answer, 3k views
Resolving AssumeRoleWithWebIdentity
Following this guide, I cannot resolve the final fifth step, which fails with:
An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:...
0 votes, 1 answer, 1k views
Getting error You must be logged in to the server (the server has asked for the client to provide credentials)
I am getting the following error when trying to use the kubectl command:-
error: You must be logged in to the server (the server has asked for the client to provide credentials)
I am using the eks and ...
1 vote, 1 answer, 447 views
Getting error while deploying istio version 1.16, pods are getting crashed
I am deploying to version 1.16 but the pods are getting crashed below are the pod's error.
istiod pod:
2023-03-21T11:58:09.768255Z info kube controller "extensions.istio.io/v1alpha1/WasmPlugin"...
2 votes, 0 answers, 560 views
Changing Role permissions for an active (in-use) ServiceAccount in Kubernetes
Suppose a simple RBAC setup in Kubernetes (assuming default namespace for simplicity):
ServiceAccount + Role + RoleBinding
The role allows the get and list verbs for pods and pods/log
a Pod using ...
3 votes, 2 answers, 2k views
Why new created ServiceAccount has 0 secrets
I have Kubernetes version 1.24.3, and I created a new service account named "deployer", but when I checked it, it shows it doesn't have any secrets.
This is how I created the service account:...
0 votes, 1 answer, 1k views
How to add automountServiceAccountToken: false using Helm
I have been trying to add automountServiceAccountToken: false into deployment using helm but my changes are reflecting inside deployment in kubernetes.
I tried below in helpers.tpl
{{- "<chart-...
0 votes, 1 answer, 1k views
Default ServiceAccount k8s
I'm a little confused about the default Service Account in new created Namespace in my Minikube.
Does it have any permissions? It seems not because I can't find any rolebinding or clusterrolebinding ...
1 vote, 1 answer, 3k views
How to write/use K8 Python client to create a new role, sa & role binding
I am currently figuring out what is the best way to programmatically manage the Kubernetes cluster (eks). I have come across a python Kubernetes client where I was able to load the local config and ...
0 votes, 1 answer, 532 views
Allow K8s serviceAccount to read clusterroles, problem when trying to deploy ingress-nginx helm chart with jenkins
I'm trying to deploy ingress-nginx helm chart to K8s with Jenkins running in container.
Kubernetes version: 1.25.4 and
Helm chart: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx
I ...
0 votes, 1 answer, 451 views
In Kubernetes if I create a rolebinding with a serviceaccount subject without namespace defined, which sa is used?
I can create a rolebinding like this
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
  namespace: rolebinding-ns
subjects:
- kind: ServiceAccount
  name: default
...
0 votes, 2 answers, 632 views
How is Kubernetes Service IP assigned and stored?
I deployed a service myservice to the k8s cluster. Using kubectl describe service ..., I can find that the service ip is 172.20.127.114. I am trying to figure out how this service ip is assigned. Is ...
1 vote, 1 answer, 2k views
Kubernetes service account to access AWS S3 for different users in the container
I have an EKS deployment with a service account with policy and role that enable access to S3.
This works well for root account in the container. The container can execute aws s3 cp ... with no issue.
...
1 vote, 1 answer, 4k views
Cannot list or delete ClusterRole or ClusterRoleBinding with a Kubernetes ServiceAccount
I want to create a Kubernetes CronJob that deletes resources (Namespace, ClusterRole, ClusterRoleBinding) that may be left over (initially, the criteria will be "has label=Something" and "...
1 vote, 1 answer, 231 views
Cannot access https://<master-ip>:<nodePort> when using kubernetes-dashboard(timeout)
Hi guys, I got some issues when I'm going to run my kubernetes-dashboard😥.
The details of the issue are:
I can't access my dashboard in browser by using https://<master-ip>:<nodePort>(...
3 votes, 1 answer, 4k views
Can Cloud Composer run Dags with different Service Accounts in the same Composer environment?
I have several Dags setup to run the KubernetesPodOperator in Cloud Composer / Airflow, they run under the Composer Environment Service Account, I want to know if there is a way of running a Dag with a ...
0 votes, 1 answer, 823 views
Is there a way to detect inactive Service / User Accounts in K8s cluster
I'd like to be able to detect inactive Service accounts and User accounts by using kubectl / rest api in my Kubernetes cluster.
like for an example idle service account that has not been used for any ...
4 votes, 1 answer, 3k views
k8s mount service account token
How can I mount service account token,
we are using a chart which doesn't support it and after an hour the chart is failing.
https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-...
3 votes, 1 answer, 2k views
Why K8s automounted service account token in a pod is different from the token retrieved directly from a service account?
Let's say I create a service account and retrieve the token associated to it:
kubectl -n myexample describe sa myexample-sa
kubectl describe secret myexample-sa-token-xxxxx
Value of the token:
token: ...
0 votes, 1 answer, 1k views
Can't deploy bitnami/rabbitmq Helm Chart on GKE, permission to create role is required
Introduction :
I am trying to deploy a RabbitMq Helm Chart to GKE, with my Gitlab CI/CD pipeline. The command I use to install my chart is:
helm upgrade --install rabbitmq --create-namespace --...
4 votes, 0 answers, 926 views
How do I use a k8s serviceaccount's attached IAM role to make a request to S3 with the AWS SDK for Go v2
In a Go application run as a k8s Job, I am attempting to assume a serviceaccount <-> IAM Role when trying to GetObject from an S3 bucket. I attach a serviceAccountName field to the Job spec in ...
1 vote, 1 answer, 805 views
How to hide a namespace for specific user on kubernetes
I have three namespaces
prod
dev
stage
And I have two users
prod-user : has full access for "prod" namespaces but has no access for "dev" and "stage"
dev-user : has ...