Hi,
I have this configuration for my aws-auth config map:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
        - system:bootstrappers
        - system:nodes
      rolearn: arn:aws:iam::999999999999:role/ec2-managed-node
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
        - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: adrian
    - groups:
        - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: bruce
    - groups:
        - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: nicko
```
I'd like to know whether I'm doing something wrong, because whenever I try to access a forbidden resource, even when I'm logged in as "adrian" or "bruce", I receive a message saying:

```
Error from server (Forbidden): pods is forbidden: User "nicko" cannot list resource "pods" in API group "" in the namespace "default"
```
Role:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: alt:team-leader
  namespace: iron
rules:
  - apiGroups: ["*"]
    resources: [
      "pods",
      "pods/log",
      "deployments",
      "services",
      "replicasets",
      "daemonsets",
      "statefulsets",
      "configmaps",
      "secrets",
      "jobs",
      "cronjobs",
      "ingresses",
      "networkpolicies",
      "serviceaccounts",
      "persistentvolumes",
      "persistentvolumeclaims",
      "namespaces"
    ]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alt:team-leader
  namespace: iron
subjects:
  - kind: Group
    name: alt:team-leader
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: alt:team-leader
  apiGroup: rbac.authorization.k8s.io
```
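An added example (not from the question or any reply) that lints a `mapRoles` list like the one posted. The authenticator behind `aws-auth` indexes role mappings by role ARN, so a given role can resolve to only one username; when the same `rolearn` is listed several times, the later entry overwrites the earlier ones, which is consistent with every SSO session above showing up as the last entry, "nicko". A group granted in `aws-auth` also only takes effect if some RoleBinding or ClusterRoleBinding names that exact string as a subject. The script assumes the ConfigMap has already been parsed (for example with PyYAML or `kubectl get cm aws-auth -n kube-system -o json`) and embeds that parsed form of the posted data; the `canonical_arn` helper is a simplified approximation of the authenticator's ARN normalisation, not its code.

```python
# Added example: lint an EKS aws-auth mapRoles list against RBAC binding subjects.
# Data below is the parsed form of the ConfigMap and RoleBinding from the post.
from collections import defaultdict

# mapRoles entries exactly as posted in the question (parsed form).
MAP_ROLES = [
    {"groups": ["system:bootstrappers", "system:nodes"],
     "rolearn": "arn:aws:iam::999999999999:role/ec2-managed-node",
     "username": "system:node:{{EC2PrivateDNSName}}"},
    {"groups": ["sso:team-leader"],
     "rolearn": "arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c",
     "username": "adrian"},
    {"groups": ["sso:team-leader"],
     "rolearn": "arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c",
     "username": "bruce"},
    {"groups": ["sso:team-leader"],
     "rolearn": "arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c",
     "username": "nicko"},
]

# Subjects of the posted RoleBinding in namespace "iron".
BINDING_SUBJECTS = [
    {"kind": "Group", "name": "alt:team-leader", "binding": "iron/alt:team-leader"},
]


def canonical_arn(arn: str) -> str:
    """Assumption: a simplified version of the authenticator's normalisation.
    Comparison is case-insensitive and an IAM path is dropped, so
    'role/aws-reserved/sso.amazonaws.com/X' and 'role/X' refer to one role."""
    prefix, _, rest = arn.lower().rpartition(":")   # 'arn:aws:iam::acct', 'role/...'
    kind, _, name = rest.partition("/")
    return f"{prefix}:{kind}/{name.rsplit('/', 1)[-1]}"


def effective_role_map(map_roles):
    """The mapping that actually takes effect: one entry per role ARN,
    a later mapRoles entry overwriting any earlier one for the same ARN."""
    effective = {}
    for entry in map_roles:
        effective[canonical_arn(entry["rolearn"])] = entry
    return effective


def duplicate_role_mappings(map_roles):
    """Role ARNs listed more than once, with every username that was attempted."""
    seen = defaultdict(list)
    for entry in map_roles:
        seen[canonical_arn(entry["rolearn"])].append(entry["username"])
    return {arn: names for arn, names in seen.items() if len(names) > 1}


def unbound_groups(map_roles, binding_subjects):
    """Groups granted by aws-auth that no binding subject names.
    Built-in 'system:' groups are skipped; the cluster binds those itself."""
    bound = {s["name"] for s in binding_subjects if s["kind"] == "Group"}
    granted = {g for e in map_roles for g in e["groups"] if not g.startswith("system:")}
    return sorted(granted - bound)


def lint(map_roles=MAP_ROLES, binding_subjects=BINDING_SUBJECTS):
    """Human-readable findings for the two misconfigurations checked above."""
    findings = []
    effective = effective_role_map(map_roles)
    for arn, names in duplicate_role_mappings(map_roles).items():
        findings.append(f"{arn}: mapped {len(names)} times ({', '.join(names)}); "
                        f"only '{effective[arn]['username']}' takes effect")
    for group in unbound_groups(map_roles, binding_subjects):
        findings.append(f"group '{group}' is granted by aws-auth but no RoleBinding binds it")
    return findings


if __name__ == "__main__":
    for finding in lint():
        print(finding)
```

Run against the posted data it reports two findings: the SSO role is mapped three times and only "nicko" takes effect, and the `sso:team-leader` group is never bound (the RoleBinding names `alt:team-leader`). The usual shape for a shared SSO role is a single `mapRoles` entry whose `username` uses a session template such as `{{SessionName}}`, so each person's session keeps its own identity in audit logs and 403 messages while the group grants the permissions.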
Yes, but the problem is about the message: it refers to a different user than the one I am using.