Deployment on kubernetes 1.20 fails with customresourcedefinitions Forbidden #1979

bbellrose1 · 2021-02-10T21:49:35Z

bbellrose1
Feb 10, 2021

time="2021-02-10T21:36:28Z" level=info msg="kubernetes client apiVersion = dex.coreos.com/v1"
time="2021-02-10T21:36:28Z" level=info msg="creating custom Kubernetes resources"
time="2021-02-10T21:36:28Z" level=error msg="creating custom resource authcodes.dex.coreos.com: POST https://10.96.0.1:443/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions Forbidden: response from server "{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:dex:dex\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"group":"apiextensions.k8s.io","kind":"customresourcedefinitions"},"code":403}""

Not sure why I am seeing the errors. Cluster role exists:

piVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dex
rules:

apiGroups: ["dex.coreos.com"] # API group created by dex
resources: [""]
verbs: [""]
apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["create"] # To manage its own resources, dex must be able to create customresourcedefinitions

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dex
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dex
subjects:

kind: ServiceAccount
name: dex # Service account assigned to the dex pod, created above
namespace: dex # The namespace dex is running in

nabokihms · 2021-02-10T22:02:20Z

nabokihms
Feb 10, 2021
Maintainer

Hello!
According to provided manifests, you deployed RoleBinding to the default namespace.

I assume that either deploying it to the dex namespace or changing RoleBinding to ClusterRoleBinding should help.

3 replies

bbellrose1 Feb 10, 2021
Author

Crap, thanks for the catch

bbellrose1 Feb 10, 2021
Author

Did not seem to help:

kubectl get rolebinding -n dex
NAME ROLE AGE
dex ClusterRole/dex 116s

NAME READY STATUS RESTARTS AGE
dex-5965b65497-kphg4 0/1 CrashLoopBackOff 18 71m
dex-5965b65497-kq89x 0/1 CrashLoopBackOff 18 71m
dex-5965b65497-kw29d 0/1 CrashLoopBackOff 18 71m

time="2021-02-10T22:37:44Z" level=error msg="creating custom resource authcodes.dex.coreos.com: POST https://10.96.0.1:443/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions Forbidden: response from server "{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:dex:dex" cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope","reason":"Forbidden","details":{"group":"apiextensions.k8s.io","kind":"customresourcedefinitions"},"code":403}""
failed to initialize server: server: failed to list connector objects from storage: failed to list connectors: not found

bbellrose1 Feb 10, 2021
Author

Seems like a slightly different error though. Instead of Forbidden it is not found...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Deployment on kubernetes 1.20 fails with customresourcedefinitions Forbidden #1979

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Deployment on kubernetes 1.20 fails with customresourcedefinitions Forbidden #1979

Uh oh!

bbellrose1 Feb 10, 2021

Replies: 1 comment · 3 replies

Uh oh!

nabokihms Feb 10, 2021 Maintainer

Uh oh!

bbellrose1 Feb 10, 2021 Author

Uh oh!

bbellrose1 Feb 10, 2021 Author

Uh oh!

bbellrose1 Feb 10, 2021 Author

bbellrose1
Feb 10, 2021

Replies: 1 comment 3 replies

nabokihms
Feb 10, 2021
Maintainer

bbellrose1 Feb 10, 2021
Author

bbellrose1 Feb 10, 2021
Author

bbellrose1 Feb 10, 2021
Author