I am really liking Kubernetes RBAC. It is “fairly” simple to use and so powerful.

For example, a user said I can’t port forward to a port and pasted me the error:

error: error upgrading connection: pods "selenium-node-firefox-debug-mtw7r" is forbidden: User "john" cannot create pods/portforward in the namespace "app1"

This basically told me all that I need. It states the user cannot perform the action create on the resource pods/portforward.

I do think the “action” (create) and the “resource” (pods/portforward) should be highlighted somehow in the error message to make it even clearer.

So I added this to his role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
  namespace: spinnaker
  name: kube-saas:list-and-logs
- apiGroups: [""]
  resources: ["pods", "pods/log", pods/portforward]
  verbs: ["get", "list", "create"]

This solved the problem. I love it when the error tells me exactly what it is and it is so easy to express this in the role.

Contact me if you have any questions about this or want to chat, happy to start a dialog or help out: blogs@managedkube.com {::nomarkdown}

Learn more about integrating Kubernetes apps