pods is forbidden: User cannot list resource \"pods\" in API group

Article ID: 267988


Products

Autosys Workload Automation

Issue/Introduction

An OpenShift job may fail when using the class name com.ca.cloud.oc.OpenShift.

Example job:

......
method_name: executeCommand
j2ee_parameter: String=<this value is cluster URL>
j2ee_parameter: String=<this value is default token>  
j2ee_parameter: String=testuser
j2ee_parameter: String=""
j2ee_parameter: String="app=rhel8"
j2ee_parameter: String="bash -c \"sleep 120\""
class_name: com.ca.cloud.oc.OpenShift

The following error may be observed:

2023-05-18 10:37:57,657 DEBUG o.a.h.c.h.wire [Thread-14] http-outgoing-4 << "{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:testuser:default\" cannot list resource \"pods\" in API group \"\" in the namespace \"testuser\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}[\n]"

 

Environment

Release : 12.1

Cause

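The user executing the command on the pod may be missing the necessary permissions/roles. In the log above, that user is the service account system:serviceaccount:testuser:default, which is not allowed to list pods in the namespace testuser.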

Resolution

To run the job successfully, the following roles must be provided:

rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - pods/attach
      - pods/exec
  - verbs:
      - impersonate
    apiGroups:
      - ''
    resources:
      - serviceaccounts
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - ''
    resources:
      - pods
      - pods/attach
      - pods/exec
  - verbs:
      - patch
      - update
    apiGroups:
      - apps
    resources:
      - deployments
      - deployments/scale
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - batch
    resources:
      - jobs
  - verbs:
      - patch
      - update
    apiGroups:
      - extensions
    resources:
      - deployments
      - deployments/scale
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - pods
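
The check below is an added example, not part of the original article or of the product: it parses the Status body from the log line above and evaluates the denied request against the rules listed in this Resolution. It shows that only the final rule (get/list/watch on pods) covers the failing call, because a grant on pods/attach or pods/exec does not extend to pods. The function names and the tuple encoding of the rules are assumptions made for the example.

```python
import json
import re

# Rules transcribed from the Resolution section: (verbs, apiGroups, resources).
RULES = [
    ({"get", "list", "watch"}, {""}, {"pods/attach", "pods/exec"}),
    ({"impersonate"}, {""}, {"serviceaccounts"}),
    ({"create", "delete", "deletecollection", "patch", "update"}, {""},
     {"pods", "pods/attach", "pods/exec"}),
    ({"patch", "update"}, {"apps"}, {"deployments", "deployments/scale"}),
    ({"create", "delete", "deletecollection", "patch", "update"}, {"batch"}, {"jobs"}),
    ({"patch", "update"}, {"extensions"}, {"deployments", "deployments/scale"}),
    ({"get", "list", "watch"}, {""}, {"pods"}),
]

# Status body from the DEBUG wire log on this page (log prefix and "[\n]" removed).
STATUS_BODY = r'''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:testuser:default\" cannot list resource \"pods\" in API group \"\" in the namespace \"testuser\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}'''

DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_forbidden(body):
    """Return the denied request from a Status object, or None if it is not a 403 RBAC denial."""
    status = json.loads(body)
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        return None
    m = DENIED.search(status.get("message", ""))
    return m.groupdict() if m else None

def allowed(rules, verb, group, resource):
    """RBAC is additive: a request is allowed if any single rule matches all three fields."""
    return any(
        (verb in verbs or "*" in verbs)
        and (group in groups or "*" in groups)
        and (resource in resources or "*" in resources)
        for verbs, groups, resources in rules
    )

def resolved_by(body, rules):
    """True when the request denied in `body` is permitted once `rules` are granted."""
    req = parse_forbidden(body)
    return req is not None and allowed(rules, req["verb"], req["group"], req["resource"])
```
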