kubernetes serviceaccount not seeing new roles

We created some roles and a rolebinding to a service account, mainly for read-only access and limited to certain namespaces. It's working as expected.

Later we decided to add more rules to the role (i.e. list gateway, destinationrules, etc.). After updating the roles the service account is not getting the new rules, although the existing rules are still intact. I've also tried deleting and recreating the service account, but same issue. Did I miss something?

Here are the roles:

[root@puc1liac9001 .kube]# k -n websec get roles -o yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: websec-read-role
    namespace: websec
  rules:
  - apiGroups:
    - '*'
    resources:
    - pods
    - services
    - pods/log
    - events
    - secrets
    - nodes
    - deployments
    - replicasets
    - gateway
    - virtualservice
    - destinationrule
    verbs:
    - get
    - list
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

*** rolebinding ***
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: websec-rolebinding
  namespace: websec
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: websec-read-role
subjects:
- kind: ServiceAccount
  name: webseal-service-account
  namespace: websec

As shown below, the existing roles still work but not the new rules we added (gateway, dr, vs):

[root@p .kube]# k --kubeconfig=websec-read-user-config -n websec get pods
NAME                                               READY   STATUS    RESTARTS   AGE
wrp-external1-verify-access-wrp-6c45dd6678-jczrf   2/2     Running   0          19h
wrp-external1-verify-access-wrp-6c45dd6678-zbmsx   2/2     Running   0          19h

[root@p .kube]# k --kubeconfig=websec-read-user-config -n websec get gw
Error from server (Forbidden): gateways.networking.istio.io is forbidden: User "system:serviceaccount:websec:webseal-service-account" cannot list resource "gateways" in API group "networking.istio.io" in the namespace "websec": Azure does not have opinion for this user.

[root@p .kube]# k --kubeconfig=websec-read-user-config -n websec get dr
Error from server (Forbidden): destinationrules.networking.istio.io is forbidden: User "system:serviceaccount:websec:webseal-service-account" cannot list resource "destinationrules" in API group "networking.istio.io" in the namespace "websec": Azure does not have opinion for this user.
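Added example (not part of the original question or of any answer on the page): a small Python model of how the kube-apiserver RBAC authorizer matches a request against a Role's rules. The first rule set reproduces the Role from the question verbatim (Istio kinds written in the singular: gateway, virtualservice, destinationrule); the second uses the plural resource names that RBAC actually matches on, which are the names quoted in the Forbidden messages above ("gateways", "destinationrules" in API group "networking.istio.io"). The matching logic is a simplification of the real authorizer (verb, apiGroup, resource/subresource and resourceNames checks, with `*` wildcards); the request list is constructed to mirror the kubectl commands in the question.

```python
"""Model of kube-apiserver RBAC rule matching (added example, not from the page).

QUESTION_RULES is the Role from the question as data; FIXED_RULES is the same
rule with the plural resource names the API server uses.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rule:
    """One entry of a Role's `rules:` list."""
    api_groups: list[str]
    resources: list[str]
    verbs: list[str]
    resource_names: list[str] = field(default_factory=list)


@dataclass(frozen=True)
class Request:
    """The authorization attributes the RBAC authorizer sees for one API call."""
    verb: str
    api_group: str          # "" is the core group (pods, services, ...)
    resource: str           # plural, lower-case resource name
    subresource: str = ""   # e.g. "log" for pods/log
    name: str = ""          # set when a single named object is requested


def _resource_matches(rule: Rule, req: Request) -> bool:
    combined = req.resource + (f"/{req.subresource}" if req.subresource else "")
    for res in rule.resources:
        if res == "*" or res == combined:
            return True
        # "*/log"-style entries grant a subresource on every resource
        if req.subresource and res == f"*/{req.subresource}":
            return True
    return False


def rule_allows(rule: Rule, req: Request) -> bool:
    """True when a single rule grants the request (all four checks must pass)."""
    verb_ok = "*" in rule.verbs or req.verb in rule.verbs
    group_ok = "*" in rule.api_groups or req.api_group in rule.api_groups
    name_ok = not rule.resource_names or req.name in rule.resource_names
    return verb_ok and group_ok and _resource_matches(rule, req) and name_ok


def role_allows(rules: list[Rule], req: Request) -> bool:
    """A Role grants a request if any one of its rules does."""
    return any(rule_allows(r, req) for r in rules)


def denied(rules: list[Rule], requests: list[Request]) -> list[str]:
    """Return 'verb resource.group' for every request the rules do not grant."""
    out = []
    for req in requests:
        if not role_allows(rules, req):
            out.append(f"{req.verb} {req.resource}.{req.api_group or 'core'}")
    return out


COMMON = ["pods", "services", "pods/log", "events", "secrets", "nodes",
          "deployments", "replicasets"]

# Rule list exactly as in the question: Istio kinds written in the singular.
QUESTION_RULES = [
    Rule(["*"], COMMON + ["gateway", "virtualservice", "destinationrule"], ["get", "list"]),
]

# Same rule with the plural resource names the API server matches on
# (the names quoted in the Forbidden messages: "gateways", "destinationrules").
FIXED_RULES = [
    Rule(["*"], COMMON + ["gateways", "virtualservices", "destinationrules"], ["get", "list"]),
]

# Constructed requests corresponding to the kubectl commands in the question.
REQUESTS = [
    Request("list", "", "pods"),
    Request("list", "networking.istio.io", "gateways"),
    Request("list", "networking.istio.io", "destinationrules"),
    Request("list", "networking.istio.io", "virtualservices"),
]

if __name__ == "__main__":
    print("question role denies:", denied(QUESTION_RULES, REQUESTS))
    print("fixed role denies:   ", denied(FIXED_RULES, REQUESTS))
```

Against a live cluster the same check is `kubectl auth can-i list gateways.networking.istio.io -n websec --as=system:serviceaccount:websec:webseal-service-account`, run with an admin kubeconfig; RBAC evaluates the bound rules on every request and keeps no per-ServiceAccount state, so deleting and recreating the account cannot change the outcome. Two caveats a reviewer would raise on this Role: `nodes` is cluster-scoped and a namespaced Role cannot grant access to it (that needs a ClusterRole and ClusterRoleBinding), and `apiGroups: ['*']` plus `secrets` is broader than "read-only, limited to certain namespaces" suggests.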


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
