Move of a kube question than jupyter to be honest…
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: dev
name: jhub-restarter
rules:
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- 'patch'
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jhub-restarter
namespace: dev
subjects:
- kind: ServiceAccount
name: sa-jhub-restarter
namespace: jp-test
roleRef:
kind: Role
name: jhub-restarter
apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-jhub-restarter
namespace: dev
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: devhubrestarter
namespace: dev
spec:
schedule: "0 3 * * *"
jobTemplate:
spec:
template:
spec:
serviceAccountName: sa-jhub-restarter
containers:
- name: restarter
image: bitnami/kubectl:latest
command:
- /bin/sh
- -c
- kubectl rollout restart deployment -n dev hub
restartPolicy: OnFailure
Everything seems to create correctly from what I can tell, and the cronjob runs/creates the pod.
But the pod logs give an error:
└> kubectl logs -n dev <podname>
Error from server (Forbidden): deployments.apps "hub" is forbidden: User "system:serviceaccount:dev:sa-jhub-restarter" cannot get resource "deployments" in API group "apps" in the namespace "dev"
But I do have the rules.resources.deployments
in the first Role
block. Any thoughts on what I’m missing?