@0xperp
Created March 22, 2023 02:02
Adding Roles for Kubernetes Waypoint Runner

Using the HashiCorp Waypoint runner for Kubernetes is pretty straightforward, but it sometimes runs into permissions errors.

Specifically jobs.batch is forbidden: User "system:serviceaccount:waypoint:waypoint-runner" cannot create resource "jobs" in API

You need to:

  • create a role with access to the jobs.batch API
  • bind it to the service account

You can do this as follows.

Create a Role

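# A quoted heredoc keeps the YAML's own double quotes intact
# (echo """...""" lets the shell strip them).
# ClusterRole is cluster-scoped, so its metadata takes no namespace.
# These rules allow every verb on every resource in the core, extensions,
# apps and batch groups across the whole cluster, not only jobs.batch.
cat > batch-role.yaml <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: batch-role
rules:
  - apiGroups: ["", "extensions", "apps", "batch"]
    resources: ["*"]
    verbs: ["*"]
EOF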
  
# apply it 
kubectl apply -f batch-role.yaml

# check it 
kubectl get clusterrole | grep "batch-role"

Bind the Role

# apply
kubectl create clusterrolebinding batch-role \
  --clusterrole=batch-role \
  --serviceaccount=waypoint:waypoint-runner
  
# check 
kubectl get clusterrolebinding | grep "batch-role"
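
The ClusterRole above grants every verb on every resource in four API groups, cluster-wide. As an added example (not part of the original gist and not Waypoint's own manifests), the script below renders a namespaced Role and RoleBinding limited to batch Jobs and checks the result with `kubectl auth can-i`. The role name `waypoint-runner-jobs`, the default namespace `waypoint` and every verb other than `create` are assumptions.

```shell
#!/bin/sh
# Added example: namespaced, least-privilege alternative to a wildcard ClusterRole.
# Only the "create jobs" need comes from the error on this page; the target
# namespace, the role name and the extra verbs are assumptions to adjust.

# Print a Role + RoleBinding for the runner service account.
#   $1 = namespace where the runner creates Jobs (assumed default: waypoint)
#   $2 = service account namespace, $3 = service account name
render_runner_rbac() {
  ns="${1:-waypoint}"; sa_ns="${2:-waypoint}"; sa="${3:-waypoint-runner}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${ns}
  name: waypoint-runner-jobs
rules:
  - apiGroups: ["batch"]
    resources: ["jobs"]
    # "create" is what the error reports; the other verbs are assumed
    verbs: ["create", "get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${ns}
  name: waypoint-runner-jobs
subjects:
  - kind: ServiceAccount
    namespace: ${sa_ns}
    name: ${sa}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: waypoint-runner-jobs
EOF
}

# Apply the manifest, then ask the API server what the service account may do.
apply_and_check() {
  ns="${1:-waypoint}"; who="system:serviceaccount:${2:-waypoint}:${3:-waypoint-runner}"
  render_runner_rbac "$@" | kubectl apply -f - || return 1
  kubectl auth can-i create jobs.batch -n "$ns" --as="$who"  # should print yes
  # should print no, unless some other binding grants it
  kubectl auth can-i create deployments.apps -n "$ns" --as="$who" || true
}
```

Source the file and run `apply_and_check <job-namespace>`; if the runner then reports another forbidden verb or resource, add just that one to the Role.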