Azure-docs: User "clusterUser" cannot get resource "pods/log" in API group "" in the namespace "default": RBAC: clusterrole.rbac.authorization.k8s.io "containerHealth-read-logs-global" not found

Created on 18 Oct 2019 · 7 Comments · Source: MicrosoftDocs/azure-docs

I have an RBAC-enabled AKS cluster. The Container Insights solution is enabled. I have created the RBAC authorization ClusterRole (containerHealth-log-reader) and ClusterRoleBinding (containerHealth-read-logs-global) as per this documentation:

PS C:\Users\014357> kubectl get clusterrole -name containerHealth-log-reader -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2019-10-18T10:50:44Z"
  name: containerHealth-log-reader
  resourceVersion: "3454"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/containerHealth-log-reader
  uid: 2e5b1a2e-fbc4-47c1-a6d8-5b903551c7de
rules:
- apiGroups:
  - ""
  resources:
  - pods/log
  - events
  verbs:
  - get
  - list

PS C:\Users> kubectl get clusterrolebinding -name containerHealth-read-logs-global -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-10-18T10:50:44Z"
  name: containerHealth-read-logs-global
  resourceVersion: "3455"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/containerHealth-read-logs-global
  uid: a490324a-12c8-4c4b-82a0-68d79b0d7cfb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: containerHealth-read-logs-global
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: clusterUser
  namespace: default

I cannot access the live logs in the Azure portal:

User "clusterUser" cannot get resource "pods/log" in API group "" in the namespace "default": RBAC: clusterrole.rbac.authorization.k8s.io "containerHealth-read-logs-global" not found

What am I missing, or what else needs to be done?

All 7 comments

@loopfish
Thanks for your feedback! We will investigate and update as appropriate.

You have to use a username of an existing AAD User. (UPN or ObjectID) so not "ClusterUser"

@erikverwer why? I'm not using an AAD-authenticated cluster. Surely it's the omsagent service that should be requesting this cluster role binding, not one of my AAD users...

Ah sorry, I assumed that you were using AAD RBAC.

@loopfish - We are getting ready to publish an updated version of the documentation that includes a revised version of the yaml config template for RBAC-enabled clusters. Can you save this and update your configuration to see if it corrects your issue?

apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRole 
metadata: 
   name: containerHealth-log-reader 
rules: 
    - apiGroups: ["", "metrics.k8s.io", "extensions", "apps"] 
      resources: 
         - "pods/log" 
         - "events" 
         - "nodes" 
         - "pods" 
         - "deployments" 
         - "replicasets" 
      verbs: ["get", "list"] 
--- 
apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRoleBinding 
metadata: 
   name: containerHealth-read-logs-global 
roleRef: 
   kind: ClusterRole 
   name: containerHealth-log-reader 
   apiGroup: rbac.authorization.k8s.io 
subjects: 
- kind: User 
  name: clusterUser 
  apiGroup: rbac.authorization.k8s.io

Thanks.

Nice one @MGoedtel - that sorted it, thank you. To be honest, I should have spotted that myself - the cluster role binding was referencing itself, rather than the role. I did have to delete the existing cluster role binding - Terraform said it updated the CRB, but in fact it didn't, so I had to delete it manually and recreate it. FYI.
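The root cause in this thread is a ClusterRoleBinding whose roleRef.name is the binding's own name rather than the ClusterRole's, so the API server cannot resolve the role and denies the request with the "clusterrole ... not found" message. The script below is an added example (not part of the issue, the Azure docs, or the Container Insights agent) that reproduces both the broken and the corrected manifests as constructed Python dicts, flags dangling roleRefs, and runs a simplified RBAC evaluation for a User subject the way the API server does (an unresolvable roleRef grants nothing). Function names, the two manifest sets and the wildcard handling are assumptions of this example; the manifest contents mirror the YAML posted above.

```python
"""Offline sanity check for Kubernetes RBAC manifests (added example).

Two things a reviewer wants to know before applying a ClusterRoleBinding:
  1. Does roleRef.name resolve to a ClusterRole that actually exists?
  2. Does the bound subject end up with the verb/resource it needs?
Both manifest sets below are constructed for this example: BROKEN mirrors
the self-referencing binding from the issue, FIXED mirrors the corrected
template from the answer.
"""

LOG_READER_RULES_FIXED = [{
    "apiGroups": ["", "metrics.k8s.io", "extensions", "apps"],
    "resources": ["pods/log", "events", "nodes", "pods", "deployments", "replicasets"],
    "verbs": ["get", "list"],
}]

BROKEN_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "containerHealth-log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log", "events"],
                "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "containerHealth-read-logs-global"},
     # Misconfiguration from the issue: roleRef points at the binding's own name.
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "containerHealth-read-logs-global"},
     "subjects": [{"kind": "User", "name": "clusterUser",
                   "apiGroup": "rbac.authorization.k8s.io"}]},
]

FIXED_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "containerHealth-log-reader"},
     "rules": LOG_READER_RULES_FIXED},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "containerHealth-read-logs-global"},
     # Corrected: roleRef names the ClusterRole, not the binding.
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "containerHealth-log-reader"},
     "subjects": [{"kind": "User", "name": "clusterUser",
                   "apiGroup": "rbac.authorization.k8s.io"}]},
]


def cluster_roles(docs):
    """Index ClusterRole manifests by name."""
    return {d["metadata"]["name"]: d for d in docs if d.get("kind") == "ClusterRole"}


def dangling_rolerefs(docs):
    """Return (binding name, roleRef name) for every ClusterRoleBinding whose
    roleRef.name matches no ClusterRole in the same manifest set."""
    roles = cluster_roles(docs)
    dangling = []
    for d in docs:
        if d.get("kind") != "ClusterRoleBinding":
            continue
        ref = d["roleRef"]
        if ref.get("kind") == "ClusterRole" and ref["name"] not in roles:
            dangling.append((d["metadata"]["name"], ref["name"]))
    return dangling


def rule_allows(rule, verb, api_group, resource):
    """One PolicyRule matches if group, resource and verb all match ('*' is a wildcard)."""
    def matches(field, value):
        allowed = rule.get(field, [])
        return "*" in allowed or value in allowed
    return (matches("apiGroups", api_group)
            and matches("resources", resource)
            and matches("verbs", verb))


def can_i(docs, user, verb, resource, api_group=""):
    """Simplified RBAC decision for a User subject over cluster-scoped bindings.
    Like the API server, a binding whose roleRef cannot be resolved grants
    nothing; RBAC is deny-by-default, so the result is False unless some
    binding resolves to a role with a matching rule."""
    roles = cluster_roles(docs)
    for d in docs:
        if d.get("kind") != "ClusterRoleBinding":
            continue
        subjects = d.get("subjects", [])
        if not any(s.get("kind") == "User" and s.get("name") == user for s in subjects):
            continue
        role = roles.get(d["roleRef"]["name"])
        if role is None:
            continue  # dangling roleRef: this is the 'clusterrole ... not found' case
        if any(rule_allows(r, verb, api_group, resource) for r in role.get("rules", [])):
            return True
    return False


if __name__ == "__main__":
    for label, docs in (("broken", BROKEN_MANIFESTS), ("fixed", FIXED_MANIFESTS)):
        print(label, "dangling roleRefs:", dangling_rolerefs(docs))
        print(label, "clusterUser can get pods/log:",
              can_i(docs, "clusterUser", "get", "pods/log"))
```

On a live cluster the same two checks are `kubectl get clusterrolebinding containerHealth-read-logs-global -o jsonpath='{.roleRef.name}'` (the value must be an existing ClusterRole, here containerHealth-log-reader) and `kubectl auth can-i get pods/log --as=clusterUser`, which returns "no" while the roleRef is dangling. As the thread notes, a tooling-driven update that does not actually change roleRef leaves the binding broken, so re-running these checks after apply is the useful step.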

Glad to hear your issue is resolved. #please-close.
