
v1. Namespace is forbidden: User cannot list resource "namespaces" in API group. #97

Open
marcgarciajr opened this issue Oct 21, 2020 · 10 comments

Comments

@marcgarciajr

Any idea why would this happen? Seems like the Go app can't list the namespaces. What can I do in this case?

It is configured for AWS ECR the same registry works fine on minikube, but in dev cluster, it doesn't.

Here is the error:

```
time="2020-10-21T05:10:45Z" level=info msg="Starting up..."
time="2020-10-21T05:10:45Z" level=info msg="Using AWS Account: 81xxxxxxxx"
time="2020-10-21T05:10:45Z" level=info msg="Using AWS Region: ca-central-1"
time="2020-10-21T05:10:45Z" level=info msg="Using AWS Assume Role: arn:aws:iam::81xxxxxxx:role/xxxxxxxxxx"
time="2020-10-21T05:10:45Z" level=info msg="Refresh Interval (minutes): 60"
time="2020-10-21T05:10:45Z" level=info msg="Retry Timer: simple"
time="2020-10-21T05:10:45Z" level=info msg="Token Generation Retries: 3"
time="2020-10-21T05:10:45Z" level=info msg="Token Generation Retry Delay (se

ERROR: logging before flag.Parse: E1021 05:11:37.436054 1 reflector.go:199] github.com/upmc-enterprises/registry-creds/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "namespaces" in API group "" at the cluster scope
```

It is on an infinite loop outputting the error above.

@marcgarciajr marcgarciajr changed the title Not working on one specific cluster. v1. Namespace is forbidden: User cannot list resource "namespaces" in API group. Oct 21, 2020
@briprowe

briprowe commented Nov 10, 2020

I am also intermittently encountering this when running in minikube.

minikube version: v1.14.2
commit: 2c82918e2347188e21c4e44c8056fc80408bce10

@KennyReeldata

Running into this with K3s in an on-premise setup as well..

@Keralin

Keralin commented Dec 10, 2020

You have to allow the serviceaccount that you are using to list some resources from Kubernetes, otherwise it will fail like yours is failing. It is failing because it doesn't have enough permissions to be able to do some actions (in this case, list all the namespaces). You can define new permissions or create another serviceAccount to avoid editing the default one that comes with Kubernetes.

@lackhoa

lackhoa commented Dec 21, 2020

What are the permissions that this app needs? Do you assume that it should run as admin?

@Keralin

Keralin commented Dec 21, 2020

> What are the permissions that this app needs? Do you assume that it should run as admin?

No, that's wrong, you shouldn't run as admin. In my case I added the permissions:
- namespaces: list, get, watch
- secrets: get, list, watch, create, update, patch and delete
- serviceaccounts: all the permissions.

Remember that the app lists all namespaces, and updates or creates secrets in each namespace with the credentials that allow that namespace to download the images from the private repository.
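An added example (not a manifest from the registry-creds project) of the permission set above expressed as a dedicated service account plus a ClusterRole and ClusterRoleBinding; the names `registry-creds` and the verb list for serviceaccounts are assumptions, while `kube-system` matches the error message in the issue.

```yaml
# Added example, not from the project. The binding is cluster-scoped because
# the app lists namespaces at the cluster scope and writes secrets into every
# namespace; a namespaced Role would not satisfy the "cannot list resource
# namespaces ... at the cluster scope" error above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-creds        # assumed name; replaces the default SA
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: registry-creds
rules:
  # apiGroups "" is the core API group, where namespaces, secrets and
  # serviceaccounts live; leaving it out makes the rule match nothing.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    # The comment above grants every verb; this narrower set (an assumption)
    # is what reading and mutating the default service account requires.
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: registry-creds
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-creds
subjects:
  - kind: ServiceAccount
    name: registry-creds
    namespace: kube-system
```

The Deployment must then set `serviceAccountName: registry-creds` in its pod spec, and `kubectl auth can-i list namespaces --as=system:serviceaccount:kube-system:registry-creds` should answer `yes` before the pod is restarted.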

@lackhoa

lackhoa commented Dec 21, 2020

@Keralin What do you mean "in your case"? Are there different use cases?
I read that only the default serviceAccount is mutated, so do we really need all the permissions for all serviceAccounts?

@Keralin

Keralin commented Jul 20, 2021

@lackhoa Sorry for the delay, I just added to this PR with the files you will need. #103

@ac5tin

ac5tin commented Apr 7, 2022

I only configured the secrets.yml and deployment.yml for AWS ECR and got the following error in the pod:

```
Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "namespaces" in API group "" at the cluster scope
```

@kaiffeetasse

@ac5tin I think you are missing the api_groups = "" permission
