This RBAC error occurs when a user lacks permission to access a resource. Fix it by creating a Role or ClusterRole with required permissions and binding it to the user with RoleBinding or ClusterRoleBinding.
The "User cannot get resource" error (typically shown as "Error from server (Forbidden): {resource} is forbidden: User cannot {verb} resource") indicates that Kubernetes RBAC (Role-Based Access Control) is blocking the request. The authenticated user doesn't have permission to perform the requested action on the specified resource. Kubernetes RBAC uses four main objects: Roles (namespace-scoped permissions), ClusterRoles (cluster-wide permissions), RoleBindings (grant Role to users in a namespace), and ClusterRoleBindings (grant ClusterRole cluster-wide). A user must have an appropriate binding to a role that includes the required verb and resource. This error commonly occurs when users are added to a cluster without proper role assignments, when accessing resources in namespaces where they lack bindings, or when the role doesn't include all necessary verbs (get, list, watch, create, update, delete).
Verify who you are and what permissions you have:

    # Check current user
    kubectl auth whoami
    # Test specific permission
    kubectl auth can-i get pods
    kubectl auth can-i get pods -n production
    # Test as another user
    kubectl auth can-i get pods --as=john.developer
    # List all permissions for a user
    kubectl auth can-i --list --as=john.developer

The response to a single can-i check is "yes" or "no".
Find what roles and bindings exist:

    # List roles in namespace
    kubectl get roles -n default
    # Describe a role
    kubectl describe role pod-reader -n default
    # List role bindings
    kubectl get rolebindings -n default
    # Find bindings for a specific user
    kubectl get rolebindings,clusterrolebindings --all-namespaces -o json | \
      jq '.items[] | select(.subjects[]?.name=="john.developer")'

Create a namespace-scoped Role:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: pod-reader
      namespace: default
    rules:
    - apiGroups: [""]        # Core API (pods, services, secrets)
      resources: ["pods"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]    # Apps API (deployments, statefulsets)
      resources: ["deployments"]
      verbs: ["get", "list"]

Common apiGroups:
- "" (empty): pods, services, configmaps, secrets
- "apps": deployments, statefulsets, daemonsets
- "batch": jobs, cronjobs
- "networking.k8s.io": networkpolicies
Bind the role to the user:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: pod-reader-binding
      namespace: default
    subjects:
    - kind: User
      name: john.developer
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io

Apply the Role manifest first, then the binding, and verify:

    kubectl apply -f rolebinding.yaml
    kubectl auth can-i get pods --as=john.developer -n default

Note that the roleRef of a binding is immutable: to point an existing binding at a different role, delete and recreate it.

For access across all namespaces:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: pod-reader-global
    rules:
    - apiGroups: [""]
      resources: ["pods", "namespaces"]
      verbs: ["get", "list", "watch"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: pod-reader-global-binding
    subjects:
    - kind: User
      name: john.developer
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: pod-reader-global
      apiGroup: rbac.authorization.k8s.io

Confirm permissions are working:
    # Test permission
    kubectl auth can-i get pods --as=john.developer -n default
    # Try the actual command
    kubectl get pods -n default
    # Test multiple verbs
    kubectl auth can-i list pods --as=john.developer
    kubectl auth can-i create pods --as=john.developer
    kubectl auth can-i delete pods --as=john.developer

All required verbs should return "yes".
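The checks above only report "yes" or "no"; the following added example (not code from the original article or from Kubernetes) models the RBAC authorizer's matching logic in Python so you can see why a request is Forbidden. It loads the article's pod-reader Role, its RoleBinding and the pod-reader-global ClusterRoleBinding as constructed data, evaluates requests the way the API server does (verb, resource and apiGroup must all match a rule; a RoleBinding applies only inside its namespace; a ClusterRoleBinding applies everywhere), and lists the verbs a binding is missing. The data classes and function names are assumptions of this example, not kubectl or client library APIs.

```python
# Added example, not from the original article: a miniature model of the
# Kubernetes RBAC authorizer. User/role names come from the article; the
# classes and functions below are illustrative, not kubectl or client APIs.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core API group (pods, secrets, ...)
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None   # None means this is a ClusterRole


@dataclass
class Binding:
    role: Role
    subjects: List[str]               # user names only, for brevity
    namespace: Optional[str] = None   # None means ClusterRoleBinding


def _matches(allowed: List[str], value: str) -> bool:
    # RBAC matches an exact list entry or the "*" wildcard.
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, verb: str, resource: str, api_group: str) -> bool:
    # All three lists must match; a wrong apiGroup (e.g. "" for deployments)
    # is a common reason a seemingly correct Role still yields Forbidden.
    return (_matches(rule.verbs, verb)
            and _matches(rule.resources, resource)
            and _matches(rule.api_groups, api_group))


def can_i(user: str, verb: str, resource: str, namespace: str,
          bindings: List[Binding], api_group: str = "") -> bool:
    """True if any binding grants `user` the verb on the resource."""
    for binding in bindings:
        if user not in binding.subjects:
            continue
        # A RoleBinding only applies inside its own namespace (even when it
        # references a ClusterRole); a ClusterRoleBinding applies everywhere.
        if binding.namespace is not None and binding.namespace != namespace:
            continue
        if any(rule_allows(r, verb, resource, api_group) for r in binding.role.rules):
            return True
    return False


def forbidden_message(user: str, verb: str, resource: str, namespace: str,
                      api_group: str = "") -> str:
    # Same shape as the message kubectl prints for a denied request.
    return (f'Error from server (Forbidden): {resource} is forbidden: '
            f'User "{user}" cannot {verb} resource "{resource}" in API group '
            f'"{api_group}" in the namespace "{namespace}"')


def missing_verbs(user: str, resource: str, namespace: str, required: List[str],
                  bindings: List[Binding], api_group: str = "") -> List[str]:
    """Verbs in `required` the user is NOT granted; mirrors running
    `kubectl auth can-i <verb> <resource> --as=<user>` once per verb."""
    return [v for v in required
            if not can_i(user, v, resource, namespace, bindings, api_group)]


# Constructed sample data mirroring the article's manifests.
POD_READER = Role("pod-reader", namespace="default", rules=[
    Rule([""], ["pods"], ["get", "list", "watch"]),
    Rule(["apps"], ["deployments"], ["get", "list"]),
])
POD_READER_BINDING = Binding(POD_READER, ["john.developer"], namespace="default")

POD_READER_GLOBAL = Role("pod-reader-global", rules=[
    Rule([""], ["pods", "namespaces"], ["get", "list", "watch"]),
])
POD_READER_GLOBAL_BINDING = Binding(POD_READER_GLOBAL, ["john.developer"])

NAMESPACED_ONLY = [POD_READER_BINDING]
WITH_CLUSTER_BINDING = [POD_READER_BINDING, POD_READER_GLOBAL_BINDING]


if __name__ == "__main__":
    user = "john.developer"
    for ns in ("default", "production"):
        ok = can_i(user, "get", "pods", ns, NAMESPACED_ONLY)
        print(f"{ns}: {'yes' if ok else forbidden_message(user, 'get', 'pods', ns)}")
    print("missing with RoleBinding only:", missing_verbs(
        user, "pods", "default", ["get", "list", "watch", "create", "delete"], NAMESPACED_ONLY))
    print("production after ClusterRoleBinding:",
          can_i(user, "get", "pods", "production", WITH_CLUSTER_BINDING))
```

Running it shows "get pods" succeeding in default but producing the Forbidden message in production until the ClusterRoleBinding is added, and that create and delete stay missing because pod-reader only grants get, list and watch. The same evaluation also demonstrates the apiGroup pitfall: get on deployments is allowed only when the request is attributed to the "apps" group.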
Role Aggregation (Kubernetes 1.9+):

Compose permissions from multiple roles using labels. The aggregating ClusterRole declares a selector, and the controller fills in its rules from every ClusterRole carrying a matching label:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: viewer   # illustrative name
    aggregationRule:
      clusterRoleSelectors:
      - matchLabels:
          rbac.authorization.k8s.io/aggregate-to-viewer: "true"

Impersonation for testing:

    kubectl auth can-i get pods --as=jane.developer
    kubectl get pods --as=system:serviceaccount:default:webapp

Impersonation itself requires the impersonate verb on users, groups and serviceaccounts, so a non-admin cannot use --as to test.

Privilege Escalation Prevention: You can only create roles/bindings with permissions you already possess, unless you hold the escalate verb on roles/clusterroles or the bind verb on the role being referenced.
Common Role Templates:
- Pod reader: verbs: ["get", "list"] on resources: ["pods"]
- Deployment manager: verbs: ["get", "list", "create", "update", "patch"] on resources: ["deployments"] (apiGroups: ["apps"])
- Read-only all: verbs: ["get", "list", "watch"] on resources: ["*"]; note that "*" includes secrets, so prefer an explicit resource list where reading secret data is not intended.