ssh ckad00028
You’re seeing RBAC errors like:
User "system:serviceaccount:gorilla:default" cannot list resource "pods" … in namespace "gorilla"
That means the Pod is running as the default ServiceAccount and needs permission to list pods (and possibly also get/watch).
You must fix it by updating the Deployment (via its manifest file) and giving it the proper RBAC.
1) Confirm the error in logs
kubectl -n gorilla get deploy honeybee-deployment
kubectl -n gorilla logs deploy/honeybee-deployment --tail=200
If it’s CrashLooping and you need previous logs:
POD=$(kubectl -n gorilla get pods -l app=honeybee -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || kubectl -n gorilla get pods -o jsonpath='{.items[0].metadata.name}')
kubectl -n gorilla logs "$POD" --previous --tail=200
You should see the “cannot list resource pods” line.
2) Create a dedicated ServiceAccount for the app
(Using a dedicated SA is standard practice; the task wants you to “resolve the errors”.)
kubectl -n gorilla create serviceaccount honeybee-sa
kubectl -n gorilla get sa honeybee-sa
3) Create RBAC: Role + RoleBinding (namespaced)
This will allow listing pods in namespace gorilla.
cat <<'EOF' > honeybee-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: honeybee-pod-reader
  namespace: gorilla
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: honeybee-pod-reader-binding
  namespace: gorilla
subjects:
- kind: ServiceAccount
  name: honeybee-sa
  namespace: gorilla
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: honeybee-pod-reader
EOF
Apply it:
kubectl apply -f honeybee-rbac.yaml
Quick verification (optional but very useful):
kubectl auth can-i list pods -n gorilla --as=system:serviceaccount:gorilla:honeybee-sa
Should return yes.
4) Update the Deployment manifest to use the new ServiceAccount
The manifest is at:
/home/candidate/prompt-escargot/honey bee-deployment.yaml
Because there’s a space in the filename, quote it.
4.1 Edit the file
cd /home/candidate/prompt-escargot
ls -l
vi "honey bee-deployment.yaml"
In the Deployment YAML, add (or set) this under spec.template.spec:
  serviceAccountName: honeybee-sa
Example location:
spec:
  template:
    spec:
      serviceAccountName: honeybee-sa
      containers:
      - name: ...
Save and exit.
4.2 Apply the updated manifest
kubectl apply -f "/home/candidate/prompt-escargot/honey bee-deployment.yaml"
5) Ensure rollout succeeds and errors are gone
kubectl -n gorilla rollout status deploy honeybee-deployment
kubectl -n gorilla logs deploy/honeybee-deployment --tail=200
Also confirm the pods now run with the right ServiceAccount:
kubectl -n gorilla get pods -o jsonpath='{range .items[*]}{.metadata.name}{" sa="}{.spec.serviceAccountName}{"\n"}{end}'
You should no longer see the RBAC “cannot list pods” errors.
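An added example, not part of the original walkthrough: a small shell helper that reduces the log output from step 1 to the distinct RBAC denials, so the verbs granted in the step 3 Role can be compared with what the app was actually refused. The function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: function names and the sample log lines are constructed for
# illustration; they are not part of the original walkthrough.

# rbac_denials: read log text on stdin and print one row per distinct denial
# as "namespace serviceaccount verb resource".
rbac_denials() {
  sed -n 's/.*User "system:serviceaccount:\([^:"]*\):\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)".*/\1 \2 \3 \4/p' |
    sort -u
}

# needed_verbs RESOURCE: read rbac_denials rows on stdin and print the denied
# verbs for RESOURCE as a comma-separated list (empty if none were denied).
needed_verbs() {
  awk -v r="$1" '$4 == r && !seen[$3]++ { out = (out == "" ? $3 : out "," $3) }
                 END { print out }'
}

# sample_log: constructed log lines using the API server "forbidden" wording.
sample_log() {
  cat <<'EOF'
2024-01-01T10:00:00Z error: pods is forbidden: User "system:serviceaccount:gorilla:default" cannot list resource "pods" in API group "" in the namespace "gorilla"
2024-01-01T10:00:05Z error: pods is forbidden: User "system:serviceaccount:gorilla:default" cannot list resource "pods" in API group "" in the namespace "gorilla"
2024-01-01T10:00:06Z info: retrying in 5s
2024-01-01T10:00:11Z error: pods is forbidden: User "system:serviceaccount:gorilla:default" cannot watch resource "pods" in API group "" in the namespace "gorilla"
EOF
}

# Real use: kubectl -n gorilla logs deploy/honeybee-deployment --tail=200 | rbac_denials
sample_log | rbac_denials
sample_log | rbac_denials | needed_verbs pods
```

A verb that never appears in the denials may simply not have been attempted yet, so treat the list as a lower bound when trimming the Role.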