Unresolved ServiceAccount reference in Binding

RoleBinding grants Roles permissions to ServiceAccounts or Users. This validator detects when a ServiceAccount used in RoleBinding is not found.

Affected Resources: RoleBinding, ClusterRoleBinding

Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
subjects:
- kind: ServiceAccount
  name: backend                            # Service Account not found
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

apiVersion: v1
kind: ServiceAccount
metadata:
  name: saas-backend                        # Different name

Resolution

Check if the ServiceAccount is present in the same namespace.

Check if the ServiceAccount is present in a different namespace. Kubevious Search can be a very handy tool to find ServiceAccounts across namespaces. You cannot mount a ServiceAccount from a different namespaces. In that case you would need to create a ServiceAccount in namespace where the RoleBinding resides.

Did you make a typo in the RoleBinding? Kubevious Search uses fuzzy logic to return results and can help with finding the correct ServiceAccount.

Learn More

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects

Need other validation rules?

Please let us know if there are other built-in validation rules you would like to see in Kubevious to detect misconfigurations and violations to best practices. Optionally, you can provide your details so we can reach out to you with follow-up questions.

Share this article on: