How to resolve 'Can't read configMap with name: in namespace. Ignoring configmaps is forbidden' when using Spring Cloud Config Client with Kubernetes (k8s)
Problem
When using Spring Cloud with Kubernetes, you might encounter the following error:
2020-11-28 10:14:43.597 WARN 1 --- [ main] o.s.c.k.config.ConfigMapPropertySource : Can't read configMap with name: [app6] in namespace:[ns-bswen]. Ignoring.
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.43.0.1/api/v1/namespaces/ns-bswen/configmaps/app6. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. configmaps "app6" is forbidden: User "system:serviceaccount:ns-bswen:default" cannot get resource "configmaps" in API group "" in the namespace "ns-bswen".
The core error is:
configmaps is forbidden: User "system:serviceaccount:ns-bswen:default" cannot watch resource "configmaps" in API group "" in the namespace "ns-bswen".
Environment
- SpringBoot 2.3
- Spring Cloud Config Server 2.2.3.RELEASE
- SpringCloudVersion Hoxton.SR6
- Kubernetes 1.19
Reason
We are using Kubernetes ConfigMap as the configuration property source. According to the Spring Cloud Kubernetes documentation:
You should check the security configuration section. To access config maps from inside a pod, you need to have the correct Kubernetes service accounts, roles, and role bindings.
If you don’t specify the service account name in your Kubernetes deployment, the ‘default’ service account is used. However, the ‘default’ service account cannot ‘watch’ the ConfigMap API without proper authorizations.
Solution
To resolve this issue, we need to create an RBAC role and role binding for a specified service account.
# create the service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-reader
  namespace: ns-bswen
---
# create the role to grant access to configmaps
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ns-bswen
  name: role-api-reader
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods", "configmaps"]
    verbs: ["get", "watch", "list"]
---
# bind the role and the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-api-reader
  namespace: ns-bswen
subjects:
  - kind: ServiceAccount
    name: api-reader # Name is case sensitive
    namespace: ns-bswen
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: role-api-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
Then, specify the service account in your Kubernetes deployment YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-app6
  namespace: ns-bswen
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app6
  template:
    metadata:
      labels:
        app: app6
    spec:
      serviceAccountName: api-reader # here is the key point
      imagePullSecrets:
        - name: secret-harbor
      containers:
        - image: app6:latest
          name: app6
          ports:
            - containerPort: 8082
              name: app6-port
After applying these changes, the application should run without issues.
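Before deploying, it is worth confirming that the binding grants exactly the verbs Spring Cloud Kubernetes needs (get, watch, list on configmaps in the pod's namespace) and nothing more, since the Role above also covers pods. The following is an added example, not code from this post: it emulates the API server's RBAC decision offline over dict copies of the Role and RoleBinding shown above (the `can_i` helper and the in-memory objects are assumptions; ClusterRoleBindings are not modelled).

```python
# Offline RBAC check: does a ServiceAccount hold a verb on a resource in a namespace?
# Assumption: the Role and RoleBinding from this post, entered as dicts (constructed).
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "ns-bswen", "name": "role-api-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
               "verbs": ["get", "watch", "list"]}],
}
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "ns-bswen", "name": "rolebinding-api-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "api-reader",
                  "namespace": "ns-bswen"}],
    "roleRef": {"kind": "Role", "name": "role-api-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}
OBJECTS = [ROLE, BINDING]


def _rule_allows(rule, verb, resource, api_group):
    """A rule allows the request when each of its lists matches ('*' is a wildcard)."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can_i(objects, sa_ns, sa_name, verb, resource, namespace, api_group=""):
    """Emulate 'kubectl auth can-i' for a ServiceAccount over in-memory RBAC objects.

    True only if a RoleBinding in `namespace` lists the service account as a subject
    and its referenced Role (same namespace) or ClusterRole has a matching rule.
    ClusterRoleBindings (cluster-wide grants) are deliberately not modelled here.
    """
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] != "RoleBinding" or b["metadata"]["namespace"] != namespace:
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        key = (ref["kind"], namespace if ref["kind"] == "Role" else None, ref["name"])
        role = roles.get(key)
        if role and any(_rule_allows(r, verb, resource, api_group) for r in role["rules"]):
            return True
    return False
```

Against a live cluster the equivalent check is `kubectl auth can-i watch configmaps -n ns-bswen --as=system:serviceaccount:ns-bswen:api-reader`, which should print yes for api-reader and no for the default service account.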
Summary
In this post, we explored how to resolve the “Can’t read configMap” error when using Spring Cloud Config Client with Kubernetes. The key takeaway is to ensure that your service account has the necessary permissions to access and watch ConfigMaps. By creating an RBAC role and role binding, and specifying the service account in your deployment, you can avoid this common issue.
Final Words + More Resources
My intention with this article was to help others who might be considering solving such a problem. So I hope that's been the case here. If you still have any questions, don't hesitate to ask me by email.
Here are also the most important links from this article along with some further resources that will help you in this scope:
Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!