I get this error when I try to create a resource from a node.js application through an HTTP request.
{
  kind: 'Status',
  apiVersion: 'v1',
  metadata: {},
  status: 'Failure',
  message: 'prometheusrules.monitoring.coreos.com is forbidden: User ' +
    '"system:serviceaccount:default:default" cannot create resource ' +
    '"prometheusrules" in API group "monitoring.coreos.com" in the ' +
    'namespace "default"',
  reason: 'Forbidden',
  details: { group: 'monitoring.coreos.com', kind: 'prometheusrules' },
  code: 403
}
How do I add permissions for system:serviceaccount:default:default?
I tried the following ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sla-manager-service-role
  labels:
    app: sla-manager-app
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["services", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
but it does not work. The Service for my node.js application looks like this
apiVersion: v1
kind: Service
metadata:
  name: sla-manager-service
  labels:
    app: sla-manager-app
    monitoring: "true"
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/path: /metrics
    prometheus.io/port: "6400"
spec:
  selector:
    app: issue-manager-app
  ports:
    - protocol: TCP
      name: http
      port: 80
      targetPort: 6400
Answer 0 (score: 2)
You need a Role to define the permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sla-manager-service-role
  namespace: default
  labels:
    app: sla-manager-app
rules:
  - apiGroups: ["monitoring.coreos.com"] # the API group of the PrometheusRule CRD (not the core group "")
    resources: ["prometheusrules"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Then assign the above Role to the service account with a RoleBinding. This grants the permissions to that service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-binding
  namespace: default # a RoleBinding must live in the same namespace as the Role it references
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sla-manager-service-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
Verify the service account's permissions with the following command
kubectl auth can-i create prometheusrules --as=system:serviceaccount:default:default -n default
Answer 1 (score: 1)
Your node.js application is using the default service account, which does not have any create permissions. That is what causes this problem. To fix it, you have to create another service account with the necessary permissions and then add this service account to your container spec.
For example, let's create a cluster-admin service account that has all permissions. You can create your own according to your needs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-app
  namespace: kube-system # the ServiceAccount must be in the same namespace as the pod that references it
---
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: node-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: node-app
    namespace: kube-system
Now add this service account to the container spec in your deploy.yaml. For example:
spec:
  containers:
    - image: nginx
      name: nginx
      volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: vault-token
  serviceAccountName: node-app
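The following is an added example, not code from the question or from either answer: a small Python model of how the Kubernetes RBAC authorizer evaluates a request, used to check the manifests from the question, answer 0 and answer 1 offline. It encodes the documented rules (a request is allowed if any binding naming the user references a role with a rule matching the verb, API group and resource; "*" matches anything; a Role and a RoleBinding only apply inside their own namespace), and shows why the asker's ClusterRole cannot help (wrong API group and resource, and no binding to the service account), why answer 0 works only in the default namespace, and why answer 1's cluster-admin binding works everywhere. The class and function names are the example's own.

```python
# Added example: a minimal model of Kubernetes RBAC evaluation (not the
# project's or the answers' code). Semantics follow the RBAC documentation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None  # None models a ClusterRole


@dataclass
class Binding:
    role: Role
    subjects: List[str]              # e.g. "system:serviceaccount:default:default"
    namespace: Optional[str] = None  # None models a ClusterRoleBinding


@dataclass
class Request:
    user: str
    verb: str
    api_group: str  # "" is the core API group
    resource: str
    namespace: str


def _matches(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    return (_matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)
            and _matches(rule.verbs, req.verb))


def binding_applies(binding: Binding, req: Request) -> bool:
    if req.user not in binding.subjects:
        return False
    # A namespaced RoleBinding grants nothing outside its own namespace,
    # even when it references a ClusterRole.
    if binding.namespace is not None and binding.namespace != req.namespace:
        return False
    # A Role can only be referenced by a RoleBinding in the same namespace.
    if binding.role.namespace is not None and binding.role.namespace != binding.namespace:
        return False
    return True


def can_i(bindings: List[Binding], req: Request) -> bool:
    """Offline equivalent of: kubectl auth can-i <verb> <resource> --as=<user> -n <ns>"""
    return any(binding_applies(b, req) and any(rule_allows(r, req) for r in b.role.rules)
               for b in bindings)


ALL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]
DEFAULT_SA = "system:serviceaccount:default:default"
NODE_APP_SA = "system:serviceaccount:kube-system:node-app"

# The asker's ClusterRole: core-group services/pods only. Even if it were bound
# cluster-wide to the default SA (the question never bound it at all), it names
# the wrong API group and resource for prometheusrules.
asker_bindings = [Binding(Role("sla-manager-service-role",
                               [Rule([""], ["services", "pods"], ALL_VERBS)]),
                          [DEFAULT_SA])]

# Answer 0: a Role in "default" for prometheusrules, bound in "default".
answer0_bindings = [Binding(Role("sla-manager-service-role",
                                 [Rule(["monitoring.coreos.com"], ["prometheusrules"], ALL_VERBS)],
                                 namespace="default"),
                            [DEFAULT_SA], namespace="default")]

# Answer 1: cluster-admin (a ClusterRole allowing everything) bound by a
# ClusterRoleBinding to the new node-app SA.
answer1_bindings = [Binding(Role("cluster-admin", [Rule(["*"], ["*"], ["*"])]),
                            [NODE_APP_SA])]


def create_prometheusrule(user: str, namespace: str) -> Request:
    return Request(user, "create", "monitoring.coreos.com", "prometheusrules", namespace)


def asker_allowed() -> bool:
    return can_i(asker_bindings, create_prometheusrule(DEFAULT_SA, "default"))


def answer0_allowed(namespace: str = "default") -> bool:
    return can_i(answer0_bindings, create_prometheusrule(DEFAULT_SA, namespace))


def answer1_allowed(namespace: str = "default") -> bool:
    return can_i(answer1_bindings, create_prometheusrule(NODE_APP_SA, namespace))


if __name__ == "__main__":
    print("asker's ClusterRole:", asker_allowed())                   # False
    print("answer 0 in default:", answer0_allowed())                 # True
    print("answer 0 in monitoring:", answer0_allowed("monitoring"))  # False
    print("answer 1 anywhere:", answer1_allowed("monitoring"))       # True
```

The model covers authorization only. Two things it does not check still matter on a real cluster: the ServiceAccount named in a pod's serviceAccountName must exist in the pod's own namespace, and cluster-admin gives the application far more than it needs; a Role scoped to prometheusrules in the namespaces the application actually writes to, as in answer 0, is the least-privilege choice.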