禁止:“系统:服务帐户:默认:默认”无法创建资源。如何添加权限?

时间:2020-10-27 09:34:58

标签: kubernetes

当我尝试通过http请求从node.js应用程序创建资源时,出现此错误。

{
  kind: 'Status',
  apiVersion: 'v1',
  metadata: {},
  status: 'Failure',
  message: 'prometheusrules.monitoring.coreos.com is forbidden: User ' +
    '"system:serviceaccount:default:default" cannot create resource ' +
    '"prometheusrules" in API group "monitoring.coreos.com" in the ' +
    'namespace "default"',
  reason: 'Forbidden',
  details: { group: 'monitoring.coreos.com', kind: 'prometheusrules' },
  code: 403
}

如何为system:serviceaccount:default:default添加权限?

我尝试了以下ClusterRole 

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sla-manager-service-role
  labels:
    app: sla-manager-app
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

但是它不起作用。我的node.js应用程序的服务看起来像这样

apiVersion: v1
kind: Service
metadata:
  name: sla-manager-service
  labels:
    app: sla-manager-app
    monitoring: "true"
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/path: /metrics
    prometheus.io/port: "6400"
spec:
  selector:
    app: issue-manager-app
  ports:
    - protocol: TCP
      name: http
      port: 80
      targetPort: 6400

2 个答案:

答案 0 :(得分:2)

您需要Role来定义权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sla-manager-service-role
  namespace: default
  labels:
    app: sla-manager-app
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
  resources: ["prometheusrules"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

然后使用Role将以上RoleBinding分配给服务帐户。这将授予该服务帐户的权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sla-manager-service-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

使用以下命令验证服务帐户的权限

kubectl auth can-i create prometheusrules --as=system:serviceaccount:default:default -n default

答案 1 :(得分:1)

您的应用程序node.js使用的是默认服务帐户,该帐户没有任何创建权限。这就是造成此问题的原因。要解决此问题,您必须创建具有必要权限的另一个服务帐户,然后将此服务帐户添加到您的容器规范中。

例如,让我们创建拥有所有权限的群集管理服务帐户。您可以根据自己的需求创建自己的帐户。

apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-app
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: node-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: node-app
    namespace: kube-system

现在,将此服务帐户添加到您的deploy.yaml中的容器规范中。 例如:

spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  serviceAccountName: node-app
相关问题
最新问题