Forbidden: "system:serviceaccount:default:default" cannot create resource. How do I add permissions?

Jon*_*nas 4 kubernetes

I get this error when I try to create a resource from a Node.js application via an HTTP request.

{
  kind: 'Status',
  apiVersion: 'v1',
  metadata: {},
  status: 'Failure',
  message: 'prometheusrules.monitoring.coreos.com is forbidden: User ' +
    '"system:serviceaccount:default:default" cannot create resource ' +
    '"prometheusrules" in API group "monitoring.coreos.com" in the ' +
    'namespace "default"',
  reason: 'Forbidden',
  details: { group: 'monitoring.coreos.com', kind: 'prometheusrules' },
  code: 403
}

How do I add permissions to system:serviceaccount:default:default?

I have tried the following ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sla-manager-service-role
  labels:
    app: sla-manager-app
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

but it doesn't work. The Service for my Node.js application looks like this

apiVersion: v1
kind: Service
metadata:
  name: sla-manager-service
  labels:
    app: sla-manager-app
    monitoring: "true"
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/path: /metrics
    prometheus.io/port: "6400"
spec:
  selector:
    app: issue-manager-app
  ports:
    - protocol: TCP
      name: http
      port: 80
      targetPort: 6400

Arg*_*dhu 8

You need a Role to define the permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sla-manager-service-role
  namespace: default
  labels:
    app: sla-manager-app
rules:
- apiGroups: ["monitoring.coreos.com"] # the API group named in the 403 message, not the core group ("")
  resources: ["prometheusrules"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Then assign the above Role to the service account using a RoleBinding. This will give the permissions to the service account.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-binding
  namespace: default # a RoleBinding is namespaced; keep it in the Role's namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sla-manager-service-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Verify the service account's permission using the command below

kubectl auth can-i create prometheusrules --as=system:serviceaccount:default:default -n default
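As an added example (my own code, not part of the question or the answer above), the following Node.js snippet turns the 403 Status body the app received into the smallest RBAC grant that satisfies that one call. It parses the authorizer's message, then emits a Role plus RoleBinding for a namespaced denial (or a ClusterRole plus ClusterRoleBinding when the message ends in "at the cluster scope"), granting only the verb that was denied instead of the full list of seven. The SAMPLE_403 object is the Status body quoted in the question; the function names, the role name and the binding name are my own choices.

```javascript
// Added example, not code from the original question or answer: derive a
// least-privilege RBAC grant from the Kubernetes 403 Status body returned
// to the Node.js app. All function and variable names here are assumptions.

// Constructed sample: the Status object quoted in the question, verbatim.
const SAMPLE_403 = {
  kind: 'Status',
  apiVersion: 'v1',
  metadata: {},
  status: 'Failure',
  message: 'prometheusrules.monitoring.coreos.com is forbidden: User ' +
    '"system:serviceaccount:default:default" cannot create resource ' +
    '"prometheusrules" in API group "monitoring.coreos.com" in the ' +
    'namespace "default"',
  reason: 'Forbidden',
  details: { group: 'monitoring.coreos.com', kind: 'prometheusrules' },
  code: 403,
};

// Shape of the message the API server's RBAC authorizer produces. The
// trailing clause names either a namespace or "the cluster scope".
const FORBIDDEN_RE =
  /User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)"(?: in the namespace "([^"]+)"| at the cluster scope)/;

// Extract user, verb, resource, API group and scope from a 403 Status.
// Returns null for anything that is not an RBAC denial.
function parseForbidden(status) {
  if (!status || status.kind !== 'Status' || status.code !== 403) return null;
  const m = FORBIDDEN_RE.exec(status.message || '');
  if (!m) return null;
  const [, user, verb, resource, apiGroup, namespace] = m;
  const sa = /^system:serviceaccount:([^:]+):([^:]+)$/.exec(user);
  return {
    user,
    verb,
    resource,
    apiGroup,                     // '' means the core API group
    namespace: namespace || null, // null means a cluster-scoped resource
    serviceAccount: sa ? { namespace: sa[1], name: sa[2] } : null,
  };
}

// Build manifests for exactly the denied (verb, resource, group) triple.
// Namespaced denials get Role + RoleBinding in that namespace; cluster-scoped
// ones get ClusterRole + ClusterRoleBinding. Only the denied verb is granted.
function buildRbac(info, roleName) {
  if (!info || !info.serviceAccount) throw new Error('not a ServiceAccount denial');
  const clusterScoped = info.namespace === null;
  const roleKind = clusterScoped ? 'ClusterRole' : 'Role';
  const bindingKind = clusterScoped ? 'ClusterRoleBinding' : 'RoleBinding';
  const scope = clusterScoped ? {} : { namespace: info.namespace };

  const role = {
    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: roleKind,
    metadata: { name: roleName, ...scope },
    rules: [{ apiGroups: [info.apiGroup], resources: [info.resource], verbs: [info.verb] }],
  };
  const roleBinding = {
    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: bindingKind,
    metadata: { name: `${roleName}-binding`, ...scope },
    roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: roleKind, name: roleName },
    subjects: [{
      kind: 'ServiceAccount',
      name: info.serviceAccount.name,
      namespace: info.serviceAccount.namespace,
    }],
  };
  return { role, roleBinding };
}

// Render both manifests as a JSON array, which `kubectl apply -f` accepts.
function renderManifests(status, roleName) {
  const info = parseForbidden(status);
  if (!info) throw new Error('status is not an RBAC 403');
  const { role, roleBinding } = buildRbac(info, roleName);
  return JSON.stringify([role, roleBinding], null, 2);
}

// Usage: run with node, redirect stdout to a file, then kubectl apply -f it.
console.log(renderManifests(SAMPLE_403, 'sla-manager-service-role'));
```

After applying the output, the `kubectl auth can-i create prometheusrules --as=system:serviceaccount:default:default -n default` check from the answer should print `yes`, and `kubectl auth can-i delete prometheusrules ...` should still print `no`, which is the point of granting only the observed verb.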