Jonas

Reputation: 7885

Forbidden: "system:serviceaccount:default:default" cannot create resource. How to add permissions?

When I try to create a resource from a Node.js application via an HTTP request, I get this error.

{
  kind: 'Status',
  apiVersion: 'v1',
  metadata: {},
  status: 'Failure',
  message: 'prometheusrules.monitoring.coreos.com is forbidden: User ' +
    '"system:serviceaccount:default:default" cannot create resource ' +
    '"prometheusrules" in API group "monitoring.coreos.com" in the ' +
    'namespace "default"',
  reason: 'Forbidden',
  details: { group: 'monitoring.coreos.com', kind: 'prometheusrules' },
  code: 403
}

How do I add permissions to system:serviceaccount:default:default?

I have tried the following ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sla-manager-service-role
  labels:
    app: sla-manager-app
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

But it is not working. The Service for my Node.js application looks like this:

apiVersion: v1
kind: Service
metadata:
  name: sla-manager-service
  labels:
    app: sla-manager-app
    monitoring: "true"
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/path: /metrics
    prometheus.io/port: "6400"
spec:
  selector:
    app: issue-manager-app
  ports:
    - protocol: TCP
      name: http
      port: 80
      targetPort: 6400

Upvotes: 4

Views: 17216

Answers (2)

Arghya Sadhu

Reputation: 44569

You need a Role to define the permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sla-manager-service-role
  namespace: default
  labels:
    app: sla-manager-app
rules:
- apiGroups: ["monitoring.coreos.com"] # API group of the PrometheusRule CRD ("" would mean the core group)
  resources: ["prometheusrules"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Then assign the above Role to the service account using a RoleBinding. This will give the permissions to the service account.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-binding
  namespace: default # must be the namespace the Role lives in
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sla-manager-service-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Verify the service account's permissions with the following command:

kubectl auth can-i create prometheusrules --as=system:serviceaccount:default:default -n default

Upvotes: 8

Taybur Rahman

Reputation: 1457

Your Node.js application is using the default service account, which does not have any create permission. That is causing this issue. To solve it, you have to create another service account with the necessary permissions and add this service account to your container spec.

For example, let's create a cluster-admin service account, which has all permissions. You can create your own based on your requirements.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-app
  namespace: default # a pod can only use a ServiceAccount from its own namespace
---
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: node-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: node-app
    namespace: default

Now add this service account to the container spec in your deployment.yaml. For example:

spec:
  serviceAccountName: node-app # pod-level field: all containers in the pod use this account
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  volumes: # the mount above needs a matching volume; this is a projected service account token
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault

Upvotes: 1
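The RBAC decision both answers rely on, and which `kubectl auth can-i` asks the API server to make, as an added example that is not part of either answer: a small offline Python model of the matching the API server does (Role versus ClusterRole, the binding's namespace, subjects, apiGroups/resources/verbs, the `*` wildcard). The manifests inside it are constructed from the ones posted in this thread; the `cluster-admin` rules are reproduced from the built-in role, and the first answer's RoleBinding is assumed to land in `default`. It is not the real authorizer and ignores role aggregation, `resourceNames`, `nonResourceURLs` and subresources.

```python
"""Offline model of the Kubernetes RBAC decision behind `kubectl auth can-i`.

Added example for this thread, not code from the question or either answer
and not the real authorizer. It models only the subset of RBAC matching the
posted manifests exercise. All manifests below are constructed from the ones
in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str        # e.g. "system:serviceaccount:default:default"
    verb: str
    group: str       # "" is the core API group
    resource: str
    namespace: str   # "" for cluster-scoped requests


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    return (_matches(rule.get("apiGroups", []), req.group)
            and _matches(rule.get("resources", []), req.resource)
            and _matches(rule.get("verbs", []), req.verb))


def subject_name(subject):
    """Username the API server sees for a binding subject."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]


def can_i(objects, req):
    """True if any binding for req.user reaches a rule allowing the request."""
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(subject_name(s) == req.user for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            ns = b["metadata"].get("namespace", "")
            if ns != req.namespace:
                continue  # a RoleBinding grants only inside its own namespace
            key = (ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"])
        else:
            key = ("ClusterRole", "", ref["name"])  # may only reference a ClusterRole
        role = roles.get(key)
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(r, req) for r in role.get("rules", [])):
            return True
    return False


DEFAULT_SA = "system:serviceaccount:default:default"
ALL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]
CREATE_RULE = Request(DEFAULT_SA, "create", "monitoring.coreos.com", "prometheusrules", "default")

# The question: a ClusterRole for core-group services/pods, and no binding at all.
QUESTIONERS_ATTEMPT = [
    {"kind": "ClusterRole", "metadata": {"name": "sla-manager-service-role"},
     "rules": [{"apiGroups": [""], "resources": ["services", "pods"], "verbs": ALL_VERBS}]},
]
# Same ClusterRole, hypothetically bound to the default SA: still the wrong group/resources.
QUESTIONERS_ATTEMPT_BOUND = QUESTIONERS_ATTEMPT + [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sla-manager-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "sla-manager-service-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
]
# First answer: namespaced Role for prometheusrules plus a RoleBinding to the default SA
# (the posted RoleBinding has no metadata.namespace; assumed applied to "default").
ANSWER_ONE = [
    {"kind": "Role", "metadata": {"name": "sla-manager-service-role", "namespace": "default"},
     "rules": [{"apiGroups": ["monitoring.coreos.com"], "resources": ["prometheusrules"],
                "verbs": ALL_VERBS}]},
    {"kind": "RoleBinding", "metadata": {"name": "role-binding", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "sla-manager-service-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
]
# Second answer: a new SA bound to the built-in cluster-admin ClusterRole (rules reproduced).
NODE_APP_SA = "system:serviceaccount:kube-system:node-app"
ANSWER_TWO = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "node-app"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "node-app", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    other_ns = Request(DEFAULT_SA, "create", "monitoring.coreos.com", "prometheusrules", "monitoring")
    print("question, unbound ClusterRole:", can_i(QUESTIONERS_ATTEMPT, CREATE_RULE))
    print("question, ClusterRole bound:  ", can_i(QUESTIONERS_ATTEMPT_BOUND, CREATE_RULE))
    print("answer 1 in default:          ", can_i(ANSWER_ONE, CREATE_RULE))
    print("answer 1 in another namespace:", can_i(ANSWER_ONE, other_ns))
    print("answer 2, default SA:         ", can_i(ANSWER_TWO, CREATE_RULE))
    print("answer 2, node-app SA, any ns:", can_i(ANSWER_TWO, Request(NODE_APP_SA, "delete", "", "secrets", "kube-system")))
```

Running it shows why the ClusterRole in the question could never work (it is never bound, and even when bound it only covers core-group services and pods), that the first answer's Role/RoleBinding grants `create prometheusrules` in `default` only, and that the second answer's `cluster-admin` binding gives the new account every verb on every resource in every namespace while leaving the `default` service account exactly as forbidden as before.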
