deployments.apps is forbidden: User "system:serviceaccount:default:default" cannot create deployments.apps in the namespace

Question

URL: /apis/apps/v1/namespaces/diyclientapps/deployments

) "{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"deployments.apps is forbidden: User \"system:serviceaccount:default:default\" cannot create deployments.apps in the namespace \"diyclientapps\"","reason":"Forbidden","details":{"group":"apps","kind":"deployments"},"code":403}

I'm getting the above error when trying to create a deployment via the Kubernetes REST API.

Why? I don't understand the error message...

This occurs on a custom Kubernetes cluster... The above worked correctly on a local Minikube instance.

I can successfully create a deployment via: kubectl run hello-minikube --image=k8s.gcr.io/echoserver:1.4 --port=8080

Hi, Its RBAC error, you need to role bind your service account with cluster role or appropriate role. — Suresh Vishnoi, Mar 08 '18 at 13:10
Here is already [answerd](https://stackoverflow.com/questions/47973570/kubernetes-log-user-systemserviceaccountdefaultdefault-cannot-get-services) — Suresh Vishnoi, Mar 08 '18 at 13:18
Possible duplicate of [Kubernetes log, User "system:serviceaccount:default:default" cannot get services in the namespace](https://stackoverflow.com/questions/47973570/kubernetes-log-user-systemserviceaccountdefaultdefault-cannot-get-services) — Suresh Vishnoi, Mar 08 '18 at 13:28

Chris Stryczynski · Answer 1 · 2023-02-02T17:25:35.063

33

This is due to the RBAC functionality.

If you do not care about that at all (for example you're the only Kubernetes administrator):

WARNING: This allows any Kubernetes user to have admin access.

kubectl create clusterrolebinding serviceaccounts-cluster-admin \
  --clusterrole=cluster-admin \
  --group=system:serviceaccounts

https://kubernetes.io/docs/admin/authorization/rbac/

edited Feb 02 '23 at 17:25

answered Mar 08 '18 at 13:24

Chris Stryczynski

30,145
48
175
286

7

Wow most upvoted! And this is the one the docs warn about because it grants escalated privilege across all namespaces :| – keni Feb 03 '22 at 03:46
Wow why does that work?? – Pavel Zagalsky Sep 07 '22 at 06:22

score 9 · Answer 2 · answered Feb 03 '22 at 03:52

You could:

Create a Cluster role with the resource you need, in this case in the app resource group.
Bind it to your service account.

Example:

kubectl create clusterrole deployer --verb=get,list,watch,create,delete,patch,update --resource=deployments.apps

kubectl create clusterrolebinding deployer-srvacct-default-binding --clusterrole=deployer --serviceaccount=default:default

score 1 · Answer 3 · answered Mar 08 '18 at 22:14

It likely worked on minikube because it set up a permissive (insecure) policy for you.

See https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions for information about granting permissions to service accounts.

Default RBAC policies grant scoped permissions to control-plane components, nodes, and controllers, but grant no permissions to service accounts outside the “kube-system” namespace (beyond discovery permissions given to all authenticated users).

deployments.apps is forbidden: User "system:serviceaccount:default:default" cannot create deployments.apps in the namespace

3 Answers3

Linked