
Document RBAC requirements #181

Closed
athornton opened this issue Oct 1, 2019 · 7 comments
Labels
bug

Comments

@athornton
Contributor

@athornton athornton commented Oct 1, 2019

I think this happened in vanilla 0.9.2 (although I saw it today while trying to test PR #162 )

What are the items I need for my RBAC role now? (This worked through 0.9.1)

ApiException: (403)
Reason: Forbidden
HTTP response headers: <CIMultiDictProxy('Audit-Id': 'cc9a1ae7-1483-4d97-89b8-d3f7cab86171', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Tue, 01 Oct 2019 18:43:50 GMT', 'Content-Length': '373')>
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"dask-athornton-3691b3ef-c4mq9q\" is forbidden: User \"system:serviceaccount:nublado-athornton:dask\" cannot get resource \"pods\" in API group \"\" in the namespace \"nublado-athornton\"","reason":"Forbidden","details":{"name":"dask-athornton-3691b3ef-c4mq9q","kind":"pods"},"code":403}

I don't understand what I need that I don't have, since it looks like it should be "list pods", because here's my RBAC Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: 2019-03-20T18:37:53Z
  name: dask
  namespace: nublado
  resourceVersion: "955"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/nublado/roles/dask
  uid: 4586ccf1-4b3f-11e9-9204-42010a800055
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - create
  - delete
@Techn0logic


@Techn0logic Techn0logic commented Oct 3, 2019

I'm running into issues as well, and looking through how to define these properly just now

Binding it to service-reader works for me

kubectl create clusterrolebinding service-reader-pod \
  --clusterrole=service-reader  \
  --serviceaccount=default:default

but binding to a custom service-account doesn't

Trying to figure out why

@jacobtomlinson jacobtomlinson added the bug label Oct 3, 2019
@jacobtomlinson

Member

@jacobtomlinson jacobtomlinson commented Oct 14, 2019

Are you still facing these issues?

A quick look again at your issue shows the error states you do not have permissions in nublado-athornton and your RBAC config is giving you permission to nublado, which explains why you are getting the error.

Could you try granting permissions to nublado-athornton and trying again?

@athornton

Contributor Author

@athornton athornton commented Oct 14, 2019

Turns out pods need "get" and "watch" as well, and "pods/log" need all five too.

With those changes it's working. I'll close this.

@athornton athornton closed this Oct 14, 2019
@jacobtomlinson jacobtomlinson changed the title RBAC changes? Document RBAC requirements Oct 15, 2019
@jacobtomlinson

Member

@jacobtomlinson jacobtomlinson commented Oct 15, 2019

Ah thanks for checking that. We really should cover this in the documentation. I'm going to re-open this until we have correctly documented things.

To create workers you need the following permissions

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: daskKubernetes
rules:
- apiGroups: 
  - ""  # indicates the core API group
  resources: 
  - "pods"
  verbs: 
  - "get"
  - "list"
  - "watch"
  - "create"
  - "delete"
- apiGroups: 
  - ""  # indicates the core API group
  resources: 
  - "pods/log"
  verbs: 
  - "get"
  - "list"

For the new remote scheduler functionality you also need

- apiGroups: 
  - "" # indicates the core API group
  resources: 
  - "services"
  verbs: 
  - "get"
  - "list"
  - "watch"
  - "create"
  - "delete"

We should add this to the documentation. @athornton do you have any interest in contributing this?
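As an added illustration (not code from this thread or from the dask-kubernetes project), a small Python check that compares a Role against the verbs listed above and parses the Forbidden message from the opening comment, so both causes of that 403 (the Role living in the wrong namespace, and the missing "get") show up explicitly. The Role dict and the message are transcribed from this thread; the function names, the regex and the wildcard handling are my own assumptions about a reasonable checker.

```python
import re
# Verbs the thread settles on: workers need pods and pods/log; the remote scheduler also needs services.
REQUIRED_WORKER = {("", "pods"): {"get", "list", "watch", "create", "delete"},
                   ("", "pods/log"): {"get", "list"}}
REQUIRED_SCHEDULER = {("", "services"): {"get", "list", "watch", "create", "delete"}}
# The opening comment's Role, transcribed as a dict (only the fields that matter here).
ORIGINAL_ROLE = {"metadata": {"name": "dask", "namespace": "nublado"},
                 "rules": [{"apiGroups": [""], "resources": ["pods"],
                            "verbs": ["list", "create", "delete"]}]}
# The 403 body's "message" field, copied from the opening comment.
SAMPLE_403 = ('pods "dask-athornton-3691b3ef-c4mq9q" is forbidden: User "system:serviceaccount:nublado-athornton:dask"'
              ' cannot get resource "pods" in API group "" in the namespace "nublado-athornton"')
FORBIDDEN_RE = re.compile(  # shape of the apiserver's RBAC denial text (assumed stable enough to parse)
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"')

def parse_forbidden(message):
    """Pull user, verb, resource, API group and namespace out of an RBAC Forbidden message."""
    match = FORBIDDEN_RE.search(message)
    return match.groupdict() if match else None

def granted_verbs(role, group, resource):
    """Union of verbs the Role's rules grant on (group, resource); '*' matches anything."""
    verbs = set()
    for rule in role.get("rules", []):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        if (group in groups or "*" in groups) and (resource in resources or "*" in resources):
            verbs |= set(rule.get("verbs", []))
    return verbs

def missing_permissions(role, required):
    """Map (group, resource) -> verbs the Role still lacks; an empty dict means fully covered."""
    missing = {}
    for key, needed in required.items():
        have = granted_verbs(role, *key)
        if "*" not in have and needed - have:
            missing[key] = needed - have
    return missing

def explain_403(role, message):
    """Explain a Forbidden response: namespace mismatch and/or a verb the Role does not grant."""
    info = parse_forbidden(message)
    if info is None:
        return ["message is not an RBAC Forbidden status"]
    reasons = []
    if info["namespace"] != role["metadata"]["namespace"]:
        reasons.append(f"role lives in namespace {role['metadata']['namespace']!r}, request was in {info['namespace']!r}")
    if info["verb"] not in granted_verbs(role, info["group"], info["resource"]):
        reasons.append(f"role grants no {info['verb']!r} on {info['resource']!r}")
    return reasons
```

Running `explain_403(ORIGINAL_ROLE, SAMPLE_403)` reports both the namespace mismatch and the missing "get", and `missing_permissions(ORIGINAL_ROLE, REQUIRED_WORKER)` lists "get" and "watch" on pods plus both verbs on pods/log.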

@athornton

Contributor Author

@athornton athornton commented Oct 15, 2019

Sure. I may not get to it today, but I can certainly do it this week.

@athornton

Contributor Author

@athornton athornton commented Oct 15, 2019

Something like #190 ?

@jacobtomlinson

Member

@jacobtomlinson jacobtomlinson commented Oct 16, 2019

Perfect thanks!
