
kubernetes rbac rules not enforced #3694

Closed
nicks opened this issue May 31, 2019 · 7 comments
@nicks

nicks commented May 31, 2019

  • [x] I have tried with the latest version of my channel (Stable or Edge)

Steps to reproduce the behavior

  1. Enable Kubernetes
  2. Create a Namespace, a ServiceAccount, and a Role restricted to a namespace - as described here:
    https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
  3. Change the kubecontext to use the service account (as described in the above blog post)
  4. Try to get all pods

Expected behavior

Kubernetes should deny access

Actual behavior

Kubernetes allows access

Information

This works correctly with all other Kubernetes clusters I've tried, just not the one packaged with DockerForMac. Is there any chance you've disabled RBAC somehow?

I'm happy to write up a more complete bash script to reproduce the issue, but wanted to make sure this wasn't a known issue.

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 04:13:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false
@guillaumerose
Contributor

When we first added k8s inside Docker Desktop, we added a rule to promote all service accounts to be cluster admin. It helps people who install helm to start easily and to forget security. Maybe it's time to remove it (or at least make it optional).

Can you try to delete the ClusterRoleBinding named docker-for-desktop-binding and see if it works?

Thanks

@guillaumerose guillaumerose self-assigned this Jun 3, 2019
@nicks
Author

nicks commented Jun 4, 2019

wow, thanks! confirmed that deleting this binding fixes the issue.

@guillaumerose
Contributor

In the last stable and edge, we changed the rule to only affect the kube-system namespace. Let me know if it's still disturbing.

@pluckhuang

Hello, if I want to restore the clusterrolebindings docker-for-desktop-binding, what is the spec?

@GillesTourreau

@pluckhuang if you want to restore the docker-for-desktop-binding binding, just re-apply the following YAML configuration:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: docker-for-desktop-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
  namespace: kube-system

@rnsv

rnsv commented Apr 26, 2020

In the last stable and edge, we changed the rule to only affect the kube-system namespace. Let me know if it's still disturbing.

The problem still exists in Docker for Desktop version 2.2.0.5 (43884).
The Group name needs to be defined as

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:kube-system

and not

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
  namespace: kube-system
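An added example, not code from anyone in this thread: an offline audit over the output of `kubectl get clusterrolebindings -o json` that flags bindings granting cluster-admin to a cluster-wide group, including the case rnsv describes where a `namespace` field on a Group subject is ignored and the binding still covers every service account. The JSON sample and the binding names other than docker-for-desktop-binding are constructed.

```python
import json

# Groups that match every service account (or every caller) in the cluster.
# RBAC ignores the "namespace" field on a Group subject, so
# "system:serviceaccounts" with namespace: kube-system still matches all SAs;
# only "system:serviceaccounts:<ns>" is namespace-scoped.
CLUSTER_WIDE_GROUPS = {
    "system:serviceaccounts",
    "system:authenticated",
    "system:unauthenticated",
}


def overbroad_bindings(bindings_json, role="cluster-admin"):
    """Return names of ClusterRoleBindings that grant `role` to a cluster-wide group.

    `bindings_json` is the text produced by `kubectl get clusterrolebindings -o json`.
    """
    doc = json.loads(bindings_json)
    flagged = []
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in CLUSTER_WIDE_GROUPS:
                flagged.append(item["metadata"]["name"])
                break
    return flagged


# Constructed sample: the first binding mirrors the YAML posted in this thread
# (Group subject with an ignored namespace), the second is the narrowed form.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "docker-for-desktop-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                   "name": "system:serviceaccounts", "namespace": "kube-system"}]},
    {"metadata": {"name": "kube-system-admins"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                   "name": "system:serviceaccounts:kube-system"}]},
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"}]},
]})

if __name__ == "__main__":
    print(overbroad_bindings(SAMPLE))  # ['docker-for-desktop-binding']
```

Pipe the real output in with `kubectl get clusterrolebindings -o json | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`.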

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Jul 1, 2020