
kubernetes rbac rules not enforced #3694

Closed
nicks opened this issue May 31, 2019 · 3 comments

@nicks commented May 31, 2019

  • [x] I have tried with the latest version of my channel (Stable or Edge)

Steps to reproduce the behavior

  1. Enable Kubernetes
  2. Create a Namespace, a ServiceAccount, and a Role restricted to a namespace - as described here:
    https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
  3. Change the kubecontext to use the service account (as described in the above blog post)
  4. Try to get all pods

Expected behavior

Kubernetes should deny access

Actual behavior

Kubernetes allows access

Information

This works correctly with all other Kubernetes clusters I've tried, just not the one packaged with DockerForMac. Is there any chance you've disabled RBAC somehow?

I'm happy to write up a more complete bash script to reproduce the issue, but wanted to make sure this wasn't a known issue.

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 04:13:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false

@guillaumerose (Member) commented Jun 3, 2019

When we first added k8s inside Docker Desktop, we added a rule to promote all service accounts to be cluster admin. It helps people who install helm to start easily and to forget about security. Maybe it's time to remove it (or at least make it optional).

Can you try to delete the ClusterRoleBinding named docker-for-desktop-binding and see if it works?

Thanks

@guillaumerose guillaumerose self-assigned this Jun 3, 2019

@nicks (Author) commented Jun 4, 2019

Wow, thanks! Confirmed that deleting this binding fixes the issue.

@guillaumerose (Member) commented Aug 6, 2019

In the last stable and edge, we changed the rule to only affect the kube-system namespace. Let me know if it's still disturbing.
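The two maintainer comments above describe the root cause (a ClusterRoleBinding that hands cluster-admin to every service account) and the later mitigation (narrowing it to the kube-system namespace). The following audit script is an added example, not code from the issue or from Docker Desktop: it scans the JSON that `kubectl get clusterrolebindings -o json` emits and flags any binding that grants a high-privilege ClusterRole to a cluster-wide group (`system:serviceaccounts`, `system:authenticated`, `system:unauthenticated`) or to an entire namespace's service accounts (`system:serviceaccounts:<ns>`). The sample bindings are constructed; in particular, the exact subject list of the real `docker-for-desktop-binding` is not shown on the page, so the `system:serviceaccounts` group subject is an assumption consistent with the maintainer's description.

```python
"""Audit ClusterRoleBindings for blanket grants of cluster-admin.

Input is the JSON that `kubectl get clusterrolebindings -o json` produces
(a List object with an `items` array).  Run with `-` to read that JSON from
stdin; with no argument the constructed sample below is audited instead.
"""
import json
import sys

# Groups that mean "every service account", "every authenticated principal"
# or "everyone", i.e. binding a privileged role to them is a cluster-wide grant.
BROAD_GROUPS = {
    "system:serviceaccounts",
    "system:authenticated",
    "system:unauthenticated",
}

# ClusterRoles whose grant to a broad group amounts to full cluster control.
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}


def classify_subject(subject):
    """Return 'broad', 'namespace-wide' or 'specific' for one binding subject."""
    kind = subject.get("kind")
    name = subject.get("name", "")
    if kind == "Group":
        if name in BROAD_GROUPS:
            return "broad"
        if name.startswith("system:serviceaccounts:"):
            return "namespace-wide"  # all service accounts of one namespace
    return "specific"  # a named User, Group or ServiceAccount


def audit_bindings(binding_list):
    """Return (binding, subject, scope, role) tuples for every subject that
    receives a high-privilege ClusterRole through a broad or namespace-wide group."""
    findings = []
    for crb in binding_list.get("items", []):
        role_ref = crb.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole":
            continue
        if role_ref.get("name") not in HIGH_PRIVILEGE_ROLES:
            continue
        for subject in crb.get("subjects") or []:  # subjects may be absent
            scope = classify_subject(subject)
            if scope != "specific":
                findings.append((crb["metadata"]["name"], subject["name"],
                                 scope, role_ref["name"]))
    return findings


# Constructed sample (not captured from a real cluster).  The first binding
# mimics the one discussed in the issue, the second the narrowed kube-system
# variant, the third a binding to one named ServiceAccount, the fourth a
# read-only grant that is broad but not high-privilege.
SAMPLE_CLUSTERROLEBINDINGS = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "docker-for-desktop-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:serviceaccounts"}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "kube-system-sa-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:serviceaccounts:kube-system"}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "ci-deployer"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "everyone-can-view"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"}]}
  ]
}
""")


if __name__ == "__main__":
    read_stdin = len(sys.argv) > 1 and sys.argv[1] == "-"
    data = json.load(sys.stdin) if read_stdin else SAMPLE_CLUSTERROLEBINDINGS
    for binding, subject, scope, role in audit_bindings(data):
        print(f"{binding}: grants {role} to {subject} ({scope})")
```

Against the sample this reports the blanket binding as `broad` and the kube-system variant as `namespace-wide`; the `ci-deployer` binding is silent because it names one ServiceAccount, and `everyone-can-view` is skipped because `view` is not in `HIGH_PRIVILEGE_ROLES`. Pipe a live cluster's bindings in with `kubectl get clusterrolebindings -o json | python audit.py -`, and widen `HIGH_PRIVILEGE_ROLES` (for example with `admin` or `edit`) if those are sensitive in your environment.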
