RBAC Authentication for embedded etcd #10303

Closed
philippfriese opened this issue Jun 6, 2024 · 1 comment
Comments

@philippfriese
Environmental Info:
K3s Version: v1.29.3+k3s1 (8aecc26)

Node(s) CPU architecture, OS, and Version:
Linux i10se12 5.14.21-150500.55.59-default #1 SMP PREEMPT_DYNAMIC Thu Apr 18 12:59:33 UTC 2024 (e8ae24a) aarch64 aarch64 aarch64 GNU/Linux

Cluster Configuration:
one server, one agent

Describe the bug:
Etcd3 supports role-based access control. Upon enabling authentication, k3s throws "permission denied" errors against etcd and ultimately dies.

Steps To Reproduce:
k3s is installed via the k3s binary. No datastore configurations are used, i.e. the embedded etcd is used.
Enable etcd authentication via:

$ etcdctl $PARAMS auth enable

Expected behavior:
Enabling RBAC authentication and still being able to use k3s, or being able to configure it to work.

Actual behavior:
K3s throws "permission denied" errors against etcd and ultimately dies. A snapshot from before enabling RBAC has to be loaded in order to revive the system.

Additional context / logs:
Debug journal logs:

Jun 06 16:04:46 i10se12 k3s-arm64[91813]: {"level":"info","ts":"2024-06-06T16:04:46.864101+0200","caller":"auth/store.go:257","msg":"enabled authentication"}
Jun 06 16:04:47 i10se12 k3s-arm64[91813]: {"level":"error","ts":"2024-06-06T16:04:47.323434+0200","caller":"auth/store.go:866","msg":"cannot find a user for permission check","user-name":"etcd-client","stacktrace":[...]}
Jun 06 16:04:47 i10se12 k3s-arm64[91813]: {"level":"error","ts":"2024-06-06T16:04:47.548493+0200","caller":"auth/store.go:866","msg":"cannot find a user for permission check","user-name":"etcd-client","stacktrace":[...]}
Jun 06 16:04:47 i10se12 k3s-arm64[91813]: E0606 16:04:47.548908   91813 status.go:71] apiserver received an error that is not an metav1.Status: rpctypes.EtcdError{code:0x7, desc:"etcdserver: permission denied"}: etcdserver: permission denied
[...]

The goal of enabling RBAC is to create a new etcd role and user that governs a custom prefix for application-specific tasks. The application using fields behind that prefix should not have access to the whole etcd keyrange, but just to its own keyrange, hence the dedicated role.
Is there a way to achieve such a setup with k3s + embedded etcd?

@brandond
Member

brandond commented Jun 6, 2024

No. Also, it is not supported to use the managed etcd datastore for things other than the k3s apiserver. If you want an etcd store to use for your application, stand up a separate etcd cluster for that specific use.

@brandond brandond closed this as completed Jun 6, 2024
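
The prefix-scoped role the reporter describes is achievable on a dedicated etcd cluster, which is the path the maintainer points to. The script below is an added example, not code from the issue, from k3s or from etcd; the endpoint, role name, user name, passwords and key prefix are assumptions, and the sample log is constructed after the journal lines in the report. `setup` creates a root user (required before `auth enable`), a role confined to one key prefix and a user that holds only that role, then enables authentication; `verify` exercises the boundary and treats a successful write outside the prefix as a failure, since etcd must refuse it with `etcdserver: permission denied`. `check-log` is the offline check for the failure mode the issue shows: it reads etcd's JSON log from stdin and lists every client identity (here the k3s client-certificate CN `etcd-client`) that etcd could not map to an etcd user.

```shell
#!/bin/sh
# Added example (not from k3s, etcd or the issue): least-privilege etcd RBAC for
# an application prefix on a DEDICATED etcd cluster, plus an offline log check
# for the "cannot find a user for permission check" failure. All names below
# are assumptions.
set -eu

ETCD_ENDPOINTS="${ETCD_ENDPOINTS:-https://127.0.0.1:2379}"  # assumed endpoint
ETCD_ROOT_PW="${ETCD_ROOT_PW:-change-me}"                    # assumed root password
APP_ROLE="app-rw"                                            # assumed role name
APP_USER="app"                                               # assumed user name
APP_PW="${APP_PW:-change-me-too}"                            # assumed app password
APP_PREFIX="/app/"                                           # assumed key prefix

# etcdctl wrapper: pin the v3 API and the endpoints; other args pass through.
ectl() {
    ETCDCTL_API=3 etcdctl --endpoints="$ETCD_ENDPOINTS" "$@"
}

# Root user first (auth enable refuses to run without one), then a role that
# may only read/write keys under APP_PREFIX, a user carrying only that role,
# and finally authentication itself. Re-running after enable needs
# --user root:$ETCD_ROOT_PW on every call.
setup_scoped_user() {
    ectl user add "root:$ETCD_ROOT_PW"
    ectl user grant-role root root
    ectl role add "$APP_ROLE"
    # --prefix=true grants the whole key range below APP_PREFIX, not one key.
    ectl role grant-permission --prefix=true "$APP_ROLE" readwrite "$APP_PREFIX"
    # For a client that authenticates with a TLS cert instead, create the user
    # with --no-password; etcd then matches the certificate CN to the user name.
    ectl user add "$APP_USER:$APP_PW"
    ectl user grant-role "$APP_USER" "$APP_ROLE"
    ectl auth enable
}

# Check the boundary: writes/reads inside the prefix succeed, a write outside
# it must fail. A write that succeeds outside the prefix is the bug we look for.
verify_scope() {
    ectl --user="$APP_USER:$APP_PW" put "${APP_PREFIX}config" ok >/dev/null
    ectl --user="$APP_USER:$APP_PW" get "${APP_PREFIX}config" >/dev/null
    if ectl --user="$APP_USER:$APP_PW" put /outside-the-prefix 1 2>/dev/null; then
        echo "FAIL: $APP_USER could write outside $APP_PREFIX" >&2
        return 1
    fi
    echo "ok: $APP_USER is confined to $APP_PREFIX"
}

# Read etcd JSON log lines on stdin and print, once each, every user-name that
# etcd rejected because no etcd user exists for it. Empty output means every
# authenticated client has a matching user.
etcd_log_missing_users() {
    sed -n 's/.*"msg":"cannot find a user for permission check".*"user-name":"\([^"]*\)".*/\1/p' | sort -u
}

# Constructed sample modelled on the journal lines in the issue (not real logs).
SAMPLE_LOG='{"level":"info","ts":"2024-06-06T16:04:46.864101+0200","caller":"auth/store.go:257","msg":"enabled authentication"}
{"level":"error","ts":"2024-06-06T16:04:47.323434+0200","caller":"auth/store.go:866","msg":"cannot find a user for permission check","user-name":"etcd-client"}
{"level":"error","ts":"2024-06-06T16:04:47.548493+0200","caller":"auth/store.go:866","msg":"cannot find a user for permission check","user-name":"etcd-client"}'

case "${1:-}" in
    setup)     setup_scoped_user ;;
    verify)    verify_scope ;;
    check-log) etcd_log_missing_users ;;   # e.g. journalctl -u k3s -o cat | sh etcd-rbac.sh check-log
    demo)      printf '%s\n' "$SAMPLE_LOG" | etcd_log_missing_users ;;
    *)         : ;;                        # no argument: only define the functions
esac
```

Run `sh etcd-rbac.sh setup` once against the dedicated cluster, then `sh etcd-rbac.sh verify`; `demo` runs the log check over the constructed sample and prints `etcd-client`, which is exactly the situation in the report: k3s presents a client certificate with that CN, and once authentication is on, etcd has no user of that name to authorize, so every apiserver request is refused.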