VersionApi call not allowed when ClusterRole system:discovery is used in binding to a service account #153

Closed
TheFrogPad opened this issue Dec 15, 2017 · 9 comments

Comments

@TheFrogPad

See https://github.com/kubernetes-client/java/blob/master/kubernetes/src/main/java/io/kubernetes/client/apis/VersionApi.java

Issue:

VersionApi.getCodeCall() uses /version/ when calling apiClient.buildCall() at line 102.

If you bind the ClusterRole system:discovery to a service account when RBAC is enabled, the call fails with HTTP 403.

Workaround:

```
kubectl create clusterrole get-versionresources --verb=get --non-resource-url='/version/*'
kubectl create clusterrolebinding get-versionresources-binding --clusterrole=get-versionresources --serviceaccount=mynamespace:myaccount
```

@brendandburns
Contributor

oops, didn't mean to close this...

@brendandburns
Contributor

I've sent a PR to upstream Kubernetes to add this permission to the system:discovery role.

@TheFrogPad
Author

Great! I had wondered if the system:discovery role might need a change but wasn't sure.

So when I did a search on kubernetes.io I did not seem to find information on the non-resource URLs. Can you provide a reference to the spec about non-resource URLs that you have referenced here for the version?

Thanks

@brendandburns
Contributor

brendandburns commented Dec 19, 2017 via email

@TheFrogPad
Author

Okay, I was just looking around in the repo and the path should be https://github.com/kubernetes/kubernetes/blob/master/api/openapi-spec/swagger.json

I noticed when looking in API folder there is also https://github.com/kubernetes/kubernetes/blob/master/api/swagger-spec/version.json which has no trailing slash.

Thanks again for the help...

@brendandburns
Contributor

brendandburns commented Dec 19, 2017 via email

@liggitt

liggitt commented Dec 20, 2017

I wouldn't expect the openapi spec to have a trailing slash

@brendandburns
Contributor

@liggitt

Well, it's there:
https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/swagger.json
Sadly the swagger is too huge for me to direct link via github, but search for '/version/'

@mbohlool any idea why the trailing slash is there?

k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Dec 20, 2017
Automatic merge from submit-queue (batch tested with PRs 57349, 57368). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Add '/version/' to the system:discovery role, since that's what the spec says.

See: kubernetes-client/java#153

```release-note
Add the path '/version/' to the `system:discovery` cluster role.
```
@brendandburns
Contributor

I'm closing this, since the change is merged into upstream Kubernetes, and there's not much more we can do here unless the openapi spec changes.
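
The trailing-slash mismatch discussed in this thread, as an added example (not code from the kubernetes-client/java or Kubernetes repositories): a Go sketch, modelled on the RBAC authorizer's path comparison, of how a request path is checked against a rule's nonResourceURLs entries. The rule lists are constructed, the pre-fix `system:discovery` list holding only `/version` is an assumption, and verb checks are left out.

```go
package main

import (
	"fmt"
	"strings"
)

// nonResourceURLMatches mirrors the RBAC comparison for one nonResourceURLs
// entry: "*" matches all, a trailing "*" is a prefix match, else exact equality.
func nonResourceURLMatches(rule, requested string) bool {
	if rule == "*" || rule == requested {
		return true
	}
	return strings.HasSuffix(rule, "*") &&
		strings.HasPrefix(requested, strings.TrimRight(rule, "*"))
}

// allowed reports whether any entry in the role's list permits the path.
func allowed(rules []string, requested string) bool {
	for _, r := range rules {
		if nonResourceURLMatches(r, requested) {
			return true
		}
	}
	return false
}

// Constructed rule sets (assumptions, not dumped from a cluster).
var (
	discoveryBefore = []string{"/version"}              // assumed pre-fix entry
	discoveryAfter  = []string{"/version", "/version/"} // with the upstream fix
	workaround      = []string{"/version/*"}            // from the kubectl workaround
)

func main() {
	roles := []struct {
		name  string
		rules []string
	}{
		{"system:discovery (assumed, before fix)", discoveryBefore},
		{"system:discovery (after fix)", discoveryAfter},
		{"get-versionresources (workaround)", workaround},
	}
	for _, role := range roles {
		for _, path := range []string{"/version", "/version/"} {
			fmt.Printf("%-40s %-10s allowed=%v\n", role.name, path, allowed(role.rules, path))
		}
	}
}
```

Under this matching, the `/version/*` workaround covers `/version/` but not `/version`, and the exact `/version/` entry grants nothing below that path, which makes it the narrower of the two grants.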
