VersionApi call not allowed when ClusterRole system:discovery is used in binding to a service account

[TheFrogPad]

See https://github.com/kubernetes-client/java/blob/master/kubernetes/src/main/java/io/kubernetes/client/apis/VersionApi.java

Issue:

VersionApi.getCodeCall() uses /version/ when calling apiClient.buildCall() at line 102.

If you bind the ClusterRole system:discovery to a service account when RBAC is enabled the call fails with HTTP 403

Workaround:

kubectl create clusterrole get-versionresources --verb=get --non-resource-url='/version/*'
kubectl create clusterrolebinding get-versionresources-binding --clusterrole=get-versionresources --serviceaccount=mynamespace:myaccount

[brendandburns]

oops, didn't mean to close this...

[brendandburns]

I've sent a PR to upstream Kubernetes to add this permission to the system:discovery role.

[TheFrogPad]

Great! I had wondered if the system:discovery role might need a change but wasn't sure.

So when I did a search on kubernetes.io I did not seem to find information on the non-resource URLs. Can you provide a reference to the spec about non-resource URLs that you have referenced here for the version?

Thanks

[brendandburns]

https://github.com/kubernetes/kubernetes/tree/master/API/openapi/swagger.json (That's from memory, there might be some typos in the URL but if will get you close...)

…

--brendan

________________________________ From: Craig Perez <notifications@github.com> Sent: Tuesday, December 19, 2017 5:57:39 AM To: kubernetes-client/java Cc: Brendan Burns; State change Subject: Re: [kubernetes-client/java] VersionApi call not allowed when ClusterRole system:discovery is used in binding to a service account (#153) Great! I had wondered if the system:discovery role might need a change but wasn't sure. So when I did a search on kubernetes.io<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fkubernetes.io%2Fdocs%2Fsearch%2F&data=02%7C01%7Cbburns%40microsoft.com%7Cef306076fdd44a82bada08d546e87839%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636492886617422734&sdata=btYuD325Fseeq6rjRAHDLLjlgEhznfKFjrL51%2FQqbik%3D&reserved=0> I did not seem to find information on the non-resource URLs. Can you provide a reference to the spec about non-resource URLs that you have referenced here for the version? Thanks — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkubernetes-client%2Fjava%2Fissues%2F153%23issuecomment-352759160&data=02%7C01%7Cbburns%40microsoft.com%7Cef306076fdd44a82bada08d546e87839%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636492886617422734&sdata=HKwgcsOdIVFYOpelopG4ZyimSkH61GxUhEUm3G7LszE%3D&reserved=0>, or mute the thread<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAFfDgtuodzZDCxfzBPGrSCXABJOAf8B4ks5tB8DTgaJpZM4REFWR&data=02%7C01%7Cbburns%40microsoft.com%7Cef306076fdd44a82bada08d546e87839%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636492886617422734&sdata=N%2F1%2FEbhSjfiE6ZKbyXpXLgEbKgR9wYg%2Fn7ZYku4viBU%3D&reserved=0>.

[TheFrogPad]

Okay, I was just looking around in the repo and the path should be https://github.com/kubernetes/kubernetes/blob/master/api/openapi-spec/swagger.json

I noticed when looking in API folder there is also https://github.com/kubernetes/kubernetes/blob/master/api/swagger-spec/version.json which has no trailing slash.

Thanks again for the help...

[brendandburns]

Oh, that inconsistency is super bad. The OpenAPI is the "new" spec... the swagger 1.2 will be deprecated soon.

…

--brendan

________________________________________ From: Craig Perez <notifications@github.com> Sent: Tuesday, December 19, 2017 6:15 AM To: kubernetes-client/java Cc: Brendan Burns; State change Subject: Re: [kubernetes-client/java] VersionApi call not allowed when ClusterRole system:discovery is used in binding to a service account (#153) Okay, I was just looking around in the repo and the path should be https://github.com/kubernetes/kubernetes/blob/master/api/openapi-spec/swagger.json<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkubernetes%2Fkubernetes%2Fblob%2Fmaster%2Fapi%2Fopenapi-spec%2Fswagger.json&data=02%7C01%7Cbburns%40microsoft.com%7C1a05c8c8fbec4a3e297d08d546eafbc1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636492897419548188&sdata=VocKCm3wE7Hq3goiJWf4CFvNh5KbJJhH8LcGm%2FcGQDA%3D&reserved=0> I noticed when looking in API folder there is also https://github.com/kubernetes/kubernetes/blob/master/api/swagger-spec/version.json<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkubernetes%2Fkubernetes%2Fblob%2Fmaster%2Fapi%2Fswagger-spec%2Fversion.json&data=02%7C01%7Cbburns%40microsoft.com%7C1a05c8c8fbec4a3e297d08d546eafbc1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636492897419548188&sdata=7OSUjwYwdtmJEnvBrFe0%2B8ioXO6S7KF1ZaXg1RegqSU%3D&reserved=0> which has no trailing slash. Thanks again for the help... — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkubernetes-client%2Fjava%2Fissues%2F153%23issuecomment-352765320&data=02%7C01%7Cbburns%40microsoft.com%7C1a05c8c8fbec4a3e297d08d546eafbc1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636492897419548188&sdata=BevSd5ZYjofVXMPDRgeJzqW6D%2BGMDCRnRisgJ9FRVmE%3D&reserved=0>, or mute the thread<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAFfDggDCswD6woQ_3GlltVaNur0eQqKYks5tB8ULgaJpZM4REFWR&data=02%7C01%7Cbburns%40microsoft.com%7C1a05c8c8fbec4a3e297d08d546eafbc1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636492897419548188&sdata=%2FtMsqFQqzT6aCv07pg5kMtoGfGnqnyLC3MhC%2BcEOOzY%3D&reserved=0>.

[liggitt]

I wouldn't expect the openapi spec to have a trailing slash

[brendandburns]

@liggitt

Well, it's there:
https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/swagger.json
Sadly the swagger is too huge for me to direct link via github, but search for '/version/'

@mbohlool any idea why the trailing slash is there?

[brendandburns]

I'm closing this, since the change is merged into upstream Kubernetes, and there's not much more we can do here unless the openapi spec changes.