Document how RBAC interacts with kube-system components #29177
Comments
apelisse
added
sig/network
|
Some progress on this: I discovered that the default service account tokens were invalid because the private key for the master components had changed. I had to manually remove the default service accounts and let the system recreate them based on the new private key. This should really be handled better. (Ref #4672, #24928) Now that the service account's token is itself valid, the errors in kube-dns's container changed to this, which looks like authentication is now succeeding but authorization is failing (progress!): I've tried another variation on the subject in the ClusterRoleBinding: - kind: "ServiceAccount"
name: "default"
namespace: "default"And with explicit entries for each namespace currently in use (kube-dns is being deployed to the kube-system namespace): - kind: "ServiceAccount"
name: "default"
namespace: "default"
- kind: "ServiceAccount"
name: "default"
namespace: "kube-system"But the errors are the same with each variation. |
|
cc @ericchiang |
|
@apelisse This issue probably needs an area/auth label. |
|
cc @kubernetes/sig-auth Hey @jimmycuadra thanks for opening this issue. Couple initial points:
- kind: "User"
namespace: "kube-system"
name: "system:serviceaccount:kube-system:default"
|
|
Also note that you can generally find people in #sig-auth or #kubernetes-users channels in the kubernetes slack who might be able to provide more real time feedback. |
|
Thanks, Eric! That is very helpful. I was asking on #sig-auth, but I've been working at night the last couple days so there isn't much activity in there when I'm working. Thanks again for the reply. |
|
I have looked into the RBAC docs, specifically on ClusterRoleBindings. From what I understand in the docs, this bind is used for the whole cluster and not per namespace. For that reason the namespace is omitted from the Objects. kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: read-secrets
**subjects:
- kind: Group # May be "User", "Group" or "ServiceAccount"
name: manager**
roleRef:
kind: ClusterRole
name: secret-reader
apiVersion: rbac.authorization.k8s.io/v1alpha1when trying to create such resource (ClusterRoleBinding) it fails with error
I have tried this with kubernetes version 1.3.4 (server and client) thanks |
|
I have doubled check this, and it only happens when using kind: ServiceAccounts. User seems to work without indicating a namespace. |
ServiceAccounts are namespace scoped subjects, so when you refer to them, you have to specify the namespace of the service account you want to bind. |
|
I can't get it to work with any kind - User, Group, ServiceAccount. Did anyone get it to work? What am i doing wrong? |
|
@dhawal55 if you want to refer to a service account, use a subject like this: if you want to refer to all service accounts in a namespace: and if you want to refer to all service accounts everywhere: |
|
I tried it but still getting Forbidden error when trying to access API from On Aug 28, 2016 8:18 PM, "Jordan Liggitt" notifications@github.com wrote:
|
|
Jordan's comment was so helpful I added it to documentation: |
|
@dhawal55 You should not need to delete pods, service account or secret when you make RBAC changes. The secret contains the toke. whose claims contain the username and the group name, but those should not change over time. If there was a problem with the token, then you would get a 401, not a 403. You can verify your token has the right username using a command like this: You should see |
|
@dhawal55 can you provide details about the API request that is failing? Your example is creating a role binding in the kube-system namespace, which will only grant access to that namespace. If you want to grant the permissions in the referenced role cluster-wide, create a ClusterRoleBinding |
|
@erictune thanks for the tip. @liggitt Yes, that's my issue. I created a role binding which is namespace specific and was referring to cluster-role that gave access to nonResourceURLs which are not namespace specific. I'm splitting my roles so i have a separate clusterRole and clusterRoleBinding for nonResourceURLs. Thank you @deads2k for helping me understand this. |
|
Ugh. You should not have to have a separate role for nonResourceURLs. |
|
separate rule in the same role should work fine |
|
if you want to give namespace-specific permissions, AND cluster-wide non-resource permissions, then two roles and separate bindings make more sense. In openshift, we have roles like this:
|
Yeah, that was what I was thinking should work. |
I don't know how we would do that in Kubernetes since it is aloof about users. I guess we would have a |
We have two groups: How about we discuss it during our ad-hoc today? There are intersections with some work from dims involved in shutting down the insecure port: #31491 |
|
Adding |
|
Hello, kubectl get clusterrole admin-access -o yaml kubectl --namespace=kube-system get rolebinding admin-access -o yaml And still having issues with accessing API 403: Double-checked token... Any suggestions? |
|
Hmmm, |
|
@MaksymBilenko when you have a non-resource URL, it needs to be bound as a ClusterRole, not a Role. This is because non-resource URLs are logically unnamespaced. |
|
Finally sorted this out, I was not attentive enough. Here is working config for kube-system to make plugins working with RBAC for example kube2sky: ClusterRole: ClusterRoleBinding: Hope that would be helpful. @erictune Maybe make sense to add this step to the docs as an example, anyways people would require some plugins like SkyDNS and they might have the same issues |
|
On Fri, Sep 9, 2016, 7:00 AM Maksym Bilenko notifications@github.com
|
|
/cc @kubernetes/huawei |
Automatic merge from submit-queue Allow anonymous API server access, decorate authenticated users with system:authenticated group When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials. This PR: * Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow` * Decorates user.Info returned from configured authenticators with the group `system:authenticated`. This is related to defining a default set of roles and bindings for RBAC (kubernetes/enhancements#2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs. ```release-note kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'. Authenticated users are decorated with a 'system:authenticated' group. NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'. ``` c.f. #29177 (comment)
|
I'm experiencing this same issue, but with ABAC rather than RBAC. Was there ever a definitive solution to this problem? Here is the output of my kubedns logs: And here's what my ABAC file looks like: As you can see, I've tried a few different combinations in there. I'm also using a basic auth file and certificates, both of those methods seem to be working fine. However I can't figure out how to authorize the default service account for the kube-system namespace. I've tried deleting and recreating the secret, as was mentioned above. Is there something that I need to change in my ABAC file? |
|
RBAC in 1.6 will include default roles and bindings for components! staging doc link: https://kubernetes-io-vnext-staging.netlify.com/docs/admin/authorization/rbac/#default-clusterroles-and-clusterrolebindings |
|
default roles and bindings are documented at https://kubernetes.io/docs/admin/authorization/rbac/#default-roles-and-role-bindings deployments can set up additional bindings if desired, but these form the baseline |
Automatic merge from submit-queue Allow anonymous API server access, decorate authenticated users with system:authenticated group When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials. This PR: * Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow` * Decorates user.Info returned from configured authenticators with the group `system:authenticated`. This is related to defining a default set of roles and bindings for RBAC (kubernetes/enhancements#2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs. ```release-note kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'. Authenticated users are decorated with a 'system:authenticated' group. NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'. ``` c.f. kubernetes/kubernetes#29177 (comment)
In getting my cluster set up with RBAC, I discovered that Kubernetes system components need to be explicitly allowed to access the API just like any other client. I had to add a ClusterRole and ClusterRoleBinding for the kubelet (i.e. the common name in the k8s nodes' client certificate.) Without them, the nodes could not register themselves and begin handling work.
It's also not clear how RBAC affects the default service accounts. I'm trying to deploy kube-dns with this manifest:
and the pod fails to start, showing this in the kube-dns container's logs:
with that error recurring infinitely.
I added this subject to my full access ClusterRoleBinding:
but that didn't fix it.
Documentation for how to bootstrap RBAC so that all Kubernetes's own components work should be added. If someone can add some details here, I can make a PR to the docs website myself.
The text was updated successfully, but these errors were encountered: