RBAC policy for watching a single object? #54079

Closed
justinsb opened this issue Oct 17, 2017 · 4 comments
Labels
sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

justinsb (Member) commented Oct 17, 2017

Related to #43299, what is the RBAC policy to lock down watching to a particular object (in my case, a secret)?

I've tried:

```yaml
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get","watch","list"]
  resourceNames: ["singleton"]
```

But that gives me "...cannot list secrets..."

It seems to need:

```yaml
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get","watch","list"]
```

This is using:

```go
listOpts.FieldSelector = fields.OneTermEqualSelector("metadata.name", c.name).String()
```
justinsb (Member, Author) commented

cc @liggitt

justinsb added the sig/auth label Oct 17, 2017
liggitt (Member) commented Oct 17, 2017

authorization currently doesn't have the filter attributes on list/watch calls, so those are authorized unscoped to a particular resource name. that applies to all authorizers, not just RBAC

adding support for that is one aspect of #40403

liggitt closed this as completed Oct 17, 2017
debianmaster commented Dec 23, 2019

@liggitt now that custom resources are in use extensively, it will be nice to have a built-in solution for filtering custom objects based on k8s native RBAC. any workarounds that you can suggest?

  • Admission controllers [no get operations supported AFAIK]
  • Pass all the objects in get operations and return only the objects to which the impersonated user has access?

liggitt (Member) commented Apr 23, 2020

watch/list support for single resources was added in #63469 in v1.11

The list/watch requests must set a fieldSelector of metadata.name=$name
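The following Go program is an added illustration of the behaviour described in this thread; it is example code written for this page, not kube-apiserver, client-go or RBAC authorizer code. It models why the `resourceNames: ["singleton"]` rule from the first comment could never match an unscoped list/watch (the request carries no name, so nothing in `resourceNames` can equal it), and how a list/watch whose `fieldSelector` pins `metadata.name=$name` is instead authorized as a request for that single object. The types `Rule` and `Request` and the functions `IssueRules`, `RequestFromListQuery` and `Allowed` are assumptions of this example, and the selector parsing is deliberately simplified.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Rule is a stripped-down RBAC PolicyRule (hypothetical type for this example).
type Rule struct {
	APIGroups     []string
	Resources     []string
	Verbs         []string
	ResourceNames []string // empty means "any name"
}

// Request is the attribute set an authorizer is handed for one API call.
type Request struct {
	Verb, APIGroup, Resource string
	Name                     string // "" for a list/watch that names no object
}

// IssueRules returns the rule posted in the first comment of the issue.
func IssueRules() []Rule {
	return []Rule{{
		APIGroups:     []string{""},
		Resources:     []string{"secrets"},
		Verbs:         []string{"get", "watch", "list"},
		ResourceNames: []string{"singleton"},
	}}
}

// nameFromFieldSelector returns X when the selector requires metadata.name=X
// (also accepting "==" and additional comma-separated terms). Any other
// selector, including metadata.name!=X (its key is "metadata.name!"), yields
// "" so the request stays unscoped.
func nameFromFieldSelector(sel string) string {
	for _, term := range strings.Split(sel, ",") {
		kv := strings.SplitN(term, "=", 2)
		if len(kv) != 2 {
			continue
		}
		key, value := strings.TrimSpace(kv[0]), strings.TrimPrefix(kv[1], "=")
		if key == "metadata.name" && value != "" {
			return value
		}
	}
	return ""
}

// RequestFromListQuery models the v1.11+ behaviour: a list/watch whose
// fieldSelector pins metadata.name is authorized as a request for that name.
func RequestFromListQuery(verb, group, resource, rawQuery string) Request {
	req := Request{Verb: verb, APIGroup: group, Resource: resource}
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return req // unparseable query string: treat as unscoped
	}
	if verb == "list" || verb == "watch" {
		req.Name = nameFromFieldSelector(q.Get("fieldSelector"))
	}
	return req
}

// matches reports whether v is in list, honouring the "*" wildcard that RBAC
// allows for groups, resources and verbs (but not for resourceNames).
func matches(list []string, v string) bool {
	for _, item := range list {
		if item == "*" || item == v {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants the request. A rule that sets
// resourceNames only matches a request that carries one of those names,
// which is why the unscoped list in the issue failed with "cannot list secrets".
func Allowed(rules []Rule, req Request) bool {
	for _, r := range rules {
		if !matches(r.APIGroups, req.APIGroup) || !matches(r.Resources, req.Resource) || !matches(r.Verbs, req.Verb) {
			continue
		}
		if len(r.ResourceNames) == 0 {
			return true
		}
		for _, n := range r.ResourceNames {
			if req.Name != "" && n == req.Name {
				return true
			}
		}
	}
	return false
}

func main() {
	rules := IssueRules()
	for _, raw := range []string{
		"",                                         // unscoped watch: denied
		"fieldSelector=metadata.name%3Dsingleton",  // exact name: allowed
		"fieldSelector=metadata.name%3Dother",      // different name: denied
		"fieldSelector=metadata.name!%3Dsingleton", // not-equals: still unscoped, denied
	} {
		req := RequestFromListQuery("watch", "", "secrets", raw)
		fmt.Printf("watch secrets ?%-42s name=%q allowed=%v\n", raw, req.Name, Allowed(rules, req))
	}
}
```

The practical check this encodes: a `resourceNames`-scoped rule grants a list or watch only when the client sends a selector that requires an exact `metadata.name` match (which is what the `fields.OneTermEqualSelector("metadata.name", c.name)` call in the issue produces); a not-equals term or a selector on any other field leaves the request unscoped, and the rule will not match it.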
