
kubectl user for checking RBAC #58385

Closed
maxkondr opened this issue Jan 17, 2018 · 3 comments
Labels
sig/auth Categorizes an issue or PR as relevant to SIG Auth.


maxkondr commented Jan 17, 2018

Hi,

Environment:

  • Kubernetes version (use kubectl version): v1.8
  • Cloud provider or hardware configuration: OpenStack
  • OS (e.g. from /etc/os-release): "Container Linux by CoreOS 1576.4.0 (Ladybug)"
  • Kernel (e.g. uname -a): Linux master-1.novalocal 4.13.16-coreos-r2
  • Others: OpenStack floating IP for master node is 192.168.67.107
  • RBAC enabled.

I try to deploy the weave-network plugin using the command:

kubectl apply -f "https://cloud.weave.works/k8s/v1.8/net.yaml"

but get the following:

serviceaccount "weave-net" created
clusterrolebinding "weave-net" created
rolebinding "weave-net" created
daemonset "weave-net" created
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io "weave-net" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["networkpolicies"], APIGroups:["networking.k8s.io"], Verbs:["get"]} PolicyRule{Resources:["networkpolicies"], APIGroups:["networking.k8s.io"], Verbs:["list"]} PolicyRule{Resources:["networkpolicies"], APIGroups:["networking.k8s.io"], Verbs:["watch"]}] user=&{192.168.67.107  [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Forbidden): roles.rbac.authorization.k8s.io "weave-net" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], ResourceNames:["weave-net"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], ResourceNames:["weave-net"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["create"]}] user=&{192.168.67.107  [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

As you can see, it tries to use user=192.168.67.107 instead of 'admin', which is configured in the local kubectl.

My kubectl config:

kubectl config view

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /tmp/CA/kubelet/kubelet-ca.crt
    server: https://192.168.67.107
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    user: admin
  name: default-system
current-context: default-system
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate: /tmp/CA/kubelet/kubelet.crt
    client-key: /tmp/CA/kubelet/kubelet.key

If I grant permissions to user=192.168.67.107 like:

kubectl create clusterrolebinding myname-cluster-admin-binding-1 --clusterrole=cluster-admin --user=192.168.67.107

everything works fine.

Could you please describe why the IP is used instead of the user?

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jan 17, 2018
php-coder (Contributor) commented Jan 17, 2018

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 17, 2018
liggitt (Member) commented Jan 17, 2018

admin is just the name of the stanza in the kubeconfig file. The actual credentials you used were client-certificate: /tmp/CA/kubelet/kubelet.crt.

openssl x509 -in /tmp/CA/kubelet/kubelet.crt -text -noout will show the CN of that cert is 192.168.67.107

/close
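To make the identity mapping liggitt describes concrete, here is an added example (not code from the issue or from Kubernetes). For X.509 client authentication the API server takes the username from the certificate subject's CN and the groups from its O entries; the "name: admin" label in the kubeconfig plays no part. The original /tmp/CA/kubelet/kubelet.crt is not available, so the script generates two self-signed stand-ins: one with CN=192.168.67.107 and no O, reproducing what liggitt found in the kubelet cert, and one with CN=admin and O=system:masters, the group the default ClusterRoleBinding maps to cluster-admin. The function names and the /O=devs group are illustrative choices made here.

```shell
#!/bin/sh
# Added example, not from the issue or Kubernetes: show which username and
# groups the API server derives from an X.509 client certificate.
# Mapping (Kubernetes authentication docs): username = subject CN,
# groups = all subject O entries. The certs are self-signed stand-ins
# generated here for illustration; function names are our own.
set -eu

# Username Kubernetes derives from a PEM client cert: the subject's CN.
k8s_cert_user() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *CN=//p' | head -n 1
}

# Groups Kubernetes derives from the cert: every O entry, comma-separated
# (empty output when the subject has no O, as with the kubelet cert).
k8s_cert_groups() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *O=//p' | tr '\n' ',' | sed 's/,$//'
}

# Generate a throwaway self-signed client cert/key pair.
# $1 = output path prefix, $2 = OpenSSL subject, e.g. "/CN=admin/O=system:masters"
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" -subj "$2" >/dev/null 2>&1
}

# One-line summary in the shape the Forbidden error prints: user=... groups=[...]
k8s_cert_identity() {
  printf 'user=%s groups=[%s]\n' "$(k8s_cert_user "$1")" "$(k8s_cert_groups "$1")"
}

demo() {
  dir=$(mktemp -d)
  # Stand-in for the kubelet cert from the issue: CN is the node's IP, no O,
  # so RBAC sees an unprivileged user named "192.168.67.107".
  make_client_cert "$dir/kubelet" "/CN=192.168.67.107"
  # A cert that actually names an admin. O=system:masters is the group the
  # built-in ClusterRoleBinding binds to cluster-admin; "devs" is a second,
  # made-up group to show that every O entry becomes a group.
  make_client_cert "$dir/admin" "/CN=admin/O=system:masters/O=devs"
  for c in kubelet admin; do
    printf '%s.crt -> ' "$c"
    k8s_cert_identity "$dir/$c.crt"
  done
  # With a cluster at hand, confirm what RBAC grants that identity, e.g.:
  #   kubectl auth can-i --list --as=admin --as-group=system:masters
  rm -rf "$dir"
}

demo
```

Run it against a real kubeconfig's client-certificate path with `k8s_cert_identity /path/to/client.crt` before binding anything: if the printed user is an IP or a node name, the cert was issued for a kubelet, and binding cluster-admin to that name (as in the workaround above) hands cluster-admin to the node's credential rather than to a person.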

maxkondr (Author) commented Jan 18, 2018

/open
Could you please list the users that should be mentioned during certificate creation?
