GKE MasterAuth clientCertificate has no permissions on Create #65400
Comments
/sig auth
@lukeweber did you end up finding a solution for this? I've just upgraded to 1.11 and noticed this behaviour (which I believe didn't happen back in 1.9). The context here is that I'm trying to get an uninterrupted terraform provisioning script; right now, after provisioning the GKE cluster, I need to stop the terraform script and manually bind
I'm facing the same issue. Why was this closed and how can I work around it?
So per recommendation, I did post on the kubernetes engine bug tracker and it became this private issue: https://issuetracker.google.com/u/1/issues/111101728, feel free to reference it. In a nutshell, the client cert has CN=client encoded and the client user doesn't have any permissions. If you use masterAuth username/password (basic auth), then you can apply the yaml.

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: client-binding
subjects:
- kind: User
  name: client
roleRef:
  kind: ClusterRole
  name: "cluster-admin"
  apiGroup: rbac.authorization.k8s.io
```

Which will give the user on the cert admin permissions. Additionally, to remove basic auth you can set the username="" in the api, but this will cause a reboot which will take 5 more minutes to do a master switch.
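The binding above only works because its subject name matches the CN the API server reads from the certificate. As an added example (not code from the issue or from Kubernetes), the stdlib-only script below takes the subject line printed by `openssl x509 -noout -subject`, maps CN to the Kubernetes user name and any O entries to groups, and emits the same ClusterRoleBinding as JSON; the subject lines in `main` are constructed sample input, and the `cluster_role_binding` helper and its `role` parameter are this example's own names.

```python
import json


def parse_openssl_subject(line):
    """Map an `openssl x509 -noout -subject` line to the Kubernetes identity.

    The API server uses the certificate's CN as the user name and each O as a
    group name. Both OpenSSL output styles are handled:
      old:  subject= /O=system:masters/CN=client
      new:  subject=O = system:masters, CN = client
    Values containing '/' or ',' are not handled (they do not occur here).
    """
    s = line.strip()
    if s.startswith("subject="):
        s = s[len("subject="):].strip()
    if s.startswith("/"):
        parts = [p for p in s.split("/") if p]   # old slash-separated form
    else:
        parts = s.split(",")                     # new comma-separated form
    user, groups = None, []
    for part in parts:
        key, _, value = part.partition("=")
        key, value = key.strip(), value.strip()
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if user is None:
        raise ValueError("subject has no CN; the API server would not map it to a user")
    return user, groups


def cluster_role_binding(user, role="cluster-admin", name=None):
    """Build the ClusterRoleBinding from the issue for the user named by the CN.

    `role` defaults to cluster-admin as in the issue; a narrower ClusterRole can
    be passed instead if the cert holder does not need full admin rights.
    """
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name or f"{user}-binding"},
        "subjects": [{"kind": "User", "name": user,
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


if __name__ == "__main__":
    # Constructed sample: the subject GKE puts on the MasterAuth client cert.
    user, groups = parse_openssl_subject("subject= /CN=client")
    print(json.dumps(cluster_role_binding(user), indent=2))
```

Pipe the JSON to `kubectl apply -f -` using credentials that already have RBAC rights (basic auth, as the comment above describes), then confirm the cert identity actually gained the rights with `kubectl auth can-i` while authenticating with the client certificate.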
This was hard to find: https://www.terraform.io/docs/providers/google/d/datasource_client_config.html I'm not sure if that solves your problem, but this was the bit I needed for authorization w/o client cert or master auth. I'm leaving it here in case it helps someone else.
Crosslink to other somewhat relevant issue: Shippable/support#4667
Hi, thanks for the catch, I was going nuts with it. Not sure if the token workaround should be used when giving the creds to other people.
/kind bug
What happened:
When provisioning a GKE cluster with google-api-go-client, the MasterAuth client certificate is set to Subject: CN=client. When I try to use the MasterAuth certs to connect to the cluster it says client has no permissions.
If I use gclient to get other credentials, I can modify RBAC to fix this with the following code:
What you expected to happen:
I would expect that "client" would have admin permissions on the cluster similar to basic auth, which has full admin, or that the cert would simply be an admin cert (Subject: CN=admin), or that the subject common name could be configurable on cluster create via the api so users could choose.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
As an example, basic auth gives you an admin user, but the more secure certs give you a user with no permissions.
Environment:
- kubectl version: 1.10.4-gke.2
- uname -a: