
Need a deployment config for kubernetes with RBAC #1347

Closed
turchanov opened this Issue May 26, 2017 · 5 comments

@turchanov

turchanov commented May 26, 2017

Linkerd cannot retrieve the endpoint list when deployed on kubernetes 1.6 using the deployment configs as instructed at https://linkerd.io/getting-started/k8s/ or https://linkerd.io/getting-started/k8s-daemonset/. This happens due to RBAC being turned on by default for kubernetes 1.6.

I circumvented RBAC by permitting everything to the default ServiceAccount used to run the linkerd pod (see below).

We need a deployment config for kubernetes with RBAC with a fine-grained Role (or ClusterRole? I am not an expert on Kubernetes).

If anyone needs the stack trace thrown by linkerd, it is here: #1344.

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-allow-all
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: linkerd-allow-all
rules:
  - apiGroups: [""]
    resources:
      - '*'
    verbs:
      - '*'
@adleong


Member

adleong commented Jun 6, 2017

I believe linkerd can get away with much more restrictive permissions than the ones granted above. It should only need read and watch permissions on the endpoints, namespaces, and services APIs.

Thanks for the issue, we'll definitely put something together.

@adleong adleong added this to Short-Term in Linkerd Roadmap Jun 6, 2017

@ethanrubio


ethanrubio commented Jul 9, 2017

I'm also running into issues with namerd trying to get the dtabs.l5d.io from the thirdpartyresource found here.

io.buoyant.k8s.Api$UnexpectedResponse: Response("HTTP/1.1 Status(403)"): User "system:serviceaccount:default:default" cannot list dtabs.l5d.io in the namespace "default".
	at io.buoyant.k8s.Api$.parse(Api.scala:72)
	at io.buoyant.k8s.ListResource.$anonfun$get$2(resources.scala:136)
	at com.twitter.util.Future.$anonfun$flatMap$1(Future.scala:1089)
	at com.twitter.util.Promise$Transformer.liftedTree1$1(Promise.scala:107)
	at com.twitter.util.Promise$Transformer.k(Promise.scala:107)
	at com.twitter.util.Promise$Transformer.apply(Promise.scala:117)
	at com.twitter.util.Promise$Transformer.apply(Promise.scala:98)

I've allowed linkerd and namerd to have all permissions as mentioned above:

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-allow-all
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: linkerd-allow-all
rules:
  - apiGroups: [""]
    resources:
      - '*'
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: namerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: namerd-allow-all
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: namerd-allow-all
rules:
  - apiGroups: [""]
    resources:
      - '*'
    verbs:
      - '*'

How can I let namerd have permissions to get the dtabs from the third party resource?

@ethanrubio


ethanrubio commented Jul 10, 2017

A quick update: I solved it by doing the following:

---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
  name: namerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
  name: namerctl
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
  name: namerctl-script
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Is there a better way to do this than granting cluster-admin access?

@rmars


Member

rmars commented Jul 19, 2017

@ethanrubio yeah I think you can do this without granting cluster-admin access. We're working on adding example RBAC configs (see configs at linkerd/linkerd-examples#165 for granting namerd access to the third party resource).
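An added example (not from this issue or the linkerd project) of the narrower permissions adleong describes, covering both the linkerd read/watch access and namerd's access to the dtab third-party resource without cluster-admin. It assumes dedicated service accounts named "linkerd" and "namerd" already exist in the default namespace and the pods set serviceAccountName accordingly, and that the TPR is addressed as resource "dtabs" in apiGroup "l5d.io" (inferred from the 403 message above, so verify against your TPR definition).

```yaml
# Added example, not the project's own manifests. Replaces the allow-all Roles
# above with least-privilege ClusterRoles bound to dedicated service accounts
# (assumed to exist) instead of the shared "default" account.
---
# linkerd only reads and watches endpoints, services and namespaces.
# ClusterRole because endpoint discovery spans namespaces; a Role would stop at one.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: linkerd-endpoint-reader
rules:
- apiGroups: [""]
  resources: ["endpoints", "services", "namespaces"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: linkerd-endpoint-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-endpoint-reader
subjects:
- kind: ServiceAccount
  name: linkerd
  namespace: default
---
# namerd reads dtabs from the TPR (group/resource assumed from the 403 message).
# Write verbs belong to whatever seeds dtabs (namerctl), not to namerd itself.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: namerd-dtab-reader
rules:
- apiGroups: ["l5d.io"]
  resources: ["dtabs"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: namerd-dtab-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namerd-dtab-reader
subjects:
- kind: ServiceAccount
  name: namerd
  namespace: default
```

After applying, `kubectl auth can-i list dtabs.l5d.io --as=system:serviceaccount:default:namerd` should answer yes while `kubectl auth can-i delete pods --as=system:serviceaccount:default:namerd` answers no, which is the check that the binding is both sufficient and still narrow.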

@esbie


Contributor

esbie commented Jul 31, 2017

@hawkw hawkw added the kubernetes label Aug 2, 2017

@adleong adleong closed this Aug 9, 2017

@adleong adleong removed this from Short-Term in Linkerd Roadmap Aug 9, 2017
