Fix not finding ClusterRoleBinding or RoleBinding for service accounts #550

Merged: tomleb merged 1 commit into rancher:main from tomleb:fix-service-account on Mar 14, 2025

@tomleb tomleb commented Mar 14, 2025

Contributor

Issue rancher/rancher#49404

Steve caches privileges of users to avoid making SAR requests to kube-apiserver. It makes privilege checks available via the AccessSetLookup (ASL) interface. That's used in Steve and it's now also used in the extension API server (and given to the stores).

Debugging showed that the ASL doesn't see this cluster-admin being bound to this service account. The issue is that we're not constructing the correct full name of the service account here. So when doing the lookup, we check for system:serviceaccount:cattle-system:rancher but when populating this ASL we add an index for serviceaccount:cattle-system:rancher. Those don't match so cluster-admin does not get added to this SA's privileges.

I'm fairly confident that this won't cause a regression because I've never seen a service account without the system: prefix.

@tomleb tomleb merged commit b29f7d5 into rancher:main Mar 14, 2025
@tomleb tomleb deleted the fix-service-account branch March 14, 2025 15:52
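
The key mismatch described in the PR, as an added example that is not Steve's code and not part of the original thread: bindings are indexed by subject, and a lookup by the authenticated username (kube-apiserver names service accounts system:serviceaccount:<namespace>:<name>) only succeeds when the index key is built the same way. The types and the functions buggyKey, fixedKey, buildIndex and sample are hypothetical, and the binding data is constructed from the names quoted above.

```go
package main

import "fmt"

// Subject and Binding are simplified stand-ins for the RBAC binding types.
type Subject struct{ Kind, Namespace, Name string }
type Binding struct {
	Role     string
	Subjects []Subject
}

// buggyKey reproduces the mismatch from the PR: the "system:" prefix is missing.
func buggyKey(s Subject) string {
	if s.Kind == "ServiceAccount" {
		return "serviceaccount:" + s.Namespace + ":" + s.Name
	}
	return s.Name
}

// fixedKey builds the username kube-apiserver assigns to a service account.
func fixedKey(s Subject) string {
	if s.Kind == "ServiceAccount" {
		return "system:serviceaccount:" + s.Namespace + ":" + s.Name
	}
	return s.Name
}

// buildIndex maps each subject key to the roles bound to that subject.
func buildIndex(bs []Binding, key func(Subject) string) map[string][]string {
	idx := map[string][]string{}
	for _, b := range bs {
		for _, s := range b.Subjects {
			idx[key(s)] = append(idx[key(s)], b.Role)
		}
	}
	return idx
}

// sample returns constructed data using the names quoted in the PR description.
func sample() []Binding {
	sa := Subject{Kind: "ServiceAccount", Namespace: "cattle-system", Name: "rancher"}
	return []Binding{{Role: "cluster-admin", Subjects: []Subject{sa}}}
}

func main() {
	user := "system:serviceaccount:cattle-system:rancher" // name used at lookup time
	fmt.Println("buggy index:", buildIndex(sample(), buggyKey)[user])
	fmt.Println("fixed index:", buildIndex(sample(), fixedKey)[user])
}
```

With the buggy key the lookup silently returns no roles, so the failure shows up as a missing privilege rather than an error.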