
read-only account #19

Open
jobace78 opened this issue May 1, 2019 · 20 comments

Comments

@jobace78

jobace78 commented May 1, 2019

Hi,

I'm trying to log in with a read-only account into k8dash with no success.

Steps to reproduce:

1.- create ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8dash-cluster-reader
  namespace: default

2.- create ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: [
    "get",
    "list",
    "proxy",
    "redirect",
    "watch"
  ]
- nonResourceURLs: ["*"]
  verbs: ["get"]

3.- create ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8dash-cluster-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- kind: ServiceAccount
  name: k8dash-cluster-reader
  namespace: default

If I modify the ClusterRole verbs to verbs: ["*"] I'm able to log in, and if I replace the ClusterRole definition with this ClusterRole definition while I'm logged in, everything works as expected, so I think the problem could be the login check...

Any suggestions?

Thanks in advance,
Joan

@herbrandson
Collaborator

@jobace78 Thanks for reporting this! I suspect you're right about the issue being the login check. Could you try logging in again using the failing use case and check the networking tab in the developer tools to verify which api call is failing? If you're correct and we can verify that it's the selfsubjectaccessreviews call, I think this should be fairly easy to fix.

@jobace78
Author

jobace78 commented May 1, 2019

@herbrandson Yes, it's the selfsubjectaccessreviews (/apis/authorization.k8s.io/v1/selfsubjectaccessreviews). It's returning a 201 code. Thanks !!!

@herbrandson
Collaborator

Just to be clear, did you mean it's returning a 201 or a 401?

@jobace78
Author

jobace78 commented May 1, 2019

Sure, 201 (Created)

@herbrandson
Collaborator

Interesting. 201 should indicate a success. Any chance you could post the response body? Also, are there any other api calls that are failing? I was kinda expecting to see something with a 403

@jobace78
Author

jobace78 commented May 2, 2019

Hi,

This is the header response:

HTTP/2.0 201 Created
server: nginx/1.15.10
date: Thu, 02 May 2019 07:44:41 GMT
content-type: application/json
content-length: 231
strict-transport-security: max-age=15724800; includeSubDomains
X-Firefox-Spdy: h2

This is the response:

{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "metadata": {
    "creationTimestamp": null
  },
  "spec": {
    "resourceAttributes": {}
  },
  "status": {
    "allowed": false
  }
}

No, this is the only api call I'm able to see.

Thanks

@herbrandson
Collaborator

Thanks so much for the additional info, @jobace78. That's really helpful. I have a suspicion about what's going on now. The /apis/authorization.k8s.io/v1/selfsubjectaccessreviews api call is a POST and the cluster role you have doesn't allow POST calls. Would it be possible to temporarily modify that role to allow POSTs to that one endpoint? I'd like to verify that resolves the issue. If so, I think I can address that issue fairly easily.

To be totally honest, I haven't really tested w/ a read-only account. I really hope this change gets things working for you. I've added a TODO to my list to do some testing w/ a variety of permission combinations. In the meantime, please let me know about any other issues you run into and I'll do my best to resolve them ASAP.

Thanks again for the help in chasing this one down!

@linuxshokunin

FYI

I tested it as well but only cluster-admin role can access POST selfsubjectaccessreviews.
My cluster is installed with kubeadm. There are 4 clusterroles, cluster-admin, admin, edit, view by default.
cluster-admin has '*' for all.
Even admin is not allowed to post selfsubjectaccessreviews.

This is what clusterrole admin is.

rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

@herbrandson
Collaborator

Interesting. So I only see this section in that role for authorization.k8s.io...

- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create

So I guess it makes sense that admin would also fail. I suspect that adding - selfsubjectaccessreviews under resources would get it working for the time being.

I think I have an idea about how to resolve this so that messing w/ roles wouldn't be required. However, it's going to be at least the weekend before I can get to it (...got family in town this week).

@jobace78
Author

jobace78 commented May 2, 2019

Hi,

I've tried allowing all verbs on nonResourceURLs with no success :-(

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - get
  - list
  - proxy
  - redirect
  - watch
- nonResourceURLs:
  - "*"
  verbs:
  - "*"

@jobace78
Author

jobace78 commented May 2, 2019

FYI

I've tried with this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - create
  # - delete
  # - deletecollection
  - get
  - list
  # - patch
  - proxy
  - redirect
  # - replace
  # - update
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - "*"
  verbs:
  - "*"
- nonResourceURLs:
  - "*"
  verbs:
  # - get
  # - post
  - "*"

Unfortunately same error :-(

Also, there is no hurry, so even next week will be more than ok :-)

Thanks

@herbrandson
Collaborator

Great. Thanks for the additional info and for your patience. I'll let you know when I've made some progress.

@herbrandson
Collaborator

Hey @jobace78. Just wanted to give you a quick status update. I've been making some good progress. I found last evening that this role works...

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-temp
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: 'true'
rules:
  -
    verbs:
      - '*'
    apiGroups:
      - ""
    resources:
      - '*'

...but this one doesn't...

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-temp
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: 'true'
rules:
    resources:
      - bindings
      - configmaps
      - endpoints
      - events
      - limitranges
      - namespaces
      - namespaces/status
      - persistentvolumeclaims
      - pods
      - pods/attach
      - pods/exec
      - pods/log
      - pods/portforward
      - pods/proxy
      - pods/status
      - replicationcontrollers
      - replicationcontrollers/scale
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
      - secrets
      - serviceaccounts
      - services
      - services/proxy

This doesn't completely make sense to me though because neither of these include the authorization.k8s.io api group. I'm going to try to get some help on the "#kubernetes-security" slack channel to figure out what permission might be needed for this to work.

Thanks again for your patience.
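The two ClusterRoles above, jobace78's two attempts earlier in the thread, and the default cluster-admin role as linuxshokunin describes it can all be checked against the same request with a small model of how RBAC rules are matched. The script below is an added example written for this thread, not code from k8dash or from Kubernetes. It assumes the upstream matching semantics (a `*` entry or an exact string match for verb, apiGroup and resource; `nonResourceURLs` only apply to non-resource requests; a POST maps to the RBAC verb `create`), ignores resourceNames and subresources, models only the RBAC authorizer, and treats the login request as a SelfSubjectAccessReview whose `spec.resourceAttributes` is present but empty, which is what the response body posted above echoes back. Because every attribute of that probe is the empty string, only a rule with `*` verbs and a `*` (or `""`) apiGroup and resource can match it, which is why read-only verb lists fail even when `create` on `authorization.k8s.io` is granted. The `admin-temp-named` role is given wildcard verbs in the core group as an assumption, since the post omits them, to isolate the effect of naming resources explicitly.

```python
"""Simplified model of Kubernetes RBAC rule evaluation (added example, not
k8dash or Kubernetes code). Assumptions: '*' or exact-string matching for
verb/apiGroup/resource, nonResourceURLs only for non-resource requests,
resourceNames and subresources ignored, RBAC authorizer only."""

WILDCARD = "*"


def _entry_matches(entries, wanted):
    # '*' matches anything; otherwise an exact string match is required.
    # An empty wanted value ('') therefore matches only '*' or a literal ''.
    return any(e == WILDCARD or e == wanted for e in entries)


def _url_matches(entries, path):
    # nonResourceURLs allow a trailing '*' as a prefix wildcard.
    for entry in entries:
        if entry == WILDCARD or entry == path:
            return True
        if entry.endswith(WILDCARD) and path.startswith(entry[:-1]):
            return True
    return False


def rule_allows(rule, req):
    """One RBAC rule against one request."""
    if req.get("resource_request", True):
        return (_entry_matches(rule.get("verbs", []), req["verb"])
                and _entry_matches(rule.get("apiGroups", []), req["group"])
                and _entry_matches(rule.get("resources", []), req["resource"]))
    return (_entry_matches(rule.get("verbs", []), req["verb"])
            and _url_matches(rule.get("nonResourceURLs", []), req["path"]))


def role_allows(rules, req):
    """A request is allowed if any rule of the role allows it."""
    return any(rule_allows(rule, req) for rule in rules)


# Requests. The login probe is an SSAR with empty resourceAttributes, so every
# attribute is ''. HTTP POST to a resource collection is the RBAC verb "create".
LOGIN_PROBE = {"resource_request": True, "verb": "", "group": "", "resource": ""}
LIST_PODS = {"resource_request": True, "verb": "list", "group": "", "resource": "pods"}
CREATE_SSAR = {"resource_request": True, "verb": "create",
               "group": "authorization.k8s.io", "resource": "selfsubjectaccessreviews"}

# Roles transcribed from the thread (resource lists shortened where noted).
READ_ONLY_VERBS = ["get", "list", "proxy", "redirect", "watch"]
ROLES = {
    # jobace78's first cluster-reader role
    "cluster-reader": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": READ_ONLY_VERBS},
        {"nonResourceURLs": ["*"], "verbs": ["get"]},
    ],
    # jobace78's second attempt: create plus full authorization.k8s.io access
    "cluster-reader+authz": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["create"] + READ_ONLY_VERBS},
        {"apiGroups": ["authorization.k8s.io"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
    # herbrandson's admin-temp that works: wildcard verbs and resources, core group
    "admin-temp-wildcard": [
        {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]},
    ],
    # herbrandson's admin-temp that fails; verbs/apiGroups are ASSUMED (wildcard,
    # core group) because the post omits them, and the resource list is shortened
    "admin-temp-named": [
        {"apiGroups": [""], "verbs": ["*"],
         "resources": ["bindings", "configmaps", "pods", "secrets", "services"]},
    ],
    # cluster-admin as linuxshokunin describes it: '*' for everything
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}


def evaluate(roles=ROLES):
    """Return {role: {request_name: allowed}} for every role and request."""
    requests = {"login_probe": LOGIN_PROBE, "list_pods": LIST_PODS, "create_ssar": CREATE_SSAR}
    return {name: {rq: role_allows(rules, req) for rq, req in requests.items()}
            for name, rules in roles.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:22s} " + "  ".join(f"{k}={v}" for k, v in results.items()))
```

Running it shows that every role except `admin-temp-wildcard` and `cluster-admin` is denied the empty probe while still being allowed to list pods, and that `cluster-reader+authz` is the only non-admin role that may actually create a SelfSubjectAccessReview. The practical consequence for a defender is that a client should probe with concrete attributes (for example verb `list` on `namespaces`) rather than an empty spec, so that a least-privilege role is not forced to carry wildcard verbs just to pass a login check.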

@jobace78
Author

Hi @herbrandson, let me know if you need me to test something else or whatever.

Thanks to you :-)

@herbrandson
Collaborator

Thanks so much for offering @jobace78. It's people like you that make working on open source awesome :)

I should have something ready for an initial test by EOD. I'll keep you posted.

@herbrandson
Collaborator

@jobace78 I've pushed an update that I'm hoping you can test out for me. It's available under the "dev" label at herbrandson/k8dash:dev. This is only a first step, but it should at least resolve a couple of the core issues here.

The Good:

  • The roles "cluster-admin", "admin" and "edit" should all work as expected
  • The read-only role should be able to login and successfully view everything

The Bad:

  • The read-only role will still be able to see and "click" the edit buttons throughout the app (but an error will be displayed if any actual updates are attempted)
  • Any role that doesn't support at least "list" permissions on the "namespace" resource will not work
  • The UI does not yet "hide" menu items that the current user does not have permissions to view
  • When attempting to view a resource the current user does not have permissions to view, the UI will currently appear stuck in a "loading" state
  • No work has been put into accounts that only have permissions to a single namespace yet

Anyhow, more progress to come soon. But, I think this at least gets the main issue you are experiencing into a workable state. Let me know how it goes.

@jobace78
Author

@herbrandson I'm testing the herbrandson/k8dash:dev release with this role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - create
  # - delete
  # - deletecollection
  - get
  - list
  # - patch
  - proxy
  - redirect
  # - replace
  # - update
  - watch
- nonResourceURLs:
  - "*"
  verbs:
  - "*"

As you said, everything is working fine :-)

Next month (I'm pretty busy right now) I'll begin to test "restricted" users (reader over one namespace and admin over other namespace for example).

I'll keep you posted. Thanks for your amazing work !!!

@xakraz

xakraz commented Apr 6, 2022

Hello 👋 !
Any update on the topic?

@Anfesave

We really need an update on this topic 😢

@mkyc

mkyc commented Jul 15, 2022

Hi @herbrandson, thanks for this promising project! Can you say whether what is discussed in this issue has been released? I'd like to use this UI but in read-only mode, or maybe with an r:pod v:delete option, and I'm not sure if that is even possible now before I start tests.
