RBAC not working as expected when trying to lock namespace











up vote
1
down vote

favorite












I'm trying to lock down a namespace in kubernetes using RBAC so I followed this tutorial.

I'm working on a baremetal cluster (no minikube, no cloud provider) and installed kubernetes using Ansible.



I created the folowing namespace :



apiVersion: v1
kind: Namespace
metadata:
name: lockdown


Service account :



apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-lockdown
namespace: lockdown


Role :



kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: lockdown
rules:
- apiGroups: [""] # "" indicates the core API group
resources: [""]
verbs: [""]


RoleBinding :



apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rb-lockdown
subjects:
- kind: ServiceAccount
name: sa-lockdown
roleRef:
kind: Role
name: lockdown
apiGroup: rbac.authorization.k8s.io


And finally I tested the authorization using the next command



kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown


This SHOULD be returning "No" but I got "Yes" :-(



What am I doing wrong ?

Thx










share|improve this question


























    up vote
    1
    down vote

    favorite












    I'm trying to lock down a namespace in kubernetes using RBAC so I followed this tutorial.

    I'm working on a baremetal cluster (no minikube, no cloud provider) and installed kubernetes using Ansible.



    I created the folowing namespace :



    apiVersion: v1
    kind: Namespace
    metadata:
    name: lockdown


    Service account :



    apiVersion: v1
    kind: ServiceAccount
    metadata:
    name: sa-lockdown
    namespace: lockdown


    Role :



    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: lockdown
    rules:
    - apiGroups: [""] # "" indicates the core API group
    resources: [""]
    verbs: [""]


    RoleBinding :



    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
    name: rb-lockdown
    subjects:
    - kind: ServiceAccount
    name: sa-lockdown
    roleRef:
    kind: Role
    name: lockdown
    apiGroup: rbac.authorization.k8s.io


    And finally I tested the authorization using the next command



    kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown


    This SHOULD be returning "No" but I got "Yes" :-(



    What am I doing wrong ?

    Thx










    share|improve this question
























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I'm trying to lock down a namespace in kubernetes using RBAC so I followed this tutorial.

      I'm working on a baremetal cluster (no minikube, no cloud provider) and installed kubernetes using Ansible.



      I created the folowing namespace :



      apiVersion: v1
      kind: Namespace
      metadata:
      name: lockdown


      Service account :



      apiVersion: v1
      kind: ServiceAccount
      metadata:
      name: sa-lockdown
      namespace: lockdown


      Role :



      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
      name: lockdown
      rules:
      - apiGroups: [""] # "" indicates the core API group
      resources: [""]
      verbs: [""]


      RoleBinding :



      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
      name: rb-lockdown
      subjects:
      - kind: ServiceAccount
      name: sa-lockdown
      roleRef:
      kind: Role
      name: lockdown
      apiGroup: rbac.authorization.k8s.io


      And finally I tested the authorization using the next command



      kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown


      This SHOULD be returning "No" but I got "Yes" :-(



      What am I doing wrong ?

      Thx










      share|improve this question













      I'm trying to lock down a namespace in kubernetes using RBAC so I followed this tutorial.

      I'm working on a baremetal cluster (no minikube, no cloud provider) and installed kubernetes using Ansible.



      I created the folowing namespace :



      apiVersion: v1
      kind: Namespace
      metadata:
      name: lockdown


      Service account :



      apiVersion: v1
      kind: ServiceAccount
      metadata:
      name: sa-lockdown
      namespace: lockdown


      Role :



      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
      name: lockdown
      rules:
      - apiGroups: [""] # "" indicates the core API group
      resources: [""]
      verbs: [""]


      RoleBinding :



      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
      name: rb-lockdown
      subjects:
      - kind: ServiceAccount
      name: sa-lockdown
      roleRef:
      kind: Role
      name: lockdown
      apiGroup: rbac.authorization.k8s.io


      And finally I tested the authorization using the next command



      kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown


      This SHOULD be returning "No" but I got "Yes" :-(



      What am I doing wrong ?

      Thx







      kubernetes roles kubectl rbac






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 19 at 16:21









      Doctor

      8011126




      8011126
























          2 Answers
          2






          active

          oldest

          votes

















          up vote
          1
          down vote













          A couple possibilities:




          1. are you running the "can-i" check against the secured port or unsecured port (add --v=6 to see). Requests made against the unsecured (non-https) port are always authorized.

          2. RBAC is additive, so if there is an existing clusterrolebinding or rolebinding granting "get pods" permissions to that service account (or one of the groups system:serviceaccounts:lockdown, system:serviceaccounts, or system:authenticated), then that service account will have that permission. You cannot "ungrant" permissions by binding more restrictive roles






          share|improve this answer





















          • Thanks for your answer ! Unfortunatly my cluster died :-( - I'll need more time to test this solution !
            – Doctor
            Nov 20 at 16:22


















          up vote
          1
          down vote



          accepted










          I finally found what was the problem.



          The role and rolebinding must be created inside the targeted namespace.



          I changed the following role and rolebinding types by specifying the namespace inside the yaml directly.



          kind: Role
          apiVersion: rbac.authorization.k8s.io/v1
          metadata:
          name: lockdown
          namespace: lockdown
          rules:
          - apiGroups:
          - ""
          resources:
          - pods
          verbs:
          - get
          - watch
          - list
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: RoleBinding
          metadata:
          name: rb-lockdown
          namespace: lockdown
          subjects:
          - kind: ServiceAccount
          name: sa-lockdown
          roleRef:
          kind: Role
          name: lockdown
          apiGroup: rbac.authorization.k8s.io


          In this example I gave permission to the user sa-lockdown to get, watch and list the pods in the namespace lockdown.





          Now if I ask to get the pods : kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return yes.



          On the contrary if ask to get the deployments : kubectl auth can-i get deployments --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return no.





          You can also leave the files like they were in the question and simply create them using kubectl create -f <file> -n lockdown.






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53378787%2frbac-not-working-as-expected-when-trying-to-lock-namespace%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            1
            down vote













            A couple possibilities:




            1. are you running the "can-i" check against the secured port or unsecured port (add --v=6 to see). Requests made against the unsecured (non-https) port are always authorized.

            2. RBAC is additive, so if there is an existing clusterrolebinding or rolebinding granting "get pods" permissions to that service account (or one of the groups system:serviceaccounts:lockdown, system:serviceaccounts, or system:authenticated), then that service account will have that permission. You cannot "ungrant" permissions by binding more restrictive roles






            share|improve this answer





















            • Thanks for your answer ! Unfortunatly my cluster died :-( - I'll need more time to test this solution !
              – Doctor
              Nov 20 at 16:22















            up vote
            1
            down vote













            A couple possibilities:




            1. are you running the "can-i" check against the secured port or unsecured port (add --v=6 to see). Requests made against the unsecured (non-https) port are always authorized.

            2. RBAC is additive, so if there is an existing clusterrolebinding or rolebinding granting "get pods" permissions to that service account (or one of the groups system:serviceaccounts:lockdown, system:serviceaccounts, or system:authenticated), then that service account will have that permission. You cannot "ungrant" permissions by binding more restrictive roles






            share|improve this answer





















            • Thanks for your answer ! Unfortunatly my cluster died :-( - I'll need more time to test this solution !
              – Doctor
              Nov 20 at 16:22













            up vote
            1
            down vote










            up vote
            1
            down vote









            A couple possibilities:




            1. are you running the "can-i" check against the secured port or unsecured port (add --v=6 to see). Requests made against the unsecured (non-https) port are always authorized.

            2. RBAC is additive, so if there is an existing clusterrolebinding or rolebinding granting "get pods" permissions to that service account (or one of the groups system:serviceaccounts:lockdown, system:serviceaccounts, or system:authenticated), then that service account will have that permission. You cannot "ungrant" permissions by binding more restrictive roles






            share|improve this answer












            A couple possibilities:




            1. are you running the "can-i" check against the secured port or unsecured port (add --v=6 to see). Requests made against the unsecured (non-https) port are always authorized.

            2. RBAC is additive, so if there is an existing clusterrolebinding or rolebinding granting "get pods" permissions to that service account (or one of the groups system:serviceaccounts:lockdown, system:serviceaccounts, or system:authenticated), then that service account will have that permission. You cannot "ungrant" permissions by binding more restrictive roles







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 20 at 0:34









            Jordan Liggitt

            6,7612522




            6,7612522












            • Thanks for your answer ! Unfortunatly my cluster died :-( - I'll need more time to test this solution !
              – Doctor
              Nov 20 at 16:22


















            • Thanks for your answer ! Unfortunatly my cluster died :-( - I'll need more time to test this solution !
              – Doctor
              Nov 20 at 16:22
















            Thanks for your answer ! Unfortunatly my cluster died :-( - I'll need more time to test this solution !
            – Doctor
            Nov 20 at 16:22




            Thanks for your answer ! Unfortunatly my cluster died :-( - I'll need more time to test this solution !
            – Doctor
            Nov 20 at 16:22












            up vote
            1
            down vote



            accepted










            I finally found what was the problem.



            The role and rolebinding must be created inside the targeted namespace.



            I changed the following role and rolebinding types by specifying the namespace inside the yaml directly.



            kind: Role
            apiVersion: rbac.authorization.k8s.io/v1
            metadata:
            name: lockdown
            namespace: lockdown
            rules:
            - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - watch
            - list
            ---
            apiVersion: rbac.authorization.k8s.io/v1
            kind: RoleBinding
            metadata:
            name: rb-lockdown
            namespace: lockdown
            subjects:
            - kind: ServiceAccount
            name: sa-lockdown
            roleRef:
            kind: Role
            name: lockdown
            apiGroup: rbac.authorization.k8s.io


            In this example I gave permission to the user sa-lockdown to get, watch and list the pods in the namespace lockdown.





            Now if I ask to get the pods : kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return yes.



            On the contrary if ask to get the deployments : kubectl auth can-i get deployments --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return no.





            You can also leave the files like they were in the question and simply create them using kubectl create -f <file> -n lockdown.






            share|improve this answer



























              up vote
              1
              down vote



              accepted










              I finally found what was the problem.



              The role and rolebinding must be created inside the targeted namespace.



              I changed the following role and rolebinding types by specifying the namespace inside the yaml directly.



              kind: Role
              apiVersion: rbac.authorization.k8s.io/v1
              metadata:
              name: lockdown
              namespace: lockdown
              rules:
              - apiGroups:
              - ""
              resources:
              - pods
              verbs:
              - get
              - watch
              - list
              ---
              apiVersion: rbac.authorization.k8s.io/v1
              kind: RoleBinding
              metadata:
              name: rb-lockdown
              namespace: lockdown
              subjects:
              - kind: ServiceAccount
              name: sa-lockdown
              roleRef:
              kind: Role
              name: lockdown
              apiGroup: rbac.authorization.k8s.io


              In this example I gave permission to the user sa-lockdown to get, watch and list the pods in the namespace lockdown.





              Now if I ask to get the pods : kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return yes.



              On the contrary if ask to get the deployments : kubectl auth can-i get deployments --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return no.





              You can also leave the files like they were in the question and simply create them using kubectl create -f <file> -n lockdown.






              share|improve this answer

























                up vote
                1
                down vote



                accepted







                up vote
                1
                down vote



                accepted






                I finally found what was the problem.



                The role and rolebinding must be created inside the targeted namespace.



                I changed the following role and rolebinding types by specifying the namespace inside the yaml directly.



                kind: Role
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                name: lockdown
                namespace: lockdown
                rules:
                - apiGroups:
                - ""
                resources:
                - pods
                verbs:
                - get
                - watch
                - list
                ---
                apiVersion: rbac.authorization.k8s.io/v1
                kind: RoleBinding
                metadata:
                name: rb-lockdown
                namespace: lockdown
                subjects:
                - kind: ServiceAccount
                name: sa-lockdown
                roleRef:
                kind: Role
                name: lockdown
                apiGroup: rbac.authorization.k8s.io


                In this example I gave permission to the user sa-lockdown to get, watch and list the pods in the namespace lockdown.





                Now if I ask to get the pods : kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return yes.



                On the contrary if ask to get the deployments : kubectl auth can-i get deployments --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return no.





                You can also leave the files like they were in the question and simply create them using kubectl create -f <file> -n lockdown.






                share|improve this answer














                I finally found what was the problem.



                The role and rolebinding must be created inside the targeted namespace.



                I changed the following role and rolebinding types by specifying the namespace inside the yaml directly.



                kind: Role
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                name: lockdown
                namespace: lockdown
                rules:
                - apiGroups:
                - ""
                resources:
                - pods
                verbs:
                - get
                - watch
                - list
                ---
                apiVersion: rbac.authorization.k8s.io/v1
                kind: RoleBinding
                metadata:
                name: rb-lockdown
                namespace: lockdown
                subjects:
                - kind: ServiceAccount
                name: sa-lockdown
                roleRef:
                kind: Role
                name: lockdown
                apiGroup: rbac.authorization.k8s.io


                In this example I gave permission to the user sa-lockdown to get, watch and list the pods in the namespace lockdown.





                Now if I ask to get the pods : kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return yes.



                On the contrary if ask to get the deployments : kubectl auth can-i get deployments --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown it will return no.





                You can also leave the files like they were in the question and simply create them using kubectl create -f <file> -n lockdown.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Nov 26 at 10:27

























                answered Nov 22 at 14:02









                Doctor

                8011126




                8011126






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53378787%2frbac-not-working-as-expected-when-trying-to-lock-namespace%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

                    Alcedinidae

                    Origin of the phrase “under your belt”?