I am using x509 authentication for a user in Kubernetes, which works fine. However, providing access to the deployments does not seem to be working, as shown below:
Roles:
# kubectl get rolebindings devops-rb -n demo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: 2018-03-26T13:43:49Z
  name: devops-rb
  namespace: demo
  resourceVersion: "2530329"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/demo/rolebindings/devops-rb
  uid: b6c17e28-30fb-11e8-b530-000d3a11bb2f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: devops-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: devops
Role Bindings:
# kubectl get roles devops-role -n demo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: 2018-03-26T13:43:49Z
  name: devops-role
  namespace: demo
  resourceVersion: "2538402"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/demo/roles/devops-role
  uid: b6bee0fb-30fb-11e8-b530-000d3a11bb2f
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  - services
  - replicasets
  - persistentvolumeclaims
  - deployments
  verbs:
  - get
  - list
  - watch
Trying to list deployments using user config:
# kubectl --kubeconfig /root/.kube/config-tesla get deploy -n demo
Error from server (Forbidden): deployments.extensions is forbidden: User "tesla" cannot list deployments.extensions in the namespace "demo"
Trying to list deployments using the admin config:
# kubectl get deploy -n demo
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
wordpress 1 1 1 1 13d
wordpress-mysql 1 1 1 1 13d
Trying to list pods using user config:
# kubectl --kubeconfig /root/.kube/config-tesla get po -n demo
NAME READY STATUS RESTARTS AGE
ncp-centos-pod 1/1 Running 0 12d
wordpress-77d578745-vdgr9 1/1 Running 0 13d
wordpress-mysql-58cf8dc9f9-pzvbs 1/1 Running 0 13d
Trying to list pods using admin config:
# kubectl get pods -n demo
NAME READY STATUS RESTARTS AGE
ncp-centos-pod 1/1 Running 0 12d
wordpress-77d578745-vdgr9 1/1 Running 0 13d
wordpress-mysql-58cf8dc9f9-pzvbs 1/1 Running 0 13d
You can check this by executing the command kubectl api-versions; if RBAC is enabled you should see the API version rbac.authorization.k8s.io/v1.
RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API.
replicasets and deployments exist in the "extensions" and "apps" API groups, not in the legacy "" group.
Try:
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  - services
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
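To make the reason for the Forbidden error concrete, here is a small evaluator of RBAC PolicyRules, written as an added example for this page (it is not code from the original question or answer, and not the Kubernetes authorizer itself). It transcribes the original devops-role and the corrected rules into Python dicts and checks a request the way the RBAC authorizer does at its core: a request is allowed only if some single rule matches the API group, the resource and the verb at once. The `split_resource` helper parses the `resource.group` form that appears in kubectl's error message (`deployments.extensions`) into the pair the rule lookup needs. Subresources, resourceNames and nonResourceURLs are deliberately left out.

```python
"""Minimal evaluator for Kubernetes RBAC PolicyRules (added example).

Shows why a rule that names `deployments` under the core ("") API group
does not grant `list deployments`: kubectl requests that resource from
the extensions (or apps) group, and an RBAC rule only matches when the
group, resource and verb all match within the same rule.
"""
from typing import Dict, List, Tuple

PolicyRule = Dict[str, List[str]]


def _matches(allowed: List[str], value: str) -> bool:
    """A rule field matches when it lists the value or the wildcard "*"."""
    return "*" in allowed or value in allowed


def is_allowed(rules: List[PolicyRule], api_group: str, resource: str, verb: str) -> bool:
    """Return True if any single rule grants `verb` on `resource` in `api_group`.

    Each PolicyRule is evaluated on its own; permissions from different
    rules are not combined across fields (only subresources, resourceNames
    and nonResourceURLs are omitted here for brevity).
    """
    for rule in rules:
        if (_matches(rule.get("apiGroups", []), api_group)
                and _matches(rule.get("resources", []), resource)
                and _matches(rule.get("verbs", []), verb)):
            return True
    return False


def split_resource(qualified: str) -> Tuple[str, str]:
    """Parse kubectl's `resource.group` form, e.g. "deployments.extensions".

    A bare resource name such as "pods" belongs to the core group, which
    RBAC spells as the empty string "".
    """
    resource, _, group = qualified.partition(".")
    return resource, group


# The devops-role from the question, transcribed from its YAML.
ORIGINAL_RULES: List[PolicyRule] = [
    {"apiGroups": [""],
     "resources": ["pods", "secrets", "services", "replicasets",
                   "persistentvolumeclaims", "deployments"],
     "verbs": ["get", "list", "watch"]},
]

# The corrected rules from the answer: deployments and replicasets are
# granted in the extensions and apps groups instead of the core group.
FIXED_RULES: List[PolicyRule] = [
    {"apiGroups": [""],
     "resources": ["pods", "secrets", "services", "persistentvolumeclaims"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions", "apps"],
     "resources": ["deployments", "replicasets"],
     "verbs": ["get", "list", "watch"]},
]


def check(rules: List[PolicyRule], verb: str, qualified_resource: str) -> bool:
    """Evaluate a request written the way kubectl reports it."""
    resource, group = split_resource(qualified_resource)
    return is_allowed(rules, group, resource, verb)


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for req in (("list", "pods"), ("list", "deployments.extensions"),
                    ("get", "deployments.apps"), ("delete", "deployments.apps")):
            verdict = "allowed" if check(rules, *req) else "forbidden"
            print(f"{label:8s} {req[0]:6s} {req[1]:24s} -> {verdict}")
```

Against a live cluster the same question can be put to the API server directly with `kubectl auth can-i list deployments.apps --as=tesla --as-group=devops -n demo`, which exercises the real authorizer (including any ClusterRoleBindings) rather than this approximation.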