Kubernetes ABAC mode not working

2/20/2017

I found a few people that tried to tackle this, only slightly relevant posts here and here but doesn't solve it for me.

The problem: I want to create a read-only user for my cluster using ABAC policy. My cluster has 3 masters and 3 workers, version 1.4.7 hosted on AWS.

I edited my manifests/apiserver.yml like so on all 3 masters (added these 3 lines; at the bottom of the file I of course mounted the relevant paths, etc.):

  • --token-auth-file=/etc/kubernetes/policy/user-tokens.csv
  • --authorization-mode=ABAC
  • --authorization-policy-file=/etc/kubernetes/policy/apiusers.yml

my apiuser.yml looks like this:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "*", "namespace": "*", "resource": "*", "apiGroup": "*"}}

My users-token.csv looks like this:

tdU0ynyO3wG6UAzwWP0DO7wvF2tH8pbH,bob,bob

My kubeconfig file has this in it:

users:
- name: bob
  user:
    token: tdU0ynyO3wG6UAzwWP0DO7wvF2tH8pbH

When I try kubectl get nodes it fails. I can print the output with --v=8 if it's relevant, but it basically says Forbidden (403). It seems to me I'm missing something fundamental here: the policy is in place and blocking everything and everyone, though it should allow authenticated users read-only rights.

Any kind of help or suggestions would be most appreciated.

-- Naim Salameh
abac
kubernetes

1 Answer

2/20/2017

The system:authenticated group was added in 1.5.

Prior to 1.5, you can use "user":"*".

-- Jordan Liggitt
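To see why the asker's policy denies bob on 1.4.7 but the answer's "user":"*" policy does not, here is an added example (not code from the question, the answer, or the Kubernetes project) that models the documented ABAC matching rules for resource requests: every subject field a policy names must match, a readonly policy never grants write verbs, and the request is denied unless some policy line allows it. The function names are mine, the policy strings are constructed from the question, and nonResourcePath matching is left out; the fact that token-file users only carry system:authenticated from 1.5 on is taken from the answer above.

```python
import json

READ_ONLY_VERBS = {"get", "list", "watch"}

def subject_matches(spec, user, groups):
    """A policy must name a user or a group ("*" is a wildcard) and every
    subject field it names must match; a spec naming neither matches nobody."""
    matched = False
    if spec.get("user"):
        if spec["user"] not in ("*", user):
            return False
        matched = True
    if spec.get("group"):
        if spec["group"] != "*" and spec["group"] not in groups:
            return False
        matched = True
    return matched

def policy_allows(spec, user, groups, verb, resource, namespace, api_group):
    """Resource requests only; nonResourcePath is not modelled here."""
    if not subject_matches(spec, user, groups):
        return False
    if spec.get("readonly", False) and verb not in READ_ONLY_VERBS:
        return False  # a readonly policy never grants a write verb
    wanted = (("namespace", namespace), ("resource", resource), ("apiGroup", api_group))
    return all(spec.get(k, "") in ("*", v) for k, v in wanted)

def authorize(policy_text, user, groups, verb, resource, namespace="", api_group=""):
    """Deny by default; allow if any policy line (one JSON object per line) grants it."""
    policies = [json.loads(l) for l in policy_text.splitlines() if l.strip()]
    return any(policy_allows(p["spec"], user, groups, verb, resource, namespace, api_group)
               for p in policies)

# Constructed inputs: the asker's group policy and the answer's pre-1.5 alternative.
GROUP_POLICY = ('{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", '
                '"spec": {"group": "system:authenticated", "readonly": true, '
                '"namespace": "*", "resource": "*", "apiGroup": "*"}}')
USER_POLICY = GROUP_POLICY.replace('"group": "system:authenticated"', '"user": "*"')

def check_bob():
    """bob from the token CSV carries no groups on 1.4.7; 1.5+ adds system:authenticated."""
    groups_147, groups_15 = [], ["system:authenticated"]
    return {
        "group policy on 1.4.7": authorize(GROUP_POLICY, "bob", groups_147, "list", "nodes"),
        "group policy on 1.5": authorize(GROUP_POLICY, "bob", groups_15, "list", "nodes"),
        "user * policy on 1.4.7": authorize(USER_POLICY, "bob", groups_147, "list", "nodes"),
        "user * policy, write": authorize(USER_POLICY, "bob", groups_147, "delete", "nodes"),
    }
```

Running check_bob() reproduces the 403: on 1.4.7 bob has no group for the policy to match, while "user":"*" matches him and still refuses the delete because of readonly.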
Source: StackOverflow