I'm running a GKE 1.8.4 cluster, and seeing an issue with requests to access resources being permitted, even though RBAC is denying them.
From logs/kube-apiserver.log (I've replaced my username and the username I'm impersonating with <my_user> and <other_user>):
I1218 13:30:38.644205 5 httplog.go:64] &{<my_user> [system:authenticated] map[]} is acting as &{<other_user> [system:authenticated] map[]}
I1218 13:30:38.644297 5 rbac.go:116] RBAC DENY: user "<other_user>" groups ["system:authenticated"] cannot "list" resource "secrets" in namespace "prod"
I1218 13:30:38.676079 5 wrap.go:42] GET /api/v1/namespaces/prod/secrets: (32.043196ms) 200 [[kubectl/v1.8.4 (linux/amd64) kubernetes/9befc2b]
Why is the API proceeding to the GET after the RBAC DENY (and ultimately returning the secrets in response to my kubectl command)?
FWIW, my kubectl command is: kubectl get secrets --namespace prod --as <other_user>
I suspect there's another authorizer that's allowing it, though I've done everything I know of to ensure there isn't (ABAC should be disabled, as I'm on 1.8; the Google Cloud console shows it as being disabled, and I'm seeing "legacyAbac: {}" in the response from gcloud beta container clusters describe).
GKE enables both the RBAC authorizer and a webhook authorizer that consults GKE IAM. Does the specified username have permissions via GKE?
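The three log lines in the question show the pattern the answer describes: RBAC is only one authorizer in the chain, and a later one (on GKE, the IAM webhook) can still allow the request, so a "RBAC DENY" line followed by a 200 is the signature to look for when auditing who really has access. The following script is an added example, not code from the thread or from Kubernetes; it parses kube-apiserver log lines of the three kinds shown above (impersonation, RBAC DENY, completed request) and flags denies that were followed by a successful response for the same namespace and resource. The sample log is constructed, with placeholder usernames alice, bob and carol. Because these log lines carry no request id at this verbosity, the pairing is a heuristic: each DENY is matched with the next completed request whose path contains the denied resource, which is reliable on a quiet apiserver but not on a busy one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the log excerpt in the question (placeholder users).
# Request 1: alice impersonates bob, RBAC denies, request still returns 200.
# Request 2: carol is denied by RBAC and the request returns 403 (no other authorizer allowed it).
SAMPLE_LOG = """\
I1218 13:30:38.644205 5 httplog.go:64] &{alice [system:authenticated] map[]} is acting as &{bob [system:authenticated] map[]}
I1218 13:30:38.644297 5 rbac.go:116] RBAC DENY: user "bob" groups ["system:authenticated"] cannot "list" resource "secrets" in namespace "prod"
I1218 13:30:38.676079 5 wrap.go:42] GET /api/v1/namespaces/prod/secrets: (32.043196ms) 200 [[kubectl/v1.8.4 (linux/amd64) kubernetes/9befc2b]
I1218 13:31:02.100000 5 rbac.go:116] RBAC DENY: user "carol" groups ["system:authenticated"] cannot "get" resource "pods" in namespace "dev"
I1218 13:31:02.101000 5 wrap.go:42] GET /api/v1/namespaces/dev/pods: (1.000000ms) 403 [[kubectl/v1.8.4 (linux/amd64) kubernetes/9befc2b]
"""

# Patterns for the three line kinds seen in the excerpt.
IMPERSONATE_RE = re.compile(
    r"&\{(?P<actor>\S+) \[.*?\] map\[.*?\]\} is acting as &\{(?P<target>\S+) "
)
DENY_RE = re.compile(
    r'RBAC DENY: user "(?P<user>[^"]+)" groups \[(?P<groups>[^\]]*)\] '
    r'cannot "(?P<verb>[^"]+)" resource "(?P<resource>[^"]+)"'
    r'(?: in namespace "(?P<ns>[^"]+)")?'
)
WRAP_RE = re.compile(
    r"wrap\.go:\d+\] (?P<method>[A-Z]+) (?P<path>\S+?): \([^)]*\) (?P<status>\d{3}) "
)


@dataclass
class Finding:
    user: str                      # subject RBAC evaluated (the impersonated user, if any)
    impersonated_by: Optional[str] # real caller when --as was used, else None
    verb: str
    resource: str
    namespace: Optional[str]
    method: str
    path: str
    status: int

    @property
    def allowed_by_other_authorizer(self) -> bool:
        # RBAC said no, yet the request succeeded: another authorizer in the chain allowed it.
        return 200 <= self.status < 300


def path_matches(path: str, resource: str, namespace: Optional[str]) -> bool:
    """Heuristic: does this request path refer to the denied resource (and namespace)?"""
    if namespace is not None:
        return f"/namespaces/{namespace}/{resource}" in path
    return path.rstrip("/").endswith(f"/{resource}") or f"/{resource}/" in path


def find_rbac_denies_with_outcome(log_text: str) -> List[Finding]:
    """Pair each RBAC DENY with the next completed request for the same resource."""
    findings: List[Finding] = []
    pending_impersonation: Optional[Tuple[str, str]] = None  # (actor, target)
    pending_deny: Optional[Tuple[re.Match, Optional[str]]] = None
    for line in log_text.splitlines():
        if m := IMPERSONATE_RE.search(line):
            pending_impersonation = (m["actor"], m["target"])
            continue
        if m := DENY_RE.search(line):
            actor = None
            if pending_impersonation and pending_impersonation[1] == m["user"]:
                actor = pending_impersonation[0]
            pending_deny = (m, actor)
            continue
        if (m := WRAP_RE.search(line)) and pending_deny:
            deny, actor = pending_deny
            if path_matches(m["path"], deny["resource"], deny["ns"]):
                findings.append(Finding(
                    user=deny["user"], impersonated_by=actor, verb=deny["verb"],
                    resource=deny["resource"], namespace=deny["ns"],
                    method=m["method"], path=m["path"], status=int(m["status"]),
                ))
                pending_deny = None
                pending_impersonation = None
    return findings


def authorizer_overrides(log_text: str) -> List[Finding]:
    """Only the denies that a later authorizer turned into a success."""
    return [f for f in find_rbac_denies_with_outcome(log_text) if f.allowed_by_other_authorizer]


if __name__ == "__main__":
    for f in authorizer_overrides(SAMPLE_LOG):
        via = f" (impersonated by {f.impersonated_by})" if f.impersonated_by else ""
        print(f"RBAC denied {f.verb} {f.resource} in {f.namespace} for {f.user}{via}, "
              f"but {f.method} {f.path} returned {f.status}")
```

On the constructed sample this reports only the first request (bob, impersonated by alice, list secrets in prod, 200). For confirming effective permissions rather than reading logs, kubectl auth can-i submits a SelfSubjectAccessReview, which is evaluated by the whole authorizer chain, so its answer reflects the webhook authorizer as well as RBAC.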