How to enable RBAC on existing Kubernetes Cluster

2/28/2018

In the Kubernetes documentation it says:

To enable RBAC, start the apiserver with --authorization-mode=RBAC

How do you upgrade an existing cluster and/or how to see if RBAC is enabled?

I have created my cluster on Google k8s clusters and only have kubectl.

I have seen this but it kind of did not help.

-- Chris G.
google-kubernetes-engine
kubernetes

2 Answers

2/28/2018

Could you SSH to the master node/nodes and edit /etc/kubernetes/manifests/kube-apiserver.yaml

You should see something like the below in the file:

command:
    - "/hyperkube"
    - "apiserver"
    - "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
    - "--address=0.0.0.0"
    - "--allow-privileged"
    - "--insecure-port=8080"
    - "--secure-port=443"
    - "--cloud-provider=azure"
    - "--cloud-config=/etc/kubernetes/azure.json"
    - "--service-cluster-ip-range=10.0.0.0/16"
    - "--etcd-servers=http://127.0.0.1:2379"
    - "--etcd-quorum-read=true"
    - "--advertise-address=10.240.255.15"
    - "--tls-cert-file=/etc/kubernetes/certs/apiserver.crt"
    - "--tls-private-key-file=/etc/kubernetes/certs/apiserver.key"
    - "--client-ca-file=/etc/kubernetes/certs/ca.crt"
    - "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
    - "--storage-backend=etcd2"
    - "--v=4"

Just add --authorization-mode=RBAC and reboot the node and it should work.

Something like

command:
    - "/hyperkube"
    - "apiserver"
    - "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
    - "--address=0.0.0.0"
    - "--allow-privileged"
    - "--insecure-port=8080"
    - "--secure-port=443"
    - "--cloud-provider=azure"
    - "--cloud-config=/etc/kubernetes/azure.json"
    - "--service-cluster-ip-range=10.0.0.0/16"
    - "--etcd-servers=http://127.0.0.1:2379"
    - "--etcd-quorum-read=true"
    - "--advertise-address=10.240.255.15"
    - "--tls-cert-file=/etc/kubernetes/certs/apiserver.crt"
    - "--tls-private-key-file=/etc/kubernetes/certs/apiserver.key"
    - "--client-ca-file=/etc/kubernetes/certs/ca.crt"
    - "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
    - "--storage-backend=etcd2"
    - "--v=4"
    - "--authorization-mode=RBAC"

Note that this is surely not the official way, but it did work for me running Kubernetes 1.8.

-- Kimmo Hintikka
Source: StackOverflow
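The manual edit in the answer above, scripted, as an added example that is not part of the question or either answer. It is written for a self-managed master where you can edit /etc/kubernetes/manifests/kube-apiserver.yaml (it does not apply to a GKE master, which Google manages). Two things the hand edit glosses over are handled: if --authorization-mode is already set (kubeadm clusters use Node,RBAC), RBAC is appended to the existing list rather than adding a second flag, and since the apiserver default when the flag is absent is AlwaysAllow, a missing flag is treated as "RBAC off". It also reports whether --insecure-port is non-zero, because requests on the insecure port skip authentication and authorization entirely, so enabling RBAC does nothing for clients that can reach that port. The manifest produced by sample_manifest is constructed for this example and trimmed from the shape shown in the answer; real paths and values differ per cluster.

```shell
#!/bin/sh
# Added example, not the original poster's or the Kubernetes project's code.
# The manifest written by sample_manifest is constructed for this example.

# Write a constructed kube-apiserver static-pod manifest to the path in $1.
sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - "/hyperkube"
    - "apiserver"
    - "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
    - "--insecure-port=8080"
    - "--secure-port=443"
    - "--client-ca-file=/etc/kubernetes/certs/ca.crt"
    - "--v=4"
EOF
}

# Print the current value of --authorization-mode (empty if the flag is absent,
# which means the apiserver default, AlwaysAllow, is in effect).
get_authz_mode() {
  grep -o -e '--authorization-mode=[^"]*' "$1" | head -n 1 | cut -d= -f2
}

# Return 0 if RBAC is one of the comma-separated authorizers, 1 otherwise.
has_rbac() {
  mode=$(get_authz_mode "$1")
  case ",$mode," in
    *,RBAC,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Rewrite the manifest in place so that RBAC is enabled:
#   flag absent            -> add "--authorization-mode=RBAC" after the last arg
#   flag set, no RBAC      -> append ",RBAC" so existing authorizers (e.g. Node) survive
#   flag already has RBAC  -> leave the file untouched (idempotent)
ensure_rbac() {
  manifest=$1
  if has_rbac "$manifest"; then
    return 0
  fi
  mode=$(get_authz_mode "$manifest")
  tmp="$manifest.tmp"
  if [ -z "$mode" ]; then
    # Insert a new list item after the last '- "--…"' argument, keeping its indentation.
    awk '
      /^ *- "--/ { last = NR }
      { lines[NR] = $0 }
      END {
        for (i = 1; i <= NR; i++) {
          print lines[i]
          if (i == last) {
            indent = lines[i]; sub(/-.*/, "", indent)
            print indent "- \"--authorization-mode=RBAC\""
          }
        }
      }' "$manifest" > "$tmp"
  else
    sed "s/--authorization-mode=$mode/--authorization-mode=$mode,RBAC/" "$manifest" > "$tmp"
  fi
  mv "$tmp" "$manifest"
}

# Return 0 if the insecure (plain HTTP, unauthenticated) port is enabled.
# Requests on that port bypass authentication and authorization, so RBAC
# does not protect anything reachable through it.
insecure_port_open() {
  port=$(grep -o -e '--insecure-port=[0-9]*' "$1" | head -n 1 | cut -d= -f2)
  [ -n "$port" ] && [ "$port" != 0 ]
}

# Demo on the constructed manifest in a temporary directory.
demo_dir=$(mktemp -d)
sample_manifest "$demo_dir/kube-apiserver.yaml"
ensure_rbac "$demo_dir/kube-apiserver.yaml"
echo "authorization-mode is now: $(get_authz_mode "$demo_dir/kube-apiserver.yaml")"
if insecure_port_open "$demo_dir/kube-apiserver.yaml"; then
  echo "warning: --insecure-port is enabled; RBAC does not apply to that port"
fi
rm -rf "$demo_dir"
```

On a real master, point ensure_rbac at /etc/kubernetes/manifests/kube-apiserver.yaml; the kubelet restarts the static pod when the manifest changes, so the reboot in the answer is not strictly needed. Checking the manifest is the authoritative test: `kubectl api-versions` listing rbac.authorization.k8s.io only shows that the RBAC API group is served, not that the RBAC authorizer is in --authorization-mode.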

2/28/2018

The Google public documentation addresses how to use RBAC on Google Kubernetes Engine Clusters. For GKE Clusters running 1.6 or 1.7, you must create or update your cluster with the --no-enable-legacy-authorization flag. For version 1.8 or later, legacy authorization is disabled by default.

You can update your cluster using gcloud container clusters update [CLUSTER_NAME] --no-enable-legacy-authorization.

The RBAC API is already enabled with GKE (rbac.authorization.k8s.io), so you can start creating objects.

-- Patrick W
Source: StackOverflow