I am trying to give service account permissions to run kubectl apply -f somerole.yaml
on an existing role.
I created a service account with the following permissions:
cat > ~/tmp/Role.yaml <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: my-role6
rules:
- apiGroups: ["*"]
resources: ["roles"]
verbs: ["replace", "patch", "get", "list", "create"]
EOF
kubectl create -f ~/tmp/Role.yaml
All the background permissions (RoleBinding, context) seems to be good because if I add pods
in the resources field I can use:kubectl get pods --context=myservice6-context
When I run:
kubectl apply -f malrole.yaml --context=$CONTEXT_NAME
I received:
Error from server (Forbidden): error when creating "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]}] ruleResolutionErrors=[]
More readable version:
Error from server (Forbidden):
error when creating "malrole.yaml":
roles.rbac.authorization.k8s.io "testrole" is forbidden:
attempt to grant extra privileges:
[
PolicyRule{
Resources:["pods"], APIGroups:["*"], Verbs:["get"]
}
]
user=&{
system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928
[system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]
}
ownerrules=[
PolicyRule{
Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"],
Verbs:["create"]
}
PolicyRule{
NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"],
Verbs:["get"]
}
PolicyRule{
Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]
}
]
ruleResolutionErrors=[]
malrole.yaml (the file I tried to apply):
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: testrole
rules:
- apiGroups: ["*"]
resources: ["pods"]
verbs: ["get"]
It writes:
An attemp to grant extra privileges...
Which is taken from this line in the code:
https://github.com/kubernetes/kubernetes/blob/4d9873556201f2766ccf6161f7beac5f76b8fd60/pkg/registry/rbac/validation/rule.go#L52
Not sure why.
According to the documentation:
ConfirmNoEscalation determines if the roles for a given user in a given namespace encompass the provided role.
But I tried also give myself more permissions (see in the edit) and I still received this error.
EDIT:
even when I change the permissions to
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: my-role6
rules:
- apiGroups: ["*"]
resources: ["roles"]
verbs: ["*"]
I received:
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1beta1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"testrole\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"pods\"],\"verbs\":[\"list\",\"get\"]}]}\n"}},"rules":[{"apiGroups":["*"],"resources":["pods"],"verbs":["list","get"]}]}
to:
&{0xc420b26840 0xc4202b18f0 default testrole malrole.yaml 0xc4211a8988 0xc42000c008 1638 false}
for: "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["*"]}] ruleResolutionErrors=[]
@liggitt told me that
Escalation prevention rejects attempts to create roles containing permissions you do not already possess
I found that in order to be able to apply roles I need to have the following permissions:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: $ROLE_NAME
rules:
- apiGroups: ["*"]
resources: ["roles", "pods"]
verbs: ["patch", "get", "list"]
I am not sure why pods
should be part of the resource when I am just applying a roles. But maybe the applying is using some system pod for that.
As it was mentioned in the above link:
To allow a user to create/update roles:
- Grant them a role that allows them to create/update Role or ClusterRole objects, as desired.
- Grant them roles containing the permissions you would want them to be able to set in a Role or ClusterRole. If they attempt to create or modify a Role or ClusterRole with permissions they themselves have not been granted, the API request will be forbidden.