RBAC not working as expected when trying to lock namespace

11/19/2018

I'm trying to lock down a namespace in kubernetes using RBAC so I followed this tutorial.
I'm working on a baremetal cluster (no minikube, no cloud provider) and installed kubernetes using Ansible.

I created the following namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: lockdown

Service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-lockdown
  namespace: lockdown

Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lockdown
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: [""]
  verbs: [""]

RoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rb-lockdown
subjects:
- kind: ServiceAccount
  name: sa-lockdown
roleRef:
  kind: Role
  name: lockdown
  apiGroup: rbac.authorization.k8s.io

And finally I tested the authorization using the following command:

kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown

This SHOULD return "No", but I got "Yes" :-(

What am I doing wrong?
Thx

-- Doctor
kubectl
kubernetes
rbac
roles

2 Answers

11/22/2018

I finally found what was the problem.

The role and rolebinding must be created inside the targeted namespace.

I changed the following Role and RoleBinding by specifying the namespace inside the YAML directly.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lockdown
  namespace: lockdown
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rb-lockdown
  namespace: lockdown
subjects:
- kind: ServiceAccount
  name: sa-lockdown
roleRef:
  kind: Role
  name: lockdown
  apiGroup: rbac.authorization.k8s.io

In this example I gave permission to the user sa-lockdown to get, watch and list the pods in the namespace lockdown.


Now if I ask to get the pods: kubectl auth can-i get pods --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown, it will return yes.

On the contrary, if I ask to get the deployments: kubectl auth can-i get deployments --namespace lockdown --as system:serviceaccount:lockdown:sa-lockdown, it will return no.


You can also leave the files like they were in the question and simply create them using kubectl create -f <file> -n lockdown.

-- Doctor
Source: StackOverflow

11/20/2018

A couple possibilities:

  1. Are you running the "can-i" check against the secured port or the unsecured port (add --v=6 to see)? Requests made against the unsecured (non-HTTPS) port are always authorized.
  2. RBAC is additive, so if there is an existing ClusterRoleBinding or RoleBinding granting "get pods" permissions to that service account (or one of the groups system:serviceaccounts:lockdown, system:serviceaccounts, or system:authenticated), then that service account will have that permission. You cannot "ungrant" permissions by binding more restrictive roles.
-- Jordan Liggitt
Source: StackOverflow
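The two answers above make three points that are easy to check without a cluster: a Role and its RoleBinding only take effect in the namespace they live in (and a ServiceAccount subject without a namespace in a RoleBinding refers to the binding's own namespace), a rule grants only the verbs and resources it lists, and RBAC is purely additive, so a ClusterRoleBinding to a group such as system:serviceaccounts will make "kubectl auth can-i" say "yes" no matter how restrictive the namespaced Role is. The following is an added example, not code from the answers or from kube-apiserver: a small model of the RBAC authorizer that evaluates the manifests from this thread as plain Python dicts (the manifests are constructed inline from the question and the first answer; the "pod-reader" ClusterRole and its ClusterRoleBinding in the third scenario are hypothetical, standing in for whatever pre-existing binding produced the unexpected "yes"). The model follows the documented RBAC semantics but leaves out resourceNames, non-resource URLs and ClusterRole aggregation.

```python
# Added illustrative model of Kubernetes RBAC authorization (not apiserver code).
# Simplifications: no resourceNames, no nonResourceURLs, no aggregation.

def sa_user(namespace, name):
    """Username and groups the apiserver assigns to a service account token."""
    return {
        "name": f"system:serviceaccount:{namespace}:{name}",
        "groups": {"system:serviceaccounts",
                   f"system:serviceaccounts:{namespace}",
                   "system:authenticated"},
    }

def rule_matches(rule, verb, api_group, resource):
    """A PolicyRule matches when verb, apiGroup and resource all match ("*" is a wildcard)."""
    def has(values, wanted):
        return "*" in values or wanted in values
    return (has(rule.get("verbs", []), verb)
            and has(rule.get("apiGroups", []), api_group)
            and has(rule.get("resources", []), resource))

def subject_matches(subject, binding_namespace, user):
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user["name"]
    if kind == "Group":
        return subject["name"] in user["groups"]
    if kind == "ServiceAccount":
        # In a RoleBinding an SA subject with no namespace means the binding's own
        # namespace; in a ClusterRoleBinding (binding_namespace == "") it must be set.
        ns = subject.get("namespace") or binding_namespace
        return bool(ns) and user["name"] == f"system:serviceaccount:{ns}:{subject['name']}"
    return False

def can_i(policy, user, verb, resource, namespace, api_group=""):
    """True if any binding visible in `namespace` grants the request.
    RoleBindings count only in their own namespace; ClusterRoleBindings count
    everywhere. There are no deny rules: the first matching grant wins."""
    roles = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in policy["roles"]}
    cluster_roles = {r["metadata"]["name"]: r for r in policy["clusterRoles"]}

    def rules_for(binding, binding_ns):
        ref = binding["roleRef"]
        role = (roles.get((binding_ns, ref["name"])) if ref["kind"] == "Role"
                else cluster_roles.get(ref["name"]))
        return role["rules"] if role else []

    candidates = [(b, b["metadata"]["namespace"]) for b in policy["roleBindings"]
                  if b["metadata"]["namespace"] == namespace]
    candidates += [(b, "") for b in policy["clusterRoleBindings"]]
    for binding, bns in candidates:
        if not any(subject_matches(s, bns, user) for s in binding["subjects"]):
            continue
        if any(rule_matches(r, verb, api_group, resource) for r in rules_for(binding, bns)):
            return True
    return False

# --- constructed manifests from the thread, as dicts -------------------------
SA = sa_user("lockdown", "sa-lockdown")
POD_READER = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]
EMPTY_RULES = [{"apiGroups": [""], "resources": [""], "verbs": [""]}]  # the question's Role

def role(ns, name, rules):
    return {"metadata": {"name": name, "namespace": ns}, "rules": rules}

def role_binding(ns, name, role_name, subjects):
    return {"metadata": {"name": name, "namespace": ns}, "subjects": subjects,
            "roleRef": {"kind": "Role", "name": role_name}}

def policy(roles=(), role_bindings=(), cluster_roles=(), cluster_role_bindings=()):
    return {"roles": list(roles), "roleBindings": list(role_bindings),
            "clusterRoles": list(cluster_roles), "clusterRoleBindings": list(cluster_role_bindings)}

SA_SUBJECT = [{"kind": "ServiceAccount", "name": "sa-lockdown"}]  # no namespace, as in the question

def scenario_wrong_namespace():
    """Manifests applied without -n: they land in "default", not "lockdown"."""
    return policy(roles=[role("default", "lockdown", POD_READER)],
                  role_bindings=[role_binding("default", "rb-lockdown", "lockdown", SA_SUBJECT)])

def scenario_answer():
    """The first answer's manifests, with namespace: lockdown in both objects."""
    return policy(roles=[role("lockdown", "lockdown", POD_READER)],
                  role_bindings=[role_binding("lockdown", "rb-lockdown", "lockdown", SA_SUBJECT)])

def scenario_additive():
    """Question's empty Role in lockdown plus a hypothetical cluster-wide grant
    to every service account: the restrictive Role cannot take that away."""
    crb = {"metadata": {"name": "all-sa-read-pods"},
           "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
           "roleRef": {"kind": "ClusterRole", "name": "pod-reader"}}
    return policy(roles=[role("lockdown", "lockdown", EMPTY_RULES)],
                  role_bindings=[role_binding("lockdown", "rb-lockdown", "lockdown", SA_SUBJECT)],
                  cluster_roles=[{"metadata": {"name": "pod-reader"}, "rules": POD_READER}],
                  cluster_role_bindings=[crb])
```

On a real cluster the equivalent check is the `kubectl auth can-i ... --as system:serviceaccount:lockdown:sa-lockdown` command from the question; when it says "yes" unexpectedly, list every binding that could reach the account with `kubectl get clusterrolebindings,rolebindings --all-namespaces -o wide` and look for subjects naming the service account or one of its groups, because, as the model shows, no Role you add afterwards can subtract that grant.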