K8s Forbidden Attempt to Grant Extra Privileges

1/29/2019

Not being able to create a ClusterRole using K8s REST APIs. I receive "forbidden: attempt to grant extra privileges" error. Even though can create same ClusterRole using 'kubectl apply'. Using same user. Running in GCP. Version: '1.11.6-gke.3'.

Here are my steps:

1. IAM Config

IAM User: berlioz-robot@xxx.iam.gserviceaccount.com Role: Kubernetes Engine Admin

2. Make the user admin

apply using kubectl:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: berlioz:robot-cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: berlioz-robot@xxx.iam.gserviceaccount.com

3. Generate Login Token

Header:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "xxxxxxxxxxxxxxxxxxxxxxxxxx"
}

Payload:

{
  "iss": "berlioz-robot@xxx.iam.gserviceaccount.com",
  "sub": "berlioz-robot@xxx.iam.gserviceaccount.com",
  "aud": "https://www.googleapis.com/oauth2/v4/token",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "iat": 1548743213,
  "exp": 1548746813
}

4. Login

URL: https://www.googleapis.com/oauth2/v4/token
Method: POST
Body: {
    'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion': here-goes-the-signed-token
}

Result:

{
    "access_token": "ya29.xxxxxxxxxxxxxxxx",
    "expires_in": 3600,
    "token_type": "Bearer"
}

5. Create new ClusterRole with REST APIs

URL: https://CLUSTER-IP-ADDRESS/apis/rbac.authorization.k8s.io/v1/clusterroles
Method: POST
Headers: {
    Authorization: "Bearer ya29.xxxxxxxxxxxxxxxx",
    Content-Type: "application/json"
}
Body: {
    "metadata": {
      "name": "berlioz:controller-cluster-role"
    },
    "rules": [
      {
        "verbs": [
          "get",
          "list",
          "watch"
        ],
        "apiGroups": [
          ""
        ],
        "resources": [
          "nodes"
        ]
      }
    ],
    "kind": "ClusterRole",
    "apiVersion": "rbac.authorization.k8s.io/v1"
}

RESULT:

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "clusterroles.rbac.authorization.k8s.io \"berlioz:controller-cluster-role-test\" is forbidden: attempt to grant extra privileges: [{[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []}] user=&{110887992956644566571  [system:authenticated] map[user-assertion.cloud.google.com:[xxxxx]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]",
    "reason": "Forbidden",
    "details": {
        "name": "berlioz:controller-cluster-role-test",
        "group": "rbac.authorization.k8s.io",
        "kind": "clusterroles"
    },
    "code": 403
}

Interestingly, if I set list of rules empty, things go through. As mentioned above, same cluster role is getting created using kubectl successfully.

-- rubenhak
kubernetes
rbac
rest

1 Answer

7/5/2019

According to Google cloud RBAC documentation:

In GKE, Cloud IAM and Kubernetes RBAC are integrated to authorize users to perform actions if they have sufficient permissions according to either tool. This is an important part of bootstrapping a GKE cluster, since by default GCP users do not have any Kubernetes RBAC RoleBindings.

Once users or GCP service accounts are authenticated, they must also be authorized to perform any action on a GKE cluster.

In GKE clusters using GKE v1.11.x and older, there is a limitation that Cloud IAM cannot grant the ability to create a Kubernetes RBAC Role or ClusterRole. However, the Kubernetes Engine Admin Cloud IAM role does grant users with the ability to create a Kubernetes RBAC RoleBinding or ClusterRoleBinding for any user, including themselves, which can be used to bind GCP users to predefined RBAC Roles.

In particular, the cluster-admin predefined RBAC role grants users full permissions in the cluster. Therefore, to bootstrap a user to allow them to create RBAC Roles and ClusterRoles, issue the following command, replacing [USER_ACCOUNT] with the target user's GCP login email address.

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user [USER_ACCOUNT]

Note: The [USER_ACCOUNT] is case sensitive. To avoid errors, enter the target user's email address in lowercase.

Alternatively you can use the following yaml:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: username@google-account-domain.com

After creating such ClusterRoleBinding you'll be able to create ClusterRole.

-- VAS
Source: StackOverflow