GKE Kubernetes RBAC bind default role to my limited custom

3/3/2019

I'm using G I want to create a custom user that have only access to specific namespace, I used this yaml:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: develop-user
  namespace: develop

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: develop-user-full-access
  namespace: develop
rules:
- apiGroups: rbac.authorization.k8s.io
  resources:
  - services
  verbs: ["get"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: develop-user-view
  namespace: develop
subjects:
- kind: ServiceAccount
  name: develop-user
  namespace: develop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: develop-user-full-access

so I get a certificate and added to my kube config, after I switched context to this new service account and figured out that I still have access to everything :(
Why did it happen and how to fix?

my kubeconfig (pastebin copy: https://pastebin.com/s5Nd6Dnn):

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: %certificate-data%
    server: https://animeheaven.nyah
  name: anime-cluster-develop
contexts:
- context:
    cluster: anime-cluster-develop
    namespace: develop
    user: develop-user
  name: anime-develop
current-context: anime-develop
kind: Config
preferences: {}
users:
- name: develop-user
  user:
    client-key-data: %certdata%
    token: %tokenkey%
-- animekun
google-kubernetes-engine
kubernetes
rbac

2 Answers

3/11/2019

https://medium.com/uptime-99/making-sense-of-kubernetes-rbac-and-iam-roles-on-gke-914131b01922
https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28

these two articles helped me finally! I almost felt into depression because of this stupid stuff, thanks to uptime-99 and ManagedKube I did it! yay!

the key is to create kubernetes-viewer user in gcloud and then create a role for him here is a hint!

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: develop
  name: allow-developer-port-forward
rules:
- apiGroups: [""]
  resources: ["pods", "pods/portforward"]
  verbs: ["get", "list", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: anime-developer-port-access
  namespace: develop
subjects:
- kind: User
  name: ANIMEDEVERLOP@gmail.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-developer-port-forward
  apiGroup: ""

then

kubectly apply -f accessconfig.yaml

thats it!
have a nice day!

-- animekun
Source: StackOverflow

3/4/2019

Here's a good article on how to set it up: https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html.

In general, your configuration is fine, what I changed is the line - apiGroups: rbac.authorization.k8s.io changed to:

- apiGroups: ["", "extensions", "apps"]

Then, applied the following steps:

  1. Create develop namespace
$ kubectl create namespace develop
  1. Create RBAC from your configuration.
$ kubectl apply -f rbac.yaml
  1. Read Cluster IP, Token, and CA Certificate.
$ kubectl cluster-info
$ kubectl get secret develop-user-token-2wsnb -o jsonpath={.data.token} -n develop | base64 --decode
$ kubectl get secret develop-user-token-2wsnb -o "jsonpath={.data['ca\.crt']}" -n develop
  1. Fill the ~/.kube/config file (as described in the linked guide)
  2. Change the context to develop
  3. The user have access only to checking services in the develop namespace.
$ kubectl get service my-service -n mynamespace
Error from server (Forbidden): services "my-service" is forbidden: User "system:serviceaccount:develop:develop-user" cannot get services in the namespace "mynamespace"
$ kubectl get service my-service -n develop
hError from server (NotFound): services "my-service" not found
-- RafaƂ Leszko
Source: StackOverflow