Why can I not remove my permissions on kubeadm?

3/7/2019

I created a one master, one worker kubeadm cluster using all the default settings (except changing the kubernetes version to 1.13.4). In particular, only Node and RBAC authorisation are enabled and I am using the default admin credentials to access the cluster which authenticates me as user kubernetes-admin and group system:masters (which is bound to the cluster-admin clusterrole) with a client certificate.

I then deleted the cluster-admin clusterrole, but I still have full access including listing pods for example. Why is this? I noticed that the cluster-admin clusterrole does come back after a period of time, but in the interim I would expect my permissions to not be there.

kubeadm version:

kubeadm version: &version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.4", GitCommit:"c27b913fddd1a6c480c229191a087698aa92f0b1", GitTreeState:"clean", BuildDate:"2019-02-28T13:35:32Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}

kubernetes version: 1.13.4

-- dippynark
kubeadm
kubernetes

1 Answer

3/8/2019

The system:masters group (which was set as an organisation on my client certificate) can bypass RBAC checks: https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/rbac/escalation_check.go#L38-L44

-- dippynark
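To see where the group actually lives, here is an added check (written for this page, not code from the post or from the Kubernetes project) that derives the identity kube-apiserver takes from a client certificate and flags system:masters membership. It assumes, as the question states, that the kubeadm admin credential is a client certificate with CN kubernetes-admin and O system:masters, and it generates a constructed self-signed certificate in place of the real one so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Group kube-apiserver lets bypass RBAC; it is asserted by the client cert's O field, so deleting RBAC objects cannot revoke it.
const superuserGroup = "system:masters"
// groupsFromClientCert derives the identity kube-apiserver would see from a PEM
// client certificate: the subject CN becomes the user, each O entry a group.
func groupsFromClientCert(certPEM []byte) (user string, groups []string, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", nil, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

// isSuperuser reports whether the derived groups include system:masters.
func isSuperuser(groups []string) bool {
	for _, g := range groups {
		if g == superuserGroup {
			return true
		}
	}
	return false
}
// makeTestCert: constructed self-signed test data with the given CN and O values (stand-in for a kubeadm-issued cert).
func makeTestCert(cn string, orgs []string) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Because the group is carried by the certificate rather than by any RBAC object, the practical defences are to keep system:masters credentials out of day-to-day use and to treat any such certificate as valid until the issuing CA is rotated.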
Source: StackOverflow