Query/test if K8S API request is authorized before executing

4/26/2019

Background

Consider a set of HTTP GET and PUT requests that I would like to issue to the K8S REST API. I know that the currently running pod (i.e. assume a single pod in the cluster for one-off testing/debugging/etc.) has the appropriate credentials (i.e. associated with the service account) to execute these calls successfully.

I would like to modify my requests so that they use a different service account to execute the request (i.e. modify the user field of the request). However, there's no guarantee the user is permitted to make all of these requests, and some could be destructive, so ideally one of the two following scenarios occurs:

  • None of the requests are executed.
  • 100% of the requests are executed.

Having just some of the requests succeed can put the system into an indeterminate state.


Question

Is there an API/feature in K8S where I can pre-determine if a specific API request, on the behalf of a specific user/service-account, will be permitted to execute?

-- Cloud
kubernetes
rest

1 Answer

4/26/2019
$ kubectl -v 10 --as system:serviceaccount:default:jenkins auth can-i create pod
...
I0426 20:27:33.008777    4149 request.go:942] Request Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":false}}
I0426 20:27:33.008875    4149 round_trippers.go:419] curl -k -v -XPOST  -H "Impersonate-User: system:serviceaccount:default:jenkins" -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.14.0 (darwin/amd64) kubernetes/641856d" 'https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
I0426 20:27:34.935506    4149 round_trippers.go:438] POST https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews 201 Created in 1926 milliseconds
I0426 20:27:34.935550    4149 round_trippers.go:444] Response Headers:
I0426 20:27:34.935564    4149 round_trippers.go:447]     Audit-Id: 631abed7-b27b-4eca-b267-4d7db0f1aa21
I0426 20:27:34.935576    4149 round_trippers.go:447]     Content-Type: application/json
I0426 20:27:34.935588    4149 round_trippers.go:447]     Date: Fri, 26 Apr 2019 14:57:34 GMT
I0426 20:27:34.935599    4149 round_trippers.go:447]     Content-Length: 378
I0426 20:27:34.935724    4149 request.go:942] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"jenkins-ns-default/default\" of Role \"jenkins-ns-default\" to User \"system:serviceaccount:default:jenkins\""}}
yes

You can view a detailed description of the SubjectAccessReview API here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#subjectaccessreview-v1-authorization

Read more here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/

-- Vasily Angapov
Source: StackOverflow
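The answer above shows a single `kubectl auth can-i --as ...` call, which posts a SelfSubjectAccessReview with an Impersonate-User header. The question's real goal is all-or-nothing: check a whole batch of planned requests for a given user or service account, and execute nothing unless every one of them is authorized. The following is an added example written for this page, not code from the original post or from Kubernetes. It uses the SubjectAccessReview resource linked in the answer (the subject goes in `spec.user`, so no impersonation is needed) and assumes the code runs inside a pod whose own service account is allowed to create `subjectaccessreviews.authorization.k8s.io`, that the standard in-cluster `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` variables and service-account mount are present, and that the function names (`build_review`, `preflight`, `in_cluster_post`) are this example's own, not a client-library API. The `post` callable is injectable so the decision logic can be exercised without a cluster.

```python
"""Pre-flight a batch of Kubernetes API requests on behalf of a user or
service account via SubjectAccessReview, and only report "go" when every
request in the batch is authorized. Nothing is executed by this step.

Added example, not from the original post. Assumptions: runs in a pod whose
own service account may create subjectaccessreviews.authorization.k8s.io
(a cluster-scoped resource); the API server is reachable through the
standard in-cluster environment variables; build_review/preflight/
in_cluster_post are names invented for this example.
"""
import json
import os
import ssl
import urllib.request
from typing import Callable, Dict, List, Tuple

# Map the HTTP methods the question mentions (plus the other write methods)
# to the RBAC verbs the API server authorizes against.
HTTP_VERB = {
    "GET": "get",
    "PUT": "update",
    "POST": "create",
    "PATCH": "patch",
    "DELETE": "delete",
}

# Standard in-pod service-account mount (token + cluster CA).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def build_review(user: str, method: str, resource: str,
                 namespace: str = "", name: str = "",
                 group: str = "") -> Dict:
    """Build a SubjectAccessReview body asking whether `user` may perform
    the request described by (method, resource, namespace, name, group).
    Unlike the SelfSubjectAccessReview that `kubectl auth can-i --as` posts,
    the subject is named explicitly in spec.user."""
    attrs = {"verb": HTTP_VERB[method.upper()], "resource": resource}
    if namespace:
        attrs["namespace"] = namespace
    if name:
        attrs["name"] = name
    if group:
        attrs["group"] = group
    return {
        "kind": "SubjectAccessReview",
        "apiVersion": "authorization.k8s.io/v1",
        "spec": {"user": user, "resourceAttributes": attrs},
    }


def in_cluster_post(body: Dict) -> Dict:
    """Default transport: POST the review to the API server from inside a
    pod, authenticating with the pod's own service-account token."""
    host = os.environ["KUBERNETES_SERVICE_HOST"]
    port = os.environ.get("KUBERNETES_SERVICE_PORT", "443")
    with open(os.path.join(SA_DIR, "token")) as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=os.path.join(SA_DIR, "ca.crt"))
    req = urllib.request.Request(
        f"https://{host}:{port}/apis/authorization.k8s.io/v1/subjectaccessreviews",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def preflight(user: str, requests: List[Tuple],
              post: Callable[[Dict], Dict] = in_cluster_post
              ) -> Tuple[bool, List[str]]:
    """Check every planned request for `user` without executing any of
    them. Returns (all_allowed, reasons); `reasons` has one line per denied
    request so the operator can see exactly which binding is missing."""
    reasons = []
    for spec in requests:  # spec = (method, resource, namespace[, name[, group]])
        status = post(build_review(user, *spec)).get("status", {})
        # Denied, evaluation error and a missing verdict are all a no-go;
        # only an explicit allowed=true counts.
        if not status.get("allowed", False):
            why = (status.get("reason") or status.get("evaluationError")
                   or "no reason given")
            scope = spec[2] if len(spec) > 2 and spec[2] else "<cluster>"
            reasons.append(f"{spec[0]} {spec[1]} in {scope}: {why}")
    return (len(reasons) == 0), reasons


if __name__ == "__main__":
    # Constructed sample batch: one read, one destructive write.
    planned = [
        ("GET", "pods", "default"),
        ("PUT", "configmaps", "default", "app-config"),
    ]
    ok, why = preflight("system:serviceaccount:default:jenkins", planned)
    print("GO" if ok else "NO-GO\n" + "\n".join(why))
```

Two caveats worth keeping in mind when relying on this pattern. The verdict is point-in-time: a RoleBinding can change between the check and the real requests, so the pre-flight narrows the window for a half-applied batch but does not close it. And `allowed: true` covers authorization only; admission webhooks, schema validation or a resourceVersion conflict can still reject the real write, so for the write requests a `dryRun=All` query parameter on the actual call (a Kubernetes API feature not discussed on this page) is the complementary check that exercises those stages without persisting anything.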