Consider a set of HTTP GET and PUT requests that I would like to issue to the K8S REST API. I know that the currently running pod (i.e. assume a single pod in the cluster for one-off testing/debugging/etc.) has the appropriate credentials (i.e. associated with the service account) to execute these calls successfully.
I would like to modify my requests so that they use a different service account to execute the request (i.e. modify the user field of the request). However, there's no guarantee the user is permitted to make all of these requests, and some could be destructive, so it's ideal that one of the two scenarios occurs:
By having just some of the requests succeed, it can put a system into an indeterminate state.
Is there an API/feature in K8S where I can pre-determine if a specific API request, on the behalf of a specific user/service-account, will be permitted to execute?
$ kubectl -v 10 --as system:serviceaccount:default:jenkins auth can-i create pod
...
I0426 20:27:33.008777 4149 request.go:942] Request Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":false}}
I0426 20:27:33.008875 4149 round_trippers.go:419] curl -k -v -XPOST -H "Impersonate-User: system:serviceaccount:default:jenkins" -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.14.0 (darwin/amd64) kubernetes/641856d" 'https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
I0426 20:27:34.935506 4149 round_trippers.go:438] POST https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews 201 Created in 1926 milliseconds
I0426 20:27:34.935550 4149 round_trippers.go:444] Response Headers:
I0426 20:27:34.935564 4149 round_trippers.go:447] Audit-Id: 631abed7-b27b-4eca-b267-4d7db0f1aa21
I0426 20:27:34.935576 4149 round_trippers.go:447] Content-Type: application/json
I0426 20:27:34.935588 4149 round_trippers.go:447] Date: Fri, 26 Apr 2019 14:57:34 GMT
I0426 20:27:34.935599 4149 round_trippers.go:447] Content-Length: 378
I0426 20:27:34.935724 4149 request.go:942] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"jenkins-ns-default/default\" of Role \"jenkins-ns-default\" to User \"system:serviceaccount:default:jenkins\""}}
yes
You can view a detailed description of the SubjectAccessReview API here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#subjectaccessreview-v1-authorization
Read more here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/
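Turning the answer's check into an all-or-nothing pre-flight for a whole batch of planned requests, as an added example that is not part of the question or answer. It posts a SubjectAccessReview per planned call (assumed URL and token path are the standard in-cluster defaults; `fake_post` and `FAKE_RULES` are a constructed stand-in for the API server so it runs offline) and refuses to start if any call would be denied:

```python
import json
import ssl
import urllib.request
from typing import Callable

SAR_URL = "https://kubernetes.default.svc/apis/authorization.k8s.io/v1/subjectaccessreviews"
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # standard in-cluster token mount
# RBAC is evaluated on Kubernetes verbs, not HTTP methods; this is the server's mapping.
HTTP_TO_VERB = {"GET": "get", "POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}

def sar_body(user: str, method: str, resource: str, namespace: str, name: str = "") -> dict:
    """SubjectAccessReview asking whether `user` may perform one planned request.
    It names the subject explicitly, so the pod needs 'create subjectaccessreviews'
    (kubectl --as instead impersonates and posts a SelfSubjectAccessReview)."""
    attrs = {"namespace": namespace, "verb": HTTP_TO_VERB[method.upper()], "resource": resource}
    if name:
        attrs["name"] = name
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "resourceAttributes": attrs}}

def post_in_cluster(body: dict) -> dict:
    """POST a review with the running pod's own token (assumes the default mount paths)."""
    with open(f"{SA_DIR}/token") as f:
        token = f.read().strip()
    req = urllib.request.Request(SAR_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def precheck(user: str, plan: list, post: Callable[[dict], dict]) -> tuple:
    """Review every planned (method, resource, namespace, name) before issuing any of them.
    Returns (all_allowed, denied); callers refuse to start a partial run if denied is non-empty."""
    denied = []
    for method, resource, namespace, name in plan:
        status = post(sar_body(user, method, resource, namespace, name)).get("status", {})
        if not status.get("allowed", False):  # missing or false: treat as denied
            denied.append(f"{method} {resource}/{name or '*'} in {namespace}: "
                          f"{status.get('reason', 'no reason given')}")
    return not denied, denied

# Constructed stand-in for the API server so this runs offline: a toy RBAC table.
FAKE_RULES = {"system:serviceaccount:default:jenkins": {("get", "pods"), ("create", "pods")}}

def fake_post(body: dict) -> dict:
    spec, attrs = body["spec"], body["spec"]["resourceAttributes"]
    allowed = (attrs["verb"], attrs["resource"]) in FAKE_RULES.get(spec["user"], set())
    status = {"allowed": True} if allowed else {"allowed": False, "reason": "RBAC: denied (constructed)"}
    return {**body, "status": status}

if __name__ == "__main__":
    plan = [("GET", "pods", "default", "web-0"), ("PUT", "configmaps", "default", "app")]
    print(precheck("system:serviceaccount:default:jenkins", plan, fake_post))
```

Swap `fake_post` for `post_in_cluster` to run it against a real API server; note that a check is a point-in-time answer, so bindings changed between the pre-flight and the real calls can still cause a partial run.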