I created GKE cluster using GKE API. Below is the payload and end point I used.
API: https://container.googleapis.com/v1/{parent=projects/*/locations/*}/clusters
Method: POST
RequestBody:
{ "cluster": { "name": "test", "masterAuth": { "clientCertificateConfig": { "issueClientCertificate": true } }.... } ...... ..... }
NOTE: I'm creating the GKE cluster with masterAuth enabled by setting clientCertificate to true. After cluster creation, I created the kubeconfig on my local machine using the clusterCaCertificate, clientCertificate and clientKey information from the GKE API, i.e., by describing the cluster.
Error from server (Forbidden): nodes is forbidden: User "client" cannot list resource "nodes" in API group "" at the cluster scope
The clusterCaCertificate information provided by the GKE describe APIs has CN="client", but it should have been "admin". clusterCaCertificate is generated by Google, and as a developer I could not find a way of setting the CN. I cannot even access the cluster, so I cannot perform any roleBinding or similar for user 'client'. Any idea how this can be resolved?
Take a look here for a workaround and how GKE Engineering team is working on this. I took this from the GitHub report:
So per recommendation, I did post on the kubernetes engine bug tracker and it became this private issue:
https://issuetracker.google.com/u/1/issues/111101728, feel free to reference it, which is equivalent to kubernetes/kubernetes#65400.
In a nutshell, the client cert has CN=client encoded and client user doesn't have any permissions. If you use masterAuth username/password (basic auth), then you can apply the yaml.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: client-binding
subjects:
- kind: User
  name: client
roleRef:
  kind: ClusterRole
  name: "cluster-admin"
  apiGroup: rbac.authorization.k8s.io
Which will give the user on the cert admin permissions. Additionally, to remove basic auth you can set username="" in the API, but this will cause a reboot, which will take 5 more minutes to do a master switch.
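The bootstrap sequence the answer describes, put together as an added example (this is not code from the question, the answer, or Google; it is illustration only): build one kubeconfig from the cluster describe response with two users, the masterAuth username/password as a "bootstrap" context and the GKE-issued client certificate as a "client" context, then emit the ClusterRoleBinding for User "client" so it can be applied with the bootstrap context. The describe response below is a constructed sample with placeholder PEM blobs, and the file and context names are assumptions of this example. The script also refuses to proceed when masterAuth.username is empty, because that is the state the answer describes after basic auth has been removed, and there would then be no identity that can apply the binding.

```python
import base64
import json
from typing import Dict


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed sample of a projects.locations.clusters GET response, reduced to
# the fields this script reads. The PEM blobs are placeholders, not real material.
SAMPLE_DESCRIBE: Dict = {
    "name": "test",
    "endpoint": "203.0.113.10",
    "masterAuth": {
        "username": "admin",
        "password": "constructed-password",
        "clusterCaCertificate": _b64("-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "clientCertificate": _b64("-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "clientKey": _b64("-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"),
    },
}


def build_kubeconfig(cluster: Dict) -> Dict:
    """Return a kubeconfig (as a dict; kubectl reads JSON as well as YAML) with
    two users for the same cluster: 'bootstrap' (masterAuth basic auth, the only
    identity that has rights before the binding exists) and 'client' (the
    GKE-issued cert, whose CN is 'client' and which has no RBAC rights yet).
    GKE already returns CA, cert and key base64-encoded, which is exactly what
    the *-data kubeconfig fields expect, so they are passed through unchanged."""
    auth = cluster["masterAuth"]
    if not auth.get("username"):
        # username == "" means basic auth is disabled, so nothing can apply the binding.
        raise ValueError("basic auth is disabled on the cluster; cannot bootstrap RBAC")
    name = cluster["name"]
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{
            "name": name,
            "cluster": {
                "server": f"https://{cluster['endpoint']}",
                "certificate-authority-data": auth["clusterCaCertificate"],
            },
        }],
        "users": [
            {"name": "bootstrap", "user": {"username": auth["username"], "password": auth["password"]}},
            {"name": "client", "user": {
                "client-certificate-data": auth["clientCertificate"],
                "client-key-data": auth["clientKey"],
            }},
        ],
        "contexts": [
            {"name": "bootstrap", "context": {"cluster": name, "user": "bootstrap"}},
            {"name": "client", "context": {"cluster": name, "user": "client"}},
        ],
        "current-context": "client",
    }


def client_admin_binding(subject: str = "client") -> Dict:
    """The ClusterRoleBinding from the answer, as a dict for `kubectl apply -f`.
    The subject name must equal the CN of the client certificate, because the
    API server uses the CN as the username for an x509 client."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "client-binding"},
        "subjects": [{"kind": "User", "name": subject, "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"},
    }


if __name__ == "__main__":
    with open("kubeconfig.json", "w") as f:
        json.dump(build_kubeconfig(SAMPLE_DESCRIBE), f, indent=2)
    with open("client-binding.json", "w") as f:
        json.dump(client_admin_binding(), f, indent=2)
    # Then, against a real cluster (file names are this example's):
    #   kubectl --kubeconfig kubeconfig.json --context bootstrap apply -f client-binding.json
    #   kubectl --kubeconfig kubeconfig.json --context client get nodes
    print("wrote kubeconfig.json and client-binding.json")
```

Before applying the binding it is worth confirming which CN the cert actually carries, since the binding subject has to match it exactly: decode the clientCertificate value from the describe output and run it through `openssl x509 -noout -subject`. Once `get nodes` succeeds with the client context, the basic-auth user can be removed as the answer describes, and the bootstrap context deleted from the kubeconfig.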