
Kubernetes RBAC: can't get cronjob even though user seems to have the needed permissions

2/6/2020

Greetings fellow tinkerers!

What is my issue?

In a nutshell, user toto can't "get" a cronjob, even though the permissions seem fine. More precisely:

> kubectl get cronjob/test -n my_namespace
Error from server (Forbidden): cronjobs.batch "test" is forbidden: User "toto" cannot get resource "cronjobs" in API group "batch" in the namespace "my_namespace"
> kubectl auth can-i get cronjob/test -n my_namespace
no

even though:

> kubectl auth can-i get cronjobs -n my_namespace
yes
> kubectl auth can-i --list -n my_namespace
Resources        Non-Resource URLs   Resource Names   Verbs
...
cronjobs.batch   []                  []               [get list watch list watch get]
...
> kubectl get cronjobs -n my_namespace
NAME   SCHEDULE      ...   AGE
test   */5 * * * *   ...   2d21h

Please also note that the command works fine when executed by an admin-level user (from group system:masters), or if I add toto to the group system:masters.

What have I tried?

I added full permissions to all resources in all namespaces to a group toto belongs to (let's call it my_group). The fact that it didn't work even then makes me think that my issue might not be caused by permissions but by another k8s mechanism.

Additional information

As requested, here is some additional information:

> kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.2", GitCommit:"c97fe5036ef3df2967d086711e6c0c405941e14b", GitTreeState:"clean", BuildDate:"2019-10-15T23:41:55Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.9-eks-c0eccc", GitCommit:"c0eccca51d7500bb03b2f163dd8d534ffeb2f7a2", GitTreeState:"clean", BuildDate:"2019-12-22T23:14:11Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

The cluster is hosted on AWS using the EKS service, therefore:

  • contexts have users dynamically authenticated using the aws-iam-authenticator binary
  • as the EKS doc mentions, we add users to groups in the aws-auth ConfigMap
  • then we define some clusterroles + rolebindings, targeting those aforementioned groups.

Which, for the latter 2 points, translates to the following YAML files:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  ...
  mapUsers: |
    ...
    - userarn: arn:aws:iam::xxxxxxxxxxxx:user/toto
      username: toto
      groups:
        - system:basic-user
        - my_group
    ...
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my_role
rules:
  ...
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    resourceNames: [""]
    verbs: ["list", "watch", "get"]
  ...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my_rolebinding
  namespace: my_namespace
subjects:
  - kind: Group
    name: my_group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: my_role
  apiGroup: rbac.authorization.k8s.io
-- Yzzanrf
amazon-web-services
kubernetes
rbac

2 Answers

2/11/2020

OK. So got it. The issue is the parameter resourceNames. When you specify this parameter, you need to also specify what specific resource name you mean.

Example:

If you create this Role...

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my_role
  namespace: toto
rules:
  - apiGroups: ["", "batch"]
    resources: ["cronjobs"]
    resourceNames: [""]
    verbs: ["list", "watch", "get"]

...and get cronjobs, you will get them, but you won't get a specific cronJob by name.

# kubectl -n toto --context toto-context get cronjobs
NAME          SCHEDULE      SUSPEND   ACTIVE   LAST SCHEDULE   AGE
cronjob-pod   */1 * * * *   False     0        4d21h           4d21h
# kubectl -n toto --context toto-context get cronjob cronjob-pod
Error from server (Forbidden): cronjobs.batch "cronjob-pod" is forbidden: User "toto" cannot get resource "cronjobs" in API group "batch" in the namespace "toto"

But if you remove the parameter resourceNames, or write the resource name you want to get, it will work. So the following Role would work:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my_role
  namespace: toto
rules:
  - apiGroups: ["", "batch"]
    resources: ["cronjobs"]
    verbs: ["list", "watch", "get"]

# kubectl -n toto --context toto-context get cronjob cronjob-pod
NAME          SCHEDULE      SUSPEND   ACTIVE   LAST SCHEDULE   AGE
cronjob-pod   */1 * * * *   False     0        4d21h           4d21h

Also, in my case, this one would work:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my_role
  namespace: toto
rules:
  - apiGroups: ["", "batch"]
    resources: ["cronjobs"]
    resourceNames: ["cronjob-pod"]          # <- specify the resource name
    verbs: ["list", "watch", "get"]

Note: resourceNames: ["*"] won't work.

-- suren
Source: StackOverflow
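To make the answer's observation concrete, here is an added Go example (not from the original post or from Kubernetes itself) that re-implements the RBAC rule-matching semantics the answer describes: verbs, apiGroups and resources accept "*" as a wildcard, but resourceNames is a literal list where an empty list means "any name" and a list request carries an empty name. The Rule and Request types and the sample rules are constructed for this illustration.

```go
package main

import "fmt"

// Rule holds the PolicyRule fields that decide a match, as in the Roles on this page.
type Rule struct{ APIGroups, Resources, ResourceNames, Verbs []string }

// Request is what the authorizer sees. A single-object request such as
// "get cronjob test" carries Name "test"; list and watch carry an empty Name.
type Request struct{ Verb, APIGroup, Resource, Name string }

// matchesAny treats "*" as a wildcard, as verbs, apiGroups and resources do.
func matchesAny(allowed []string, want string) bool {
	for _, a := range allowed {
		if a == "*" || a == want {
			return true
		}
	}
	return false
}

// resourceNameMatches mirrors the upstream rule: an absent or empty list means
// "any name"; otherwise the requested name must appear literally. There is no
// wildcard, so [""] matches only the empty name that list/watch requests carry.
func resourceNameMatches(names []string, name string) bool {
	if len(names) == 0 {
		return true
	}
	for _, n := range names {
		if n == name {
			return true
		}
	}
	return false
}

// RuleAllows reports whether one rule grants the request.
func RuleAllows(r Rule, q Request) bool {
	return matchesAny(r.Verbs, q.Verb) && matchesAny(r.APIGroups, q.APIGroup) &&
		matchesAny(r.Resources, q.Resource) && resourceNameMatches(r.ResourceNames, q.Name)
}
func main() {
	verbs := []string{"list", "watch", "get"}
	broken := Rule{APIGroups: []string{"batch"}, Resources: []string{"cronjobs"}, ResourceNames: []string{""}, Verbs: verbs}
	fixed := Rule{APIGroups: []string{"batch"}, Resources: []string{"cronjobs"}, Verbs: verbs}
	list := Request{Verb: "list", APIGroup: "batch", Resource: "cronjobs"}
	get := Request{Verb: "get", APIGroup: "batch", Resource: "cronjobs", Name: "test"}
	fmt.Println(RuleAllows(broken, list), RuleAllows(broken, get)) // true false
	fmt.Println(RuleAllows(fixed, list), RuleAllows(fixed, get))   // true true
}
```

The first line of output reproduces the question's symptom (list allowed, get by name forbidden) and the second shows the effect of dropping resourceNames; a rule with resourceNames ["*"] is rejected for the same reason the answer's note gives.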

2/6/2020

If I'm not mistaken, the API group is batch and the resource is cronjobs, not cronjobs.batch.

Kubernetes cluster-roles.yaml and docs for Kubernetes API cronjob.

The YAML Role should look like the following:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: my_namespace
  name: toto
rules:
- apiGroups: ["", "batch"]
  resources: ["cronjobs"]
  verbs: ["get", "list", "watch", "list", "watch"]
-- Crou
Source: StackOverflow