mirror of https://github.com/k3s-io/k3s
Automatic merge from submit-queue

Fix RBAC authorizer of ServiceAccount

RBAC authorizer assigns a role to a wrong service account.

How to reproduce

1. Create role and rolebinding to allow default user in kube-system namespace to read secrets in kube-system namespace.

```
# kubectl create -f role.yaml
# kubectl create -f binding.yaml
```

```yaml
# role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: secret-reader
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
  nonResourceURLs: []
```

```yaml
# binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: read-secrets
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
roleRef:
  kind: Role
  namespace: kube-system
  name: secret-reader
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```

2. Set a credential of default user

```
$ kubectl config set-credentials default_user --token=<token_of_system:serviceaccount:kube-system:default>
$ kubectl config set-context default_user-context --cluster=test-cluster --user=default_user
$ kubectl config use-context default_user-context
```

3. Try to get secrets as default user in kube-system namespace

```
$ kubectl --namespace=kube-system get secrets
the server does not allow access to the requested resource (get secrets)
```

As shown above, the default user could not access secrets. But if I have a kube-system user in the default namespace, it is allowed access to secrets.

4. Create a service account and try to get secrets as kube-system user in default namespace

```
# kubectl --namespace=default create serviceaccount kube-system
serviceaccount "kube-system" created
$ kubectl config set-credentials kube-system_user --token=<token_of_system:serviceaccount:default:kube-system>
$ kubectl config set-context kube-system_user-context --cluster=test-cluster --user=kube-system_user
$ kubectl config use-context kube-system_user-context
$ kubectl --namespace=kube-system get secrets
NAME                  TYPE                                  DATA      AGE
default-token-8pyb3   kubernetes.io/service-account-token   3         4d
```
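The reproduction above is consistent with the binding's ServiceAccount subject being compared against the authenticated user name with namespace and name in the wrong order. The following is an added model of that comparison written for this page; it is not the Kubernetes authorizer source, and the function names, the `READ_SECRETS_SUBJECTS` binding and the `reproduce` helper are constructed to replay steps 3 and 4.

```python
# Added illustration of the subject-matching defect described in the commit
# message: a minimal model, not the Kubernetes RBAC authorizer source.
# A service-account token authenticates as "system:serviceaccount:<namespace>:<name>".

SA_PREFIX = "system:serviceaccount:"


def sa_username(namespace: str, name: str) -> str:
    """User name the token authenticator assigns to a service account."""
    return f"{SA_PREFIX}{namespace}:{name}"


def subject_matches_buggy(subject: dict, user: str) -> bool:
    """Models the defect: name and namespace are joined in the wrong order,
    so a binding for kube-system/default actually matches default/kube-system."""
    if subject["kind"] != "ServiceAccount":
        return False
    return user == sa_username(subject["name"], subject["namespace"])


def subject_matches_fixed(subject: dict, user: str) -> bool:
    """Corrected comparison: namespace first, then name."""
    if subject["kind"] != "ServiceAccount":
        return False
    return user == sa_username(subject["namespace"], subject["name"])


# Constructed subject list mirroring binding.yaml from the reproduction steps.
READ_SECRETS_SUBJECTS = [
    {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
]


def allowed(user: str, matcher) -> bool:
    """Would the read-secrets binding grant this user the secret-reader role?"""
    return any(matcher(subject, user) for subject in READ_SECRETS_SUBJECTS)


def reproduce(matcher) -> dict:
    """Replays steps 3 and 4: the intended SA and the look-alike SA."""
    intended = sa_username("kube-system", "default")   # step 3: kube-system/default
    lookalike = sa_username("default", "kube-system")  # step 4: default/kube-system
    return {"intended": allowed(intended, matcher),
            "lookalike": allowed(lookalike, matcher)}


if __name__ == "__main__":
    print("buggy:", reproduce(subject_matches_buggy))  # intended False, lookalike True
    print("fixed:", reproduce(subject_matches_fixed))  # intended True, lookalike False
```

The buggy matcher denies the subject the binding names and grants a service account in another namespace that happens to carry the mirrored name, which is exactly what steps 3 and 4 observe.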