Reputation: 23
I set up a 4 node cluster (1 master 3 workers) running Kubernetes on Ubuntu. I turned on --authorization-mode=ABAC and set up a policy file with an entry like the following
{"user":"bob", "readonly": true, "namespace": "projectgino"}
I want user bob to only be able to look at resources in projectgino. I'm having problems using the kubectl command line as user Bob. When I run the following command
kubectl get pods --token=xxx --namespace=projectgino --server=https://xxx.xxx.xxx.xx:6443
I get the following error
error: couldn't read version from server: the server does not allow access to the requested resource
I traced the kubectl command line code and the problem seems to be caused by kubectl calling the function NegotiateVersion in pkg/client/helper.go. This makes a call to /api on the server to get the version of Kubernetes. This call fails because the REST path doesn't contain the namespace projectgino. I added trace code to pkg/auth/authorizer/abac/abac.go and it fails on the namespace check.
I haven't moved up to the latest 1.1.1 version of Kubernetes yet, but looking at the code I didn't see anything that has changed in this area.
Does anybody know how to configure Kubernetes to get around the problem?
Upvotes: 2
Views: 1954
Reputation: 3681
This is missing functionality in the ABAC authorizer. The fix is in progress: #16148.
As for a workaround, from the authorization doc:
For miscellaneous endpoints, like /version, the resource is the empty string.
So you may be able to solve this by defining a policy:
{"user":"bob", "readonly": true, "resource": ""}
(note the empty string for resource) to grant access to unversioned endpoints. If that doesn't work I don't think there's a clean workaround that will let you use kubectl with --authorization-mode=ABAC.
Upvotes: 1
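To make the denial concrete, here is an added Go example (not Kubernetes' own code) that reimplements the matching rules of the v1.0/1.1 ABAC authorizer for the four attributes used in this thread and runs the two policy lines above through it; the request tuples are constructed. It also shows the cost of the workaround: because an empty policy field matches any value, the second line lets bob read every resource in every namespace, not only the unversioned endpoints.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy is one line of the ABAC policy file; under the v1.0/1.1 semantics an
// unset (zero-value) field matches any value of that request attribute.
type Policy struct {
	User      string `json:"user"`
	Readonly  bool   `json:"readonly"`
	Resource  string `json:"resource"`
	Namespace string `json:"namespace"`
}

// Matches applies the four checks in the order abac.go does (subject, readonly,
// resource, namespace). A request to /api carries an empty resource and namespace.
func (p Policy) Matches(user string, readonly bool, resource, namespace string) bool {
	return (p.User == "" || p.User == user) &&
		(!p.Readonly || readonly) &&
		(p.Resource == "" || p.Resource == resource) &&
		(p.Namespace == "" || p.Namespace == namespace)
}

// LoadPolicies parses the policy file format: one JSON object per line.
func LoadPolicies(file string) ([]Policy, error) {
	var ps []Policy
	for _, line := range strings.Split(strings.TrimSpace(file), "\n") {
		var p Policy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, err
		}
		ps = append(ps, p)
	}
	return ps, nil
}

// Authorize allows the request when any policy line matches it.
func Authorize(ps []Policy, user string, readonly bool, resource, namespace string) bool {
	for _, p := range ps {
		if p.Matches(user, readonly, resource, namespace) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed policy file: the question's line, then the answer's workaround line.
	ps, _ := LoadPolicies("{\"user\":\"bob\", \"readonly\": true, \"namespace\": \"projectgino\"}\n{\"user\":\"bob\", \"readonly\": true, \"resource\": \"\"}")
	// GET /api with the first line only; GET /api with both; a read outside projectgino with both.
	fmt.Println(Authorize(ps[:1], "bob", true, "", ""), Authorize(ps, "bob", true, "", ""), Authorize(ps, "bob", true, "secrets", "kube-system")) // false true true
}
```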