Dubs

Reputation: 666

User access using kubectl

I want to set multiple accounts to have access only to their own namespace. We tried authorization mode ABAC, but when we use kubectl we get "error: couldn't read version from server: the server does not allow access to the requested resource", and it seems to be a bug. Is there another way to do it?

Upvotes: 3

Views: 973

Answers (1)

CJ Cullen

Reputation: 5662

Before attempting to access your resources, kubectl first makes requests to the server's /version and /api endpoints to confirm compatibility and negotiate API version. In ABAC, the /version and /api endpoints are considered "nonResourcePaths", but those also require authorization. You can add a rule to your ABAC file allowing all users readonly access to nonResourcePaths as follows:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*", "nonResourcePath": "*", "readonly": true}}

From there, you can make it more restrictive if you need to.

Upvotes: 3
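A simplified model of ABAC matching, added here as an illustration (it is not the API server's code and not part of the original answer): it shows why per-namespace rules alone still fail kubectl's /version and /api requests, and that adding the nonResourcePath rule does not widen namespace access. The users alice and bob and the namespaces team-a and team-b are constructed, and only the user, namespace, resource, nonResourcePath and readonly fields are modelled.

```python
import json

# Constructed policy file: one JSON object per line, as ABAC expects.
# Users alice/bob and namespaces team-a/team-b are made up for this example.
NAMESPACE_ONLY = """\
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "alice", "namespace": "team-a", "resource": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "bob", "namespace": "team-b", "resource": "*"}}
"""
# The rule from the answer above, verbatim.
NON_RESOURCE_RULE = '{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*", "nonResourcePath": "*", "readonly": true}}\n'
READ_VERBS = {"get", "list", "watch"}

def load(text):
    return [json.loads(line)["spec"] for line in text.splitlines() if line.strip()]

def match(pattern, value, prefix=False):
    """'*' matches anything; an unset field matches nothing; else exact match."""
    if pattern == "*":
        return True
    if prefix and pattern and pattern.endswith("*"):   # e.g. "/foo/*"
        return value.startswith(pattern[:-1])
    return bool(pattern) and pattern == value

def allowed(policies, user, verb, namespace=None, resource=None, path=None):
    """True if any policy line matches the request (ABAC rules only allow)."""
    for p in policies:
        if not match(p.get("user"), user):
            continue
        if p.get("readonly") and verb not in READ_VERBS:
            continue
        if path is not None:                           # non-resource request
            if match(p.get("nonResourcePath"), path, prefix=True):
                return True
        elif match(p.get("namespace"), namespace) and match(p.get("resource"), resource):
            return True
    return False

def kubectl_get_pods(policies, user, namespace):
    """Decisions for the requests named in the answer, then the pod list."""
    steps = [dict(path="/version"), dict(path="/api"),
             dict(namespace=namespace, resource="pods")]
    return [allowed(policies, user, "get" if "path" in s else "list", **s) for s in steps]

if __name__ == "__main__":
    before = load(NAMESPACE_ONLY)
    after = load(NAMESPACE_ONLY + NON_RESOURCE_RULE)
    print("namespace rules only:", kubectl_get_pods(before, "alice", "team-a"))
    print("with nonResourcePath:", kubectl_get_pods(after, "alice", "team-a"))
```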
