Reputation: 23187
Kubernetes RBAC: permissions mismatching
I'm facing with next issue. I'm requesting to kubernetes whether I'm able to make some operation:
$ kubectl auth can-i list secrets --namespace iotdevadm
no - no RBAC policy matched
Above, I'm asking for listing secrets. According to response, I'm not able to do that.
However:
$ kubectl get secrets
NAME TYPE DATA AGE
builder-dockercfg-9m9rf kubernetes.io/dockercfg 1 23h
builder-token-6xxdn kubernetes.io/service-account-token 4 23h
builder-token-qc7q7 kubernetes.io/service-account-token 4 23h
default-dockercfg-qs7sj kubernetes.io/dockercfg 1 23h
default-token-n4lpw kubernetes.io/service-account-token 4 23h
default-token-n7rhh kubernetes.io/service-account-token 4 23h
deployer-dockercfg-nhnps kubernetes.io/dockercfg 1 23h
deployer-token-5rkb6 kubernetes.io/service-account-token 4 23h
deployer-token-v85wp kubernetes.io/service-account-token 4 23h
istio.builder istio.io/key-and-cert 3 23h
istio.default istio.io/key-and-cert 3 23h
istio.deployer istio.io/key-and-cert 3 23h
istio.kafka istio.io/key-and-cert 3 16h
istio.zeppelin istio.io/key-and-cert 3 18h
kafka-dockercfg-whltw kubernetes.io/dockercfg 1 16h
kafka-token-crrxt kubernetes.io/service-account-token 4 16h
kafka-token-j5dgd kubernetes.io/service-account-token 4 16h
sh.helm.release.v1.kafka.v1 helm.sh/release.v1 1 16h
sh.helm.release.v1.spark.v1 helm.sh/release.v1 1 16h
sh.helm.release.v1.zeppelin.v1 helm.sh/release.v1 1 18h
sh.helm.release.v1.zookeeper.v1 helm.sh/release.v1 1 16h
spark-secret Opaque 0 16h
zeppelin-dockercfg-7zdkm kubernetes.io/dockercfg 1 18h
zeppelin-token-85jtc kubernetes.io/service-account-token 4 18h
zeppelin-token-x4r5c kubernetes.io/service-account-token 4 18h
Upvotes: 0
Views: 335
Answers (3)
Reputation: 49
Let's say we have namespace testns and service account testsa created in this namespace testns. If you try kubectl auth can-i ... as follows, you should have:
$ kubectl auth can-i get pods --as=system:serviceaccount:testns:testsa -n testns
no
$ kubectl auth can-i get secrets --as=system:serviceaccount:testns:testsa -n testns
no
Let's say now that you have a role allowing listing of pods but no rights specified for secrets on it. As soon as you bind this role with service account testsa in namespace testns, you should have something like this:
$ kubectl auth can-i get pods --as=system:serviceaccount:testns:testsa -n testns
yes
$ kubectl auth can-i get secrets --as=system:serviceaccount:testns:testsa -n testns
no
Upvotes: 0
Reputation: 44549
The commands that you are running are different- one has get and the other one has list.
kubectl get secrets
Above command will get secrets in the namespace configured in kubeconfig. I assume the namespace is iotdevadm in kubeconfig. If this is not the case then run below command.
kubectl get secrets -n iotdevadm
The equivalent command to check permission should be as below.
kubectl auth can-i get secrets --namespace iotdevadm
This command will check permission to get secrets for the user configured in kubeconfig in namespace iotdevadm.
Upvotes: 0
Reputation: 868
kubectl get secrets will list secrets from default namespace unless you have set a namespace context for the current cluster in your kubeconfig file.
kubectl get secrets -n iotdevadm to list secrets from iotdevadm namespace.
Upvotes: 2
Related Questions
- Kubernetes RBAC - forbidden attempt to grant extra privileges
- Scale kubernetes deployment within a pod - permission denied?
- Why do I have a Kubernetes api permission problem?
- RoleBinding not granting permissions
- RBAC permissions required for helm deployment
- Kubernetes RBAC "Allowed by RoleBinding" but "cannot list resource"
- RBAC roles required to solve cannot get path "/" for a user
- Kubernetes permission issue
- Kubernetes returns Forbidden even if RBAC permissions are set
- Kubernetes RBAC permissions - unknown 'clusterrole' flag when attempting to grant permissions?