Reputation: 532
My team recently found out that the default service account, managed by K8S and associated by default to pods, had full read and write permissions in the cluster. We could list secrets from the running pods, create new pods...
We found this strange, as we thought the default service account had no permissions whatsoever, or even just read permissions. So we decided to search through the cluster for role bindings or cluster role bindings associated with that service account, but we could find none.
In a K8S cluster, doesn't the default service account have a basic role binding associated with it? Why don't we have any? And if we don't have any, why does the service account have full permissions on the cluster instead of none at all? Lastly, how can we modify it so that it has no permissions in the cluster?
Just to make it clear: we have multiple namespaces in our cluster, each one having its own default service account. However, none of them have any role bindings associated with them, and they all have full cluster permissions.
Upvotes: 0
Views: 1851
Reputation: 532
Apparently, by default, kops sets up clusters with the K8S API server authorization mode set to AlwaysAllow, meaning any request, as long as it is successfully authenticated, has global admin permissions.
In order to fix this, we had to change the authorization mode to RBAC and manually tweak the permissions.
Thank you to @ArthurBusser for pointing it out!
Upvotes: 1
Reputation:
You just have to look through your RoleBindings/ClusterRoleBindings. Probably there's a default SA somewhere.
Unfortunately there is no built-in solution to search for the ClusterRoles of a user, but you can use the script below:
    # Usage: getRoles <subject kind> <subject name> [subject namespace]
    # Prints "<roleRef kind>/<roleRef name>" for every ClusterRoleBinding whose
    # subjects include the given subject (the namespace argument only matters
    # for ServiceAccount subjects; Users and Groups have none).
    function getRoles() {
        local kind="${1}"
        local name="${2}"
        local namespace="${3:-}"
        kubectl get clusterrolebinding -o json | jq -r "
            .items[]
            |
            select(
                .subjects[]?
                |
                select(
                    .kind == \"${kind}\"
                    and
                    .name == \"${name}\"
                    and
                    (if .namespace then .namespace else \"\" end) == \"${namespace}\"
                )
            )
            |
            (.roleRef.kind + \"/\" + .roleRef.name)
        "
    }

    $ getRoles Group system:authenticated
    ClusterRole/system:basic-user
    ClusterRole/system:discovery
    $ getRoles ServiceAccount attachdetach-controller kube-system
    ClusterRole/system:controller:attachdetach-controller
Upvotes: 0
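The script above only matches the exact subject in ClusterRoleBindings. A service account token also carries the groups `system:serviceaccounts`, `system:serviceaccounts:<namespace>` and `system:authenticated`, and namespaced RoleBindings grant to it too. The audit below is an added example, not code from either answer; it assumes its input is the JSON from `kubectl get clusterrolebindings,rolebindings -A -o json` and embeds a constructed sample of that shape.

```python
import json
import sys

# Constructed sample, shaped like the output of
# `kubectl get clusterrolebindings,rolebindings -A -o json` (assumption).
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "all-sas-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-cm", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "app"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "other"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "other"}]},
]})

def subject_keys(namespace, name):
    """Identities a service account token carries: the SA itself plus the
    groups the API server adds to every authenticated service account."""
    return {
        ("ServiceAccount", name, namespace),
        ("Group", "system:serviceaccounts", ""),
        ("Group", "system:serviceaccounts:" + namespace, ""),
        ("Group", "system:authenticated", ""),
    }

def bindings_for_service_account(bindings_json, namespace, name):
    """Return 'scope: roleRef (via subject)' for every binding granting to the SA."""
    wanted = subject_keys(namespace, name)
    hits = []
    for b in json.loads(bindings_json).get("items", []):
        for s in b.get("subjects") or []:
            ns = s.get("namespace", "") if s.get("kind") == "ServiceAccount" else ""
            if (s.get("kind"), s.get("name"), ns) in wanted:
                scope = b["metadata"].get("namespace", "cluster-wide")
                ref = b["roleRef"]
                hits.append(f"{scope}: {ref['kind']}/{ref['name']} (via {s['kind']}/{s['name']})")
                break  # one hit per binding is enough
    return hits

if __name__ == "__main__":
    ns, sa = sys.argv[1], sys.argv[2]
    # No output only proves "no bindings"; under AlwaysAllow the SA is still admin.
    for line in bindings_for_service_account(sys.stdin.read(), ns, sa):
        print(line)
```

An empty result is only meaningful once the API server runs with `--authorization-mode=RBAC`; with AlwaysAllow, as the accepted answer notes, bindings are never consulted.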