Jay

Reputation: 41

Restricted user in K8s needs CRD access

In my scenario the user has access to four namespaces only; he switches between namespaces using the contexts below. How can I give him access to CRDs along with his existing access to the four namespaces?

CURRENT   NAME                      CLUSTER     AUTHINFO                       NAMESPACE
*         dev-crd-ns-user           dev         dev-crd-ns-user                dev-crd-ns
          dev-mon-fe-ns-user        dev         dev-mon-fe-ns-user             dev-mon-fe-ns
          dev-strimzi-operator-ns   dev         dev-strimzi-operator-ns-user   dev-strimzi-operator-ns
          dev-titan-ns-1            dev         dev-titan-ns-1-user            dev-titan-ns-1


hifi@101common:/root$ kubectl get secret
NAME                                     TYPE                                  DATA   AGE
default-token-mh7xq                      kubernetes.io/service-account-token   3      8d
dev-crd-ns-user-token-zd6xt   kubernetes.io/service-account-token   3      8d
exfo@cmme101common:/root$ kubectl get crd
Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:dev-crd-ns:dev-crd-ns-user" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

I tried the two options below. Option 2 is the recommended one, but it didn't work with either of them.

Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:dev-crd-ns:dev-crd-ns-user" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the **cluster scope** 

Option 1: Adding CRD to existing role

role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
  name: dev-ns-user-full-access
  namespace: dev-crd-ns
rules:
- apiGroups:
  - ""
  - extensions
  - apps
  - networking.k8s.io
  - apiextensions.k8s.io
  resources:
  - '*'
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'

role binding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
  name: dev-crd-ns-user-view
  namespace: dev-crd-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-crd-ns-user-full-access
subjects:
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns

Option 2: Adding CRD as a new Role in the "dev-crd-ns" namespace

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev-crd-ns
  name: crd-admin
rules:
- apiGroups: ["apiextensions.k8s.io"] 
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: crd-admin
  namespace: dev-crd-ns
subjects:
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns
roleRef:
  kind: Role 
  name: crd-admin
  apiGroup: rbac.authorization.k8s.io

Upvotes: 4

Views: 15005

Answers (2)

leland knight

Reputation: 13

Make sure you aren't accidentally specifying a namespace. The service account being used can be specified within a namespace but otherwise customresourcedefinitions are not namespaced objects.

Note, if you create an instance of type crd, those may be namespaced.

$ k auth can-i get crd --as system:serviceaccount:<namespace>:<saname>
Warning: resource 'customresourcedefinitions' is not namespace scoped in group 'apiextensions.k8s.io'

yes

Upvotes: 0

Kamol Hasan

Reputation: 13456

You need to create a Role and a RoleBinding for each service account, like dev-crd-ns-user.

For dev-crd-ns-user:

  • Update the existing Role or create a new one:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev-crd-ns
  name: crd-admin
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

$ kubectl apply -f crd-admin-role.yaml

  • Update the existing RoleBinding with this new Role or create a new one:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: crd-admin
  namespace: dev-crd-ns
subjects:
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns
roleRef:
  kind: Role
  name: crd-admin
  apiGroup: rbac.authorization.k8s.io

$ kubectl apply -f crd-admin-role-binding.yaml

Now, the SA dev-crd-ns-user will have all the access to customresourcedefinitions.

Follow similar steps for the rest of the service accounts.

Upvotes: 4
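The Forbidden error in the question is raised "at the cluster scope", and as leland knight's answer points out, customresourcedefinitions are not namespaced; a Role and RoleBinding inside dev-crd-ns, as in Option 1 and Option 2, can only authorize requests made within that namespace. The following is an added example, not part of the question or either answer, of the cluster-scoped RBAC that lets the same service account read CRDs while its namespaced Roles stay untouched; the names crd-reader and crd-reader-dev-crd-ns-user are assumptions.

```yaml
# Added example: cluster-scoped RBAC for the service account from the question.
# CRDs live at cluster scope, so a Role/RoleBinding in dev-crd-ns never matches
# a request for them; the grant must come from a ClusterRole bound through a
# ClusterRoleBinding. Names crd-reader and crd-reader-dev-crd-ns-user are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-reader
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  # Read-only on purpose: create/update/delete on a CRD changes the API surface
  # of the whole cluster, so those verbs should not be handed to a namespace user.
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crd-reader-dev-crd-ns-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crd-reader
subjects:
# One subject per service account; the other three SAs from the contexts list
# can be added here the same way instead of creating a binding per namespace.
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns
```

After `kubectl apply -f` on this file, `kubectl auth can-i list customresourcedefinitions --as system:serviceaccount:dev-crd-ns:dev-crd-ns-user` should answer yes, while the namespaced Roles keep scoping everything else to the four namespaces.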
