1 year ago
#360031
Coding_Cat
In Kubernetes new users have all permissions to do anything although they are not assigned any Roles or ClusterRoles
RBAC is enabled (checked with kubectl api-versions, and got rbac records in the output). So as I assume, the normal users that are not bound with any Roles and ClusterRoles should have the most limited access to the cluster. I create the certificates and add these new users with signed certificates to kubernetes as in the tutorial (https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user).
But my new users have full access to the cluster, they can list, update etc. all the resources (also double checked manually, and run the command kubectl auth can-i '' '' and it returned yes).
I have seen the similar post (New Kubernetes service account appears to have cluster admin permissions), but it was about serviceaccounts and eventually their problem was that they had some ClusterRoleBinding that bound some overly permissive role to all their new users. But in our case I couldn't find such a binding.
I checked whether they are added to some kind of a service group or are assigned cluster-admin role, but it doesn't seem to be the reason, because I cannot even see cluster-admin role when listing all the cluster roles with kubectl get clusterroles. Please, let me know if anything like this has ever happened to you or if you have any ideas what else I should check/configure to have all the new users with the least possible permissions, to be able to just add some granular roles to them.
UPDATE (output of the commands):
1)openssl req -in mike.csr -text | grep -i subject
Output:
Subject: CN = mike, O = trial
Subject Public Key Info:
2)kubectl get clusterrolebindings -o wide | grep mike\|trial
(also used such options for grep: grep mike, grep mike\trial, grep trial, grep '<mike|trial>' - all resulted in empty string))
Output: empty
3)kubectl get rolebindings -o wide | grep mike\|trial
(also used such options for grep: grep mike, grep mike\trial, grep trial, grep '<mike|trial>' - all resulted in empty string)
Output: empty
4)kubectl whoami
Output: mike
5)kubectl auth can-i '*' '*'
Output: yes
6)kubectl auth can-i create pods
Output: yes
kubernetes
kubernetes-apiserver
kubeconfig
kubernetes-rbac
0 Answers
Your Answer