1 year ago

#360031

test-img

Coding_Cat

In Kubernetes new users have all permissions to do anything although they are not assigned any Roles or ClusterRoles

RBAC is enabled (checked with kubectl api-versions, and got rbac records in the output). So as I assume, the normal users that are not bound with any Roles and ClusterRoles should have the most limited access to the cluster. I create the certificates and add these new users with signed certificates to kubernetes as in the tutorial (https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user).

But my new users have full access to the cluster, they can list, update etc. all the resources (also double checked manually, and run the command kubectl auth can-i '' '' and it returned yes).

I have seen the similar post (New Kubernetes service account appears to have cluster admin permissions), but it was about serviceaccounts and eventually their problem was that they had some ClusterRoleBinding that bound some overly permissive role to all their new users. But in our case I couldn't find such a binding.

I checked whether they are added to some kind of a service group or are assigned cluster-admin role, but it doesn't seem to be the reason, because I cannot even see cluster-admin role when listing all the cluster roles with kubectl get clusterroles. Please, let me know if anything like this has ever happened to you or if you have any ideas what else I should check/configure to have all the new users with the least possible permissions, to be able to just add some granular roles to them.


UPDATE (output of the commands):

1)openssl req -in mike.csr -text | grep -i subject Output:

Subject: CN = mike, O = trial
Subject Public Key Info:

2)kubectl get clusterrolebindings -o wide | grep mike\|trial (also used such options for grep: grep mike, grep mike\trial, grep trial, grep '<mike|trial>' - all resulted in empty string)) Output: empty

3)kubectl get rolebindings -o wide | grep mike\|trial (also used such options for grep: grep mike, grep mike\trial, grep trial, grep '<mike|trial>' - all resulted in empty string) Output: empty

4)kubectl whoami Output: mike

5)kubectl auth can-i '*' '*' Output: yes

6)kubectl auth can-i create pods Output: yes

kubernetes

kubernetes-apiserver

kubeconfig

kubernetes-rbac

0 Answers

Your Answer

Accepted video resources