I have an Azure Kubernetes cluster, set up with authentication and authorization set to "Azure AD authentication with Kubernetes RBAC".
I expect to be able to both use AAD to authenticate and also use regular service accounts within the cluster.
While it seems to work within my namespace, it looks as if I cannot grant service accounts access to cluster-scoped resources:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dummy-admin
---
apiVersion: rbac.authorization.k8s.io/v1
# This role binding grants "example-role" (below) to the subject
# listed under "subjects", within the namespace it is applied to.
kind: RoleBinding
metadata:
  name: exmple-binding
subjects:
- kind: User
  name: dummy-admin # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: v1
kind: Pod
metadata:
  name: kubectl
spec:
  serviceAccountName: dummy-admin
  containers:
  - name: kubectl
    image: bitnami/kubectl
    # Just spin & wait forever
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
Applying this config, running kubectl exec -ti pod/kubectl -- /bin/bash and trying to list nodes gives me this error:
I have no name!@kubectl:/$ kubectl get all
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "pods" in API group "" in the namespace "jaiv"
Error from server (Forbidden): replicationcontrollers is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "replicationcontrollers" in API group "" in the namespace "jaiv"
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "services" in API group "" in the namespace "jaiv"
Error from server (Forbidden): daemonsets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "daemonsets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "deployments" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): replicasets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "replicasets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "statefulsets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "jaiv"
Error from server (Forbidden): cronjobs.batch is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "cronjobs" in API group "batch" in the namespace "jaiv"
Error from server (Forbidden): jobs.batch is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "jobs" in API group "batch" in the namespace "jaiv"
In this case, I see I am the correct identity, and would expect to be allowed to list resources in my namespace.
2 Answers
I finally found my mistake.
When doing the rolebinding, there are three different subject types: User, Group & ServiceAccount. I was using User as a subject kind, and instead needed to define the rolebinding as:
In your code you use Role and RoleBinding instead of ClusterRole and ClusterRoleBinding. Those are different resource types. You are creating a service account in the default namespace and try to do something in the jaiv namespace. Try to instead use a ClusterRole and a ClusterRoleBinding. It also works for namespaced resources, but cluster-wide. (It is created identically, just has a different name.) More details here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole