Home > Software design >  Kubernetes 403 Forbidden querying API with good RBAC credentials
Kubernetes 403 Forbidden querying API with good RBAC credentials

Time:09-06

Final update: Apparently there was some sort of issue with the variables defined in the curl command when redefined them after closing the connection to the cluster, command started working.


The setup is simple, on learning environment. i created ServiceAccount, Role & Rolebinding

Trying to query pods or Services, i'm getting:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services is forbidden: User \"system:serviceaccount:default:myscript\" cannot list resource \"services\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403

I don't know where i'm failing. Originally i had only get, list and delete verbs. but even after using wildcard '*' keeps saying forbidden.

Here's some info from the cluster:

Query command: curl -X GET $SERVER/api/v1/namespaces/default/services --header "Authorization: Bearer $MYSCRIPT_TOKEN" --cacert /etc/kubernetes/pki/ca.crt

ubuntu@master:~/$ kubectl describe sa myscript
Name:                myscript
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              myscript-token
Events:              <none>

ubuntu@master:~/$ kubectl get role script-role
NAME          CREATED AT
script-role   2022-09-04T10:44:22Z

ubuntu@master:~/$ kubectl get rolebinding script-rb -o wide
NAME        ROLE               AGE   USERS   GROUPS   SERVICEACCOUNTS
script-rb   Role/script-role   57m                    default/myscript

ubuntu@master:~/$ kubectl describe role script-role
Name:         script-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  pods              []                 []              [*]
  services          []                 []              [*]
  deployments.apps  []                 []              [get list delete]

Update:

few can-i commands that evidence RBAC should be good.

ubuntu@master:~$ kubectl auth can-i get services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i list services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i delete services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i delete deploy --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i update  deploy --as system:serviceaccount:default:myscript
no

ServiceAccount manifest.

ubuntu@master:~$ kubectl get sa myscript -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-09-04T10:35:47Z"
  name: myscript
  namespace: default
  resourceVersion: "675592"
  uid: ab3b3c20-e3b9-405a-a9e9-e4f65ac13f5c

Role manifest

ubuntu@master:~$ kubectl get role script-role -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"script-role","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods","services"],"verbs":["get","list","delete"]},{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","delete"]}]}
  creationTimestamp: "2022-09-04T10:44:22Z"
  name: script-role
  namespace: default
  resourceVersion: "681508"
  uid: a1b03864-081e-4d0a-bf54-9c69f6f6c17e
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - delete

RoleBinding manifest

ubuntu@master:~$ kubectl get rolebinding script-rb -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"script-rb","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"script-role"},"subjects":[{"kind":"ServiceAccount","name":"myscript","namespace":"default"}]}
  creationTimestamp: "2022-09-04T10:46:05Z"
  name: script-rb
  namespace: default
  resourceVersion: "676627"
  uid: dbdcef8f-6a30-4cd3-8152-2626c2284c83
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: script-role
subjects:
- kind: ServiceAccount
  name: myscript
  namespace: default

CodePudding user response:

2 questions:

  1. Can you share the manifests of Role, RoleBinding and ServiceAccount?
  2. Are you able to verify the working of your Role & RoleBinding with ServiceAccount using the kubectl auth can-i command?
// kubectl auth can-i <verb> <resource> -n <namespace> --as system:service:<namespace>:<service-account-name> 
kubectl auth can-i get service --as system:serviceaccount:default:myscript
  • Related