1
votes

I'm deploying an application to my Kubernetes cluster that uses the Kubernetes API to list the pods in the cluster (not only the ones in its namespace). The application will live in its own namespace.

The RBAC rules are as follows:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: kubecontrol-rbac-role-binding
  namespace: kubecontrol
subjects:
  - kind: ServiceAccount
    namespace: kubecontrol
    name: default
roleRef:
  kind: ClusterRole
  name: kubecontrol-rbac-role
  apiGroup: rbac.authorization.k8s.io

As you can see I have a ClusterRole, that grants "list", "get" and "watch" permissions on the "pods" resource, and a RoleBinding that applies this ClusterRole to the default ServiceAccount for the namespace.

When I check the authorisation with kubectl auth can-i, this configuration would appear to be correct:

$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods
yes
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods --v=8
...
I0326 23:17:05.125188   56505 request.go:947] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"kubecontrol","verb":"list","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"kubecontrol-rbac-role-binding/kubecontrol\" of ClusterRole \"kubecontrol-rbac-role\" to ServiceAccount \"default/kubecontrol\""}}

RBAC: allowed by RoleBinding "kubecontrol-rbac-role-binding/kubecontrol" of ClusterRole "kubecontrol-rbac-role" to ServiceAccount "default/kubecontrol"

However, when I actually try to perform the operation, I get told I'm not allowed to do so:

$ kubectl get pod --as=system:serviceaccount:kubecontrol:default --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kubecontrol:default" cannot list resource "pods" in API group "" at the cluster scope

I see the same error message in my application.

The user (system:serviceaccount:kubecontrol:default) is identical in both scenarios, so why am I not able to list pods even though according to Kubernetes itself I should be able to? Is there something I'm missing?


1 Answer

3
votes

With --all-namespaces you list the pods in all namespaces of the cluster. But since you used only a RoleBinding, you have the rights from the ClusterRole only for the given namespace (in your case, the namespace kubecontrol). You have to use a ClusterRoleBinding instead to give you the ClusterRole for the whole cluster.
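The manifest below is an added example, not part of the question or the answer above. It keeps the question's ClusterRole and replaces the RoleBinding with a ClusterRoleBinding, which has no namespace and therefore grants the role's verbs on pods in every namespace, the scope that kubectl get pod --all-namespaces needs. The namespace name kubecontrol is taken from the question; the dedicated ServiceAccount named kubecontrol is an assumption added here so that the cluster-wide read grant is not inherited by every other pod that happens to run with the namespace's default account. The API version is rbac.authorization.k8s.io/v1, since the v1beta1 version used in the question was removed in Kubernetes 1.22.

```yaml
# Added example: same ClusterRole as in the question, bound cluster-wide.
# Assumed: a dedicated ServiceAccount "kubecontrol" in namespace "kubecontrol"
# (set spec.serviceAccountName: kubecontrol in the application's pod spec).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubecontrol
  namespace: kubecontrol
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# A ClusterRoleBinding has no metadata.namespace: the subject receives the
# role's verbs on pods in all namespaces, not just in "kubecontrol".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubecontrol-rbac-cluster-role-binding
subjects:
- kind: ServiceAccount
  name: kubecontrol
  namespace: kubecontrol
roleRef:
  kind: ClusterRole
  name: kubecontrol-rbac-role
  apiGroup: rbac.authorization.k8s.io
# Verification, checking the cluster scope rather than a single namespace:
#   kubectl auth can-i list pods --all-namespaces \
#     --as=system:serviceaccount:kubecontrol:kubecontrol
# Expected: yes. Before applying this manifest the same query reports "no".
```

The check in the question asked about a single namespace: the --v=8 output shows "resourceAttributes" with "namespace":"kubecontrol", so the "yes" was correct for that namespace and said nothing about the cluster scope that --all-namespaces requires. Passing --all-namespaces to kubectl auth can-i sets the namespace to the empty string, which is the cluster-scope query the application actually makes. Binding the ClusterRole to a dedicated ServiceAccount rather than default keeps the grant limited to the one workload that needs to read pods cluster-wide.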