This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

Request Help to Specify --authorization-mode in API Model for k8s RBAC #680

Closed
robbiezhang opened this issue May 26, 2017 · 8 comments · Fixed by #1143

Comments

@robbiezhang

Is this a request for help?:
yes

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST

k8s 1.6+ supports RBAC/ABAC. However, it requires the API server to start with extra parameters, e.g. `--authorization-mode=RBAC,ABAC --authorization-policy-file=mypolicy.json`

Currently, there is no way to specify them in the API model.

Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm)
Kubernetes 1.6+

What happened:
I'm unable to enable the RBAC for my cluster.

What you expected to happen:
In API model, I can define the --authorization-mode or --authorization-policy-file for apiserver.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:
You can specify multiple modes in the `--authorization-mode`, e.g. `--authorization-mode=RBAC,ABAC`. It's important for RBAC, since RBAC requires an initial super user to set up the other roles.

@anhowe
Contributor

anhowe commented Jun 15, 2017

Here is a useful intro to enable k8s RBAC: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/. Consider enabling with AAD.

@Globegitter

@anhowe How does this tutorial explain how to enable RBAC? All it says is "From Kubernetes 1.6 onwards, RBAC policies are enabled by default." and then it explains how to use RBAC. How can this be enabled via AAD?

@robbiezhang
Author

robbiezhang commented Jun 20, 2017

One more thing: To allow the default user (client certificate with subject `CN=client`) to have permission to create/edit all ClusterRoles and Roles, it must have all the permissions "via an RBAC role binding". The easiest way is to make the default user a member of the `system:masters` group. In other words, add the organization (`system:masters`) into the subject of the certificate, i.e. `CN=client/O=system:masters`.

@Globegitter

Globegitter commented Jul 6, 2017

@robbiezhang That almost did the trick for me thanks :) Also needed to add a ServiceAccount and Rolebinding for heapster and a ServiceAccount for kube-dns (has default RoleBinding). See: https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/rbac/heapster-rbac.yaml & https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/google/heapster.yaml as well as https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/kubedns-sa.yaml

@Anmorata

I'm having the same problem with RBAC. I can't activate it. I tried adding
`--authorization-mode=RBAC`
in kube-apiserver.yaml, but after restart the field disappears. (I edited the yaml in kubernetes/manifest.)
Did you find any solution?

@robbiezhang
Author

@Anmorata Interesting, I didn't have this problem. Which k8s version do you use? It's only available after v1.6.0. I tried on v1.6.2 and v1.6.6; both work.

@Anmorata

I'm using version 1.6.6, installed with acs-engine. kube-apiserver starts with:

```yaml
command:
- "/hyperkube"
- "apiserver"
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
- "--address=0.0.0.0"
- "--allow-privileged"
- "--insecure-port=8080"
- "--secure-port=443"
- "--cloud-provider=azure"
- "--cloud-config=/etc/kubernetes/azure.json"
- "--service-cluster-ip-range=10.0.0.0/16"
- "--etcd-servers=http://127.0.0.1:2379"
- "--etcd-quorum-read=true"
- "--advertise-address=10.240.255.5"
- "--tls-cert-file=/etc/kubernetes/certs/apiserver.crt"
- "--tls-private-key-file=/etc/kubernetes/certs/apiserver.key"
- "--client-ca-file=/etc/kubernetes/certs/ca.crt"
- "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
- "--storage-backend=etcd2"
- "--v=4"
```

I modified the yaml file and added:

```yaml
- "--authorization-mode=RBAC"
- "--authorization-policy-file=/etc/auth/policies.jsonl"
- "--authorization-rbac-super-user=kube-admin"
```

but no luck :)

`kubectl get clusterrole` returns `No resources found.` and I can't create any myself.

@robbiezhang
Author

I guess you need to use ABAC also, since you added the `--authorization-policy-file` option.
Here are my settings:

```yaml
- "--authorization-mode=RBAC,ABAC"
- "--authorization-policy-file=mypolicy.json"
```

However, the user still doesn't have permission to create any RBAC role or clusterrole, as it must have all the permissions described in that role via an RBAC role binding.
If the user has full permissions via another authorizer (ABAC here), you can grant yourself an existing RBAC role (and the permission to bind that role is checked via the full authorizer chain), i.e., run

```shell
kubectl create clusterrolebinding my-root-user --clusterrole=cluster-admin --user=<your root user>
```
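The two comments above come down to one configuration rule: a policy file only does anything when `ABAC` is among the listed modes, and without `RBAC` in the list the RBAC objects are never evaluated. The following audit script is an added example, not code from acs-engine or from anyone in this thread. It reads the `command:` list of a kube-apiserver static pod manifest without a YAML library (the constructed sample is a trimmed copy of the manifest posted above with the `RBAC`-only change applied), extracts the `--flag=value` entries, and reports the mismatches discussed here. The function names `parse_flags` and `audit_authorization` are the example's own.

```python
"""Audit kube-apiserver authorization flags from a static pod manifest.

Added example (not from acs-engine or the issue thread). It pulls the
"--flag=value" entries out of the manifest's command list and reports the
authorization problems discussed in the thread: RBAC not enabled, a policy
file given without the ABAC authorizer that reads it, ABAC listed without
a policy file, and a permissive mode that bypasses RBAC entirely.
"""
import re

# Constructed sample: a trimmed copy of the posted manifest with the
# "RBAC only plus policy file" change that did not work.
SAMPLE_MANIFEST = '''\
command:
- "/hyperkube"
- "apiserver"
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
- "--allow-privileged"
- "--secure-port=443"
- "--client-ca-file=/etc/kubernetes/certs/ca.crt"
- "--authorization-mode=RBAC"
- "--authorization-policy-file=/etc/auth/policies.jsonl"
'''

# One list item of the form:  - "--flag"  or  - "--flag=value"
FLAG_RE = re.compile(r'^\s*-\s*"?(--[A-Za-z0-9-]+)(?:=([^"]*))?"?\s*$')


def parse_flags(manifest_text):
    """Return {flag: value} for every --flag item in the command list.

    Boolean flags given without '=' (e.g. --allow-privileged) map to None.
    Non-flag items such as "/hyperkube" and "apiserver" are skipped.
    """
    flags = {}
    for line in manifest_text.splitlines():
        match = FLAG_RE.match(line)
        if match:
            flags[match.group(1)] = match.group(2)
    return flags


def audit_authorization(flags):
    """Return a list of findings (strings) about the authorization setup.

    An empty list means the modes and policy-file flag are consistent
    with each other; it does not prove the RBAC bindings themselves are right.
    """
    findings = []
    mode = flags.get("--authorization-mode")
    modes = [m.strip() for m in mode.split(",")] if mode else []
    policy = flags.get("--authorization-policy-file")

    if not modes:
        # kube-apiserver falls back to AlwaysAllow when the flag is absent.
        findings.append("no --authorization-mode set: apiserver defaults to AlwaysAllow")
    if "AlwaysAllow" in modes:
        findings.append("AlwaysAllow is listed: every authenticated request is permitted")
    if "RBAC" not in modes:
        findings.append("RBAC is not in --authorization-mode, so Roles/ClusterRoles are never evaluated")
    if policy and "ABAC" not in modes:
        findings.append("--authorization-policy-file is set but ABAC is not in --authorization-mode,"
                        " so no authorizer reads that policy file")
    if "ABAC" in modes and not policy:
        findings.append("ABAC is listed but --authorization-policy-file is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_authorization(parse_flags(SAMPLE_MANIFEST)) or ["no findings"]:
        print(finding)
```

Run against the sample it reports exactly one finding, the policy-file-without-ABAC mismatch; with the `RBAC,ABAC` pair plus a policy file it reports none, and with the flag absent altogether it flags the `AlwaysAllow` default, which is the silent failure mode to watch for when a manifest edit is reverted on restart as described above.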

@seanknox seanknox added this to the v0.5.0 milestone Jul 21, 2017
@ghost ghost assigned lachie83 and seanknox Jul 31, 2017
@ghost ghost removed the in progress label Aug 3, 2017