-
Notifications
You must be signed in to change notification settings - Fork 558
Request Help to Specify --authorization-mode in API Model for k8s RBAC #680
Comments
Here is a useful intro to enable k8s RBAC: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/. Consider enabling with AAD. |
@anhowe How does this tutorial explain how to enable RBAC? All it says is |
One more thing: To allow the default user (client certificate with subject: CN=client) have the permission to create/edit all ClusterRoles and Roles, it must have all the permissions "via an RBAC role binding". The easiest way is to make the default user in the system:masters group. In other words, add the organization (system:masters) into the subject of the certificate, i.e. CN=client/O=system:masters. |
@robbiezhang That almost did the trick for me thanks :) Also needed to add a ServiceAccount and Rolebinding for heapster and a ServiceAccount for kube-dns (has default RoleBinding). See: https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/rbac/heapster-rbac.yaml & https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/google/heapster.yaml as well as https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/kubedns-sa.yaml |
I'm having the same problem with RBAC. cant activate it. tried adding in kube-apiserver.yaml |
@Anmorata interesting, I didn't have this problem. Which k8s version do you use? It's only available after v1.6.0. I tried on v1.6.2 and v1.6.6, both works. |
I'm using version 1.6.6. installed it with acs-engine.kube-apiserver starts with modified the yaml file and added: kubectl get clusterrole returns:No resources found. and cant create any by myself |
I guess you need to use ABAC also, since you add the --authorization-policy-file option. However, the user still doesn’t have permission to create any RBAC role or clusterrole, as it must have all the permissions described in that role via an RBAC role binding |
Is this a request for help?:
yes
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST
k8s 1.6+ supports RBAC/ABAC. However, it requires the API server start with extra parameters, e.g. --authorization-mode=RBAC,ABAC --authorization-policy-file=mypolicy.json
Currently, there is no way to specify them in the API model.
Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm)
Kubernetes 1.6+
What happened:
I'm unable to enable the RBAC for my cluster.
What you expected to happen:
In API model, I can define the --authorization-mode or --authorization-policy-file for apiserver.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know:
You can specify multiple mode in the --authorization-mode, e.g. --authorization-mode=RBAC,ABAC. It's important for RBAC, since RBAC requires initial super user to setup the other roles.
The text was updated successfully, but these errors were encountered: