Kubernetes cluster role with permissions to watch events
I'm trying to create a cluster role with permissions to watch events, but it seems that I'm missing something.

I'm using the following:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: watch-events
  namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: watch-events-cluster
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: watch-events-cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: watch-events-cluster
subjects:
- kind: ServiceAccount
  name: watch-events
  namespace: test

No matter what I try with kubectl auth can-i watch events --as watch-events, I always get a no.

Am I missing something?

Salvatore answered 9/3, 2020 at 22:10 Comment(0)
The RBAC is correct and will give cluster-wide permission to watch events across all namespaces, but the kubectl command is incorrect. The command should be

kubectl auth can-i watch events --as=system:serviceaccount:test:watch-events

Cuyp answered 10/3, 2020 at 5:59 Comment(5)
Hello @arghya, this also doesn't work, and according to the k8s documentation, "ClusterRoleBinding may be used to grant permission at the cluster level and in all namespaces" (kubernetes.io/docs/reference/access-authn-authz/rbac/…), so I shouldn't be limited to -n test in this case. - Salvatore
So you still get no. I tried the same command and the same RBAC and I got yes. I tried removing -n as well and still got yes, which is expected. Yes, you are right, a cluster role gives cluster-wide permission. - Cuyp
You are right @Arghya... It worked now... I couldn't find in the k8s documentation why I have to use system:serviceaccount:test: though. - Salvatore
This looks like a fake command: if you run it with --as=system:serviceaccount:test:watch-even, even if the account does not exist, you still get yes, and this command doesn't report the problem. - Boisleduc
It's for impersonating a user or service account. I am aware that it does not report the problem properly, but this is AFAIK a handy command to test the permissions of a user or service account. Do you have a better alternative? - Cuyp
If you are making API calls against the Swagger API for Kubernetes, you need to specify the Events API group properly with the suffix .k8s.io.

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#-strong-api-groups-strong-

---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # ClusterRole is cluster-scoped, so it takes no namespace.
  name: my-custom-role
rules:
  - apiGroups:
      # Events exist in the core group ("") and in events.k8s.io;
      # each group has to be listed to cover both.
      - ''
      - events.k8s.io
    resources:
      - events
    verbs:
      - '*'
---
Pigmy answered 22/9, 2021 at 19:18 Comment(0)
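As an added illustration that is not code from either answer above, the Python below models the string-based subject and rule matching Kubernetes RBAC performs, using the ServiceAccount, ClusterRole and ClusterRoleBinding from the question transcribed as dicts so it runs offline. It shows why the accepted answer's --as=system:serviceaccount:test:watch-events form is required, why the result is the same in every namespace, and why the second answer's events.k8s.io group needs its own entry; it is not a real authorizer (RoleBindings, Group subjects and resourceNames are left out), and the namespaces and names are the question's own.

```python
# Added illustration, not code from the thread: a tiny model of the
# string-based subject/rule matching Kubernetes RBAC does, with the
# ServiceAccount, ClusterRole and ClusterRoleBinding from the question
# transcribed as dicts so it runs offline (no cluster, no YAML library).
def sa_username(namespace: str, name: str) -> str:
    """Username the API server gives a ServiceAccount token, and the value
    --as= needs: system:serviceaccount:<namespace>:<name>."""
    return f"system:serviceaccount:{namespace}:{name}"

# ClusterRole watch-events-cluster from the question: core ("") group only.
CLUSTER_ROLES = {
    "watch-events-cluster": [
        {"apiGroups": [""], "resources": ["events"], "verbs": ["watch"]},
    ],
}
# ClusterRoleBinding from the question, subjects stored as usernames.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "watch-events-cluster",
     "subjects": [sa_username("test", "watch-events")]},
]

def rule_allows(rule: dict, verb: str, group: str, resource: str) -> bool:
    """Verb, API group and resource must each be listed ('*' is a wildcard).
    events.k8s.io is a separate group from the core group "" and has to be
    listed on its own, as the second answer points out."""
    def match(wanted: str, allowed: list) -> bool:
        return "*" in allowed or wanted in allowed
    return (match(verb, rule["verbs"]) and match(group, rule["apiGroups"])
            and match(resource, rule["resources"]))

def can_i(user: str, verb: str, resource: str, group: str = "",
          namespace: str = "test") -> bool:
    """True if a ClusterRoleBinding names `user` and its ClusterRole allows
    the request. Matching is purely by string: the authorizer never checks
    that a ServiceAccount object exists. `namespace` is accepted but unused
    because a ClusterRoleBinding applies identically in every namespace."""
    for binding in CLUSTER_ROLE_BINDINGS:
        if user not in binding["subjects"]:
            continue  # "--as watch-events" is a User named watch-events, not the SA
        if any(rule_allows(r, verb, group, resource)
               for r in CLUSTER_ROLES[binding["roleRef"]]):
            return True
    return False

if __name__ == "__main__":
    sa = sa_username("test", "watch-events")
    print(can_i("watch-events", "watch", "events"))               # False
    print(can_i(sa, "watch", "events", namespace="kube-system"))  # True
    print(can_i(sa, "watch", "events", group="events.k8s.io"))    # False
```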
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions

Default RBAC policies grant scoped permissions to control-plane components, nodes, and controllers, but grant no permissions to service accounts outside the kube-system namespace (beyond discovery permissions given to all authenticated users).

Boisleduc answered 10/3, 2020 at 4:30 Comment(1)
OP has defined a cluster role and granted it though? - Aggi