RBAC role to manage single pod with dynamic name

I need to grant access to one deployment and all pods of this deployment using RBAC. I've managed to configure Role and RoleBinding for the deployment, and it's working fine:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: <my-namespace>
  name: <deployment>-manager-role
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments"]
    resourceNames: ["<deployment>"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: <deployment>-manager-binding
  namespace: <my-namespace>
subjects:
  - kind: User
    name: <username>
    apiGroup: ""
roleRef:
  kind: Role
  name: <deployment>-manager-role
  apiGroup: ""

Using this role, the user can access, update and patch the deployment. This deployment creates pods with dynamic names (like <deployment>-5594cbfcf4-v4xx8). I tried to allow this user to access these pods (get, list, watch, read logs, exec, delete) using the deployment name and using the deployment name + wildcard char *:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: <my-namespace>
  name: <deployment>-pods-manager-role
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["pods"]
    resourceNames: ["<deployment>*"]
    verbs: ["get", "list", "watch", "update", "patch", "exec", "delete"]

I also updated the role binding. But when I try to get the pod:

kubectl --context=<username>-ctx -n <namespace> get pods <deployment>-5594cbfcf4-v4xx8

I'm getting an error:

Error from server (Forbidden): pods "<deployment>-5594cbfcf4-v4xx8" is forbidden: User "<username>" cannot get resource "pods" in API group "" in the namespace "<namespace>"

If I add <deployment>-5594cbfcf4-v4xx8 to the list of resourceNames, the user can access this pod.

Is it possible to grant access to the specific pods based on deployment name?

Clack answered 24/12, 2019 at 8:26 Comment(1)
Permissions are usually set by namespace; use that model instead - it will be easier. – Kaohsiung

In Kubernetes, pods are considered ephemeral "cattle"; they come and go. You shouldn't try to manage RBAC per pod.

In your use case, there is unfortunately no way to grant a role over a set of pods matching a certain name, because the resourceNames field doesn't support patterns like prefixes/suffixes. Don't get confused: a single asterisk character ('*') has a special meaning that means "all", but it's not a pattern. So, 'my-app-*' in resourceNames will not work. There were tickets opened for this feature, but it wasn't implemented:
https://github.com/kubernetes/kubernetes/issues/56582

There was also a request to be able to manage RBAC over labels, but that feature isn't implemented either:
https://github.com/kubernetes/kubernetes/issues/44703

Therefore, you probably need to change your model to grant roles to users to manage all pods in a certain namespace. Your deployment should be the only "source of pods" in that namespace. That way, you will not need to specify any resource names.

Protochordate answered 24/12, 2019 at 15:59 Comment(1)
Personally feel like this is a major weakness with RBAC, because that kind of fine-grained permission is often necessary. For instance, I want to be able to give devs exec access to their deployment's pods for debugging, but not to others. Argh. I'm a bit frustrated. – Reider
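
The namespace-scoped model the answer recommends, written out as an added example (not part of the original thread): a Role without resourceNames plus its binding, covering the operations the question lists. The placeholders in <...> follow the question, the binding name is hypothetical, and it assumes <my-namespace> contains only the pods of <deployment>.

```yaml
# Added example; assumes <deployment> is the only source of pods in <my-namespace>.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  namespace: <my-namespace>
  name: <deployment>-pods-manager-role
rules:
  # Pods live in the core API group (""). With no resourceNames the rule covers
  # every pod in the namespace, whatever suffix the ReplicaSet generates.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "delete"]
  # Logs are a subresource of pods and are read with "get".
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # exec is a subresource, not a verb. "create" covers POST-based exec;
  # "get" covers clients that open the exec stream with a GET (WebSocket) request.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <deployment>-pods-manager-binding   # hypothetical name
  namespace: <my-namespace>
subjects:
  - kind: User
    name: <username>
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: <deployment>-pods-manager-role
  apiGroup: rbac.authorization.k8s.io
```

Running `kubectl auth can-i --list --as <username> -n <my-namespace>` as a cluster admin shows the effective grants, and the same command against any other namespace should show none of these pod permissions.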
