Possible gap where rolebindings are used with clusterroles #31

@raesene

Description

I was looking at a cluster today and noticed that there were some results I was expecting which didn't show up. I think that what might be happening is that kubectl-who-can isn't picking up cases where a RoleBinding is bound to a ClusterRole (the other option is I'm doing something wrong here, which is quite possible :) ).

I did the following test with a vanilla kind cluster.

1. Create a ClusterRole which can get secrets

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```

2. Create a new namespace

```shell
kubectl create namespace test
```

3. Create a new service account in the namespace

```shell
kubectl -n test create serviceaccount test1
```

4. Create a RoleBinding in that namespace

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: test
subjects:
- kind: ServiceAccount
  name: test1
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

At this point, if I use `kubectl auth can-i`, it shows that the service account can get secrets in that namespace.

```shell
kubectl -n test auth can-i get secrets --as=system:serviceaccount:test:test1
yes
```

However, if I use kubectl-who-can like this, the test account isn't in the list of subjects:

```shell
./kubectl-who-can -n test get secrets
No subjects found with permissions to get secrets assigned through RoleBindings

CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACE
cluster-admin                                         system:masters                      Group
system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-system
system:controller:expand-controller                   expand-controller                   ServiceAccount  kube-system
system:controller:generic-garbage-collector           generic-garbage-collector           ServiceAccount  kube-system
system:controller:horizontal-pod-autoscaler           horizontal-pod-autoscaler           ServiceAccount  kube-system
system:controller:namespace-controller                namespace-controller                ServiceAccount  kube-system
system:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-system
system:kube-controller-manager                        system:kube-controller-manager      User
```
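To make the reported gap concrete, here is an added example (not code from kubectl-who-can or from the issue's author) of how a RoleBinding's `roleRef` has to be resolved: `roleRef.kind` selects whether the name is looked up among the namespace's Roles or among ClusterRoles, and a binding to a ClusterRole still grants only inside the binding's namespace. The struct types are constructed stand-ins for the RBAC API objects; the sample data used to exercise it is the issue's `secret-reader` ClusterRole and `read-secrets` RoleBinding.

```go
package main
// Minimal mirrors of the RBAC fields this check needs (constructed; not client-go types).
type Rule struct{ APIGroups, Resources, Verbs []string }
type Role struct {
	Name, Namespace string // Namespace is "" for a ClusterRole
	Rules           []Rule
}
type Subject struct{ Kind, Name string }
type RoleRef struct{ Kind, Name string }
type RoleBinding struct {
	Namespace string
	Subjects  []Subject
	RoleRef   RoleRef
}

// matches implements RBAC list matching, where "*" matches anything.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// SubjectsWhoCan lists "Kind/name" for each subject of a RoleBinding in ns whose roleRef grants verb on resource.
func SubjectsWhoCan(ns, apiGroup, resource, verb string, bindings []RoleBinding, roles, clusterRoles []Role) []string {
	var out []string
	for _, rb := range bindings {
		candidates, wantNS := clusterRoles, "" // RoleBinding -> ClusterRole: the case the issue reports as missed
		if rb.RoleRef.Kind == "Role" {
			candidates, wantNS = roles, ns
		}
		for _, r := range candidates {
			if rb.Namespace != ns || r.Name != rb.RoleRef.Name || r.Namespace != wantNS {
				continue
			}
			for _, rule := range r.Rules {
				if matches(rule.APIGroups, apiGroup) && matches(rule.Resources, resource) && matches(rule.Verbs, verb) {
					for _, s := range rb.Subjects {
						out = append(out, s.Kind+"/"+s.Name)
					}
					break // one matching rule is enough; avoid listing a subject twice
				}
			}
		}
	}
	return out
}
```

The apiGroup argument is the API group string, so the core group (secrets, pods) is passed as `""`, exactly as it appears in the ClusterRole's `apiGroups: [""]`.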

Labels: bug (Something isn't working)