
kubectl auth can-i fails when using user impersonation (--as) for ServiceAccounts #41988

@lindhe

Description


Rancher Server Setup

  • Rancher version: v2.7.3
  • Installation option (Docker install/Helm Chart): Helm chart
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): RKE2 v1.25.9+rke2r1
  • Proxy/Cert Details: Not sure what information you are asking for here.

Information about the Cluster

  • Kubernetes version: v1.25.9+rke2r1
  • Cluster Type (Local/Downstream): Downstream
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider): Custom

User Information

  • What is the role of the user logged in? Admin

Describe the bug

User impersonation fails for the kubectl auth can-i command towards downstream Rancher clusters.

To Reproduce

  1. Apply the following manifest:

    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: test
    spec: {}
    status: {}
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: issue
      namespace: test
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: issue
    rules:
    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - get
      - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: issue
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: issue
    subjects:
    - kind: ServiceAccount
      name: issue
      namespace: test
  2. Check if the new ServiceAccount can get namespaces:

    kubectl --as system:serviceaccount:test:issue auth can-i get namespaces

Result

$ kubectl --as system:serviceaccount:test:issue auth can-i get namespaces
Error from server (Forbidden): {"Code":{"Code":"Forbidden","Status":403},"Message":"clusters.management.cattle.io \"c-m-qqpj5fml\" is forbidden: User \"system:serviceaccount:test:issue\" cannot get resource \"clusters\" in API group \"management.cattle.io\" at the cluster scope","Cause":null,"FieldName":""} (post selfsubjectaccessreviews.authorization.k8s.io)

Expected Result

$ kubectl --as system:serviceaccount:test:issue auth can-i get namespaces
Warning: resource 'namespaces' is not namespace scoped

yes

Additional context

It seems like the issue here lies with the Rancher proxy, because if I bypass it things work as expected:

$ SA_TOKEN="$(kubectl -n test create token issue)"

$ kubectl --insecure-skip-tls-verify --server "https://192.0.2.2:6443" --token "${SA_TOKEN:?}" auth can-i get ns
Warning: resource 'namespaces' is not namespace scoped

yes

$ kubectl --insecure-skip-tls-verify --server "https://192.0.2.2:6443" --token "${SA_TOKEN:?}" auth can-i create ns
Warning: resource 'namespaces' is not namespace scoped

no
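The reproduction above compares three outcomes that look alike on a terminal but mean different things: a "yes", a "no", and a 403 on the review request itself. The following Python is an added example, not code from the issue or from the Rancher project. It transcribes the ClusterRole from the reproduction manifest into a small offline RBAC evaluator, builds the SelfSubjectAccessReview request that `kubectl auth can-i` actually POSTs (with `--as` mapped to the `Impersonate-User` header), and classifies a reply so that a rejected review (the proxy's 403) is never confused with an RBAC "no". The helper names, the HTTP status values used for classification, and the constructed sample replies are assumptions; the Rancher error body is copied from the Result section.

```python
"""Added example for the Rancher issue above (not the issue's or the project's
code). Assumed helper names; sample responses are constructed, except the
proxy error body, which is the one printed in the issue's Result section."""
import json

# Transcribed from the manifest's ClusterRole "issue" (constructed Python dicts).
ISSUE_CLUSTERROLE_RULES = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]},
]

# Verbatim from the issue's Result section: what the Rancher proxy returned.
RANCHER_PROXY_ERROR = json.loads(
    '{"Code":{"Code":"Forbidden","Status":403},"Message":"clusters.management.cattle.io '
    '\\"c-m-qqpj5fml\\" is forbidden: User \\"system:serviceaccount:test:issue\\" cannot '
    'get resource \\"clusters\\" in API group \\"management.cattle.io\\" at the cluster '
    'scope","Cause":null,"FieldName":""}'
)


def rule_allows(rule, verb, group, resource):
    """True if one RBAC PolicyRule covers (verb, group, resource); '*' wildcards."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule["apiGroups"], group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def rbac_allows(rules, verb, group, resource):
    """Local RBAC evaluation: the subject is allowed if any bound rule matches."""
    return any(rule_allows(r, verb, group, resource) for r in rules)


def build_can_i_request(verb, resource, group="", namespace=None, impersonate=None):
    """Return (headers, body) for what `kubectl auth can-i` sends: a POST of a
    SelfSubjectAccessReview to the API server. `--as USER` is sent as the
    Impersonate-User header, so the review is answered for that user."""
    headers = {"Content-Type": "application/json"}
    if impersonate:
        headers["Impersonate-User"] = impersonate
    attrs = {"verb": verb, "resource": resource, "group": group}
    if namespace:
        attrs["namespace"] = namespace
    body = {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {"resourceAttributes": attrs},
    }
    return headers, body


def interpret_can_i(status, body):
    """Classify a reply. HTTP 201 means the review was created and the real
    answer is status.allowed ('yes' / 'no'). HTTP 403 means the POST of the
    review itself was refused, which is an error path (the Rancher proxy case
    in the issue), not an authorization answer for the requested verb."""
    if status == 201:
        return "yes" if body.get("status", {}).get("allowed") else "no"
    if status == 403:
        message = body.get("Message") or body.get("message", "")
        return "error: review rejected: " + message
    return "error: unexpected HTTP %d" % status


if __name__ == "__main__":
    sa = "system:serviceaccount:test:issue"
    print("local RBAC, get namespaces:", rbac_allows(ISSUE_CLUSTERROLE_RULES, "get", "", "namespaces"))
    print("local RBAC, create namespaces:", rbac_allows(ISSUE_CLUSTERROLE_RULES, "create", "", "namespaces"))
    headers, body = build_can_i_request("get", "namespaces", impersonate=sa)
    print("request headers:", headers)
    print("request body:", json.dumps(body))
    # Constructed replies: a direct API-server answer, then the proxy's 403.
    print("direct:", interpret_can_i(201, {"status": {"allowed": True}}))
    print("via proxy:", interpret_can_i(403, RANCHER_PROXY_ERROR))
```

The local evaluator and the review response should agree for the direct API-server path; when the proxied path yields an "error: review rejected" classification instead of "yes" or "no", the discrepancy is in the hop that handled the impersonation header, not in the ClusterRole.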

Labels

  • JIRA (to be used in correspondence with the internal ticketing system)
  • QA/L
  • area/authentication
  • kind/enhancement (issues that improve or augment existing functionality)
  • priority/0
  • release-note (note this issue in the milestone's release notes)
  • team/collie (the team that is responsible for auth and rbac within rancher)
