I am baffled. kubectl says I can (via the kubectl auth can-i subcommand), but then when I go to perform the action, I can't.

I have installed kubectl on a docker image which is running on a pod managed by a Deployment. When I kubectl exec -it into that pod (which only has a single container) I get this.

user@my-pod:~$ kubectl auth can-i get secrets -n myNamespace
yes

user@my-pod:~$ kubectl get secrets -n myNamespace
Error from server (Forbidden):
secrets is forbidden:
User "system:serviceaccount:myNamespace:myServiceAccount"
cannot list resource "secrets" in API group "" in the namespace "myNamespace"

Here is how my serviceaccount is configured:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myServiceAccount
  namespace: myNamespace

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myRole
  namespace: myNamespace
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "describe"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myRoleBinding
  namespace: myNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myRole
subjects:
- kind: ServiceAccount
  name: myServiceAccount
  namespace: myNamespace

I am first of all curious to know if I am using kubectl auth can-i incorrectly.

Secondly, I would like to be able to authorize this serviceaccount to make this API call. Is there a misconfiguration in my yaml?

Aposhian
  • 113
  • 5

1 Answer

What's going on here is the unfortunate collision between kubectl using get in two different ways, while can-i uses it in only one way. The list of supported verbs for can-i shows up on its reference page.

Running:

kubectl auth can-i get secrets -n myNamespace

asks about the get verb specifically. That is the equivalent of kubectl get secret my-awesome-secret. If you want to know about kubectl get secret, that is using the list verb, and thus would be tested via:

kubectl auth can-i list secrets -n myNamespace

The distinction is called out in this table: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb

I believe the fix for your Role is to update verbs: to also include "list" if you want to enumerate the Secrets:

rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "describe", "list"]
mdaniel
  • 2,561
  • 1
  • 9
  • 13
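An added example, not code from the question or the answer: a small shell helper that encodes the kubectl-command to RBAC-verb mapping from the linked verb table, so the can-i query you run checks the same verb the API server will check. The role_allows check, the flag list and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Maps a kubectl
# read-style invocation to the RBAC verb(s) the API server checks, builds the
# matching `kubectl auth can-i` query, and tests a Role's verbs list offline.

# rbac_verbs <kubectl-verb> <resource> [name] [flags...]
# Prints the RBAC verb(s) exercised by `kubectl <kubectl-verb> <resource> ...`.
rbac_verbs() {
  kverb=$1; resource=$2; shift 2
  name=""; watch=no; skip=no
  for arg in "$@"; do
    if [ "$skip" = yes ]; then skip=no; continue; fi   # value of the previous flag
    case "$arg" in
      -n|--namespace|-o|--output|-l|--selector) skip=yes ;;  # flags taking a value (assumed list)
      -w|--watch|--watch-only) watch=yes ;;
      -*) ;;                                  # other flags do not change the verb
      *) [ -n "$name" ] || name=$arg ;;       # first bare word is an object name
    esac
  done
  case "$kverb" in
    get)
      if [ "$watch" = yes ]; then echo "list watch"   # watch mode lists first, then watches
      elif [ -n "$name" ]; then echo "get"            # one named object -> GET .../secrets/NAME
      else echo "list"                                # whole collection -> GET .../secrets
      fi ;;
    *) echo "unknown" ;;                              # only the get family is modelled here
  esac
}

# can_i_query <kubectl-verb> <resource> <namespace> [name] [flags...]
# Prints the `kubectl auth can-i` command(s) that test the same access.
can_i_query() {
  kverb=$1; resource=$2; ns=$3; shift 3
  for v in $(rbac_verbs "$kverb" "$resource" "$@"); do
    echo "kubectl auth can-i $v $resource -n $ns"
  done
}

# role_allows <verbs-csv> <verb>: succeeds when a rule whose verbs are
# <verbs-csv> (e.g. "get,describe") covers <verb>; "*" matches any verb.
role_allows() {
  case ",$1," in
    *,\*,*|*,$2,*) return 0 ;;
    *) return 1 ;;
  esac
}

# The question's scenario: the Role grants get and describe, but a bare
# `kubectl get secrets` is a collection read, so the verb checked is list.
for v in $(rbac_verbs get secrets -n myNamespace); do
  if role_allows "get,describe" "$v"; then echo "$v: allowed"; else echo "$v: forbidden"; fi
done
can_i_query get secrets myNamespace                     # the query that matches `kubectl get secrets`
can_i_query get secrets myNamespace my-awesome-secret   # the query that matches a single named get
```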