
I want to make a very simple example to learn how to use RBAC authorization in kubernetes. Therefore I use the example from the docs:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: dev-readpods-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-tester-rolebinding
  namespace: dev
subjects:
- kind: User
  name: Tester
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-readpods-role
  apiGroup: rbac.authorization.k8s.io

The role and the rolebinding are created.

When I log in with Tester and try

kubectl get pods -n dev

I get

Error from server (Forbidden): pods is forbidden: User "<url>:<port>/oidc/endpoint/OP#Tester" cannot list pods in the namespace "dev"

I read here (RBAC Error in Kubernetes) that the api-server has to be started with --authorization-mode=…,RBAC. How can I check this? I read somewhere else that if I run

kubectl api-versions | findstr rbac

and find entries RBAC should be activated. Is that true?

What am I doing wrong? Is there a good way to troubleshoot?

Thanks!

P.S. I'm running kubernetes inside IBM Cloud Private.

Fdot

2 Answers


You would need to determine the invocation of the apiserver to see what --authorization-mode flag was passed to it. Normally this is contained in a systemd unit file or pod manifest. I'm not sure how IBM Cloud launches the apiserver.

Jordan Liggitt
  • I found another way (I'll ask my system admin for a good one, as soon as he is back). "ps -aux | grep apiserver" And "--authorization-mode=RBAC" is set, but it is not working (the example). What can be wrong? – Fdot Sep 24 '18 at 13:39
  • Update: When I'm logged in as admin and run "kubectl auth can-i list pods --namespace dev --as Tester" it responds "yes". When I log in as Tester and run "kubectl auth can-i list pods --namespace dev" it responds "no". I'm logging in with "kubectl config set-credentials Tester --token=..." and "kubectl config set-context cluster.local-context --user=Tester --namespace=undefined". So it seems that the Tester in the Role is not the same as the Tester I log in as? – Fdot Sep 24 '18 at 14:00
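The mismatch the comments above point to, as an added example that is not part of the original question or answers: the Forbidden error quotes the user name the apiserver actually authenticated (the OIDC issuer URL plus "#Tester"), and a RoleBinding only grants access when subjects[].name equals that string exactly. The script below extracts the name from a constructed copy of the error (the issuer host is a placeholder) and checks it against the question's RoleBinding; "kubectl auth can-i --as Tester" answers yes only because it impersonates the bare name "Tester".

```shell
#!/bin/sh
# Added example, not from the question or answers. Compares the user name the
# apiserver printed in a Forbidden error with the User subjects of a RoleBinding.

# Constructed from the error in the question; the issuer URL is a placeholder.
FORBIDDEN_ERR='Error from server (Forbidden): pods is forbidden: User "https://icp.example:8443/oidc/endpoint/OP#Tester" cannot list pods in the namespace "dev"'

# Constructed RoleBinding, identical in shape to the one in the question.
ROLEBINDING='kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-tester-rolebinding
  namespace: dev
subjects:
- kind: User
  name: Tester
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-readpods-role
  apiGroup: rbac.authorization.k8s.io'

# Print the user name quoted in a Forbidden error (what the apiserver really saw).
forbidden_user() {
  printf '%s\n' "$1" | sed -n 's/.*User "\([^"]*\)".*/\1/p'
}

# Print the name of every "kind: User" subject in a RoleBinding manifest.
binding_users() {
  printf '%s\n' "$1" | awk '
    /^subjects:/ { in_subj = 1; next }
    /^roleRef:/  { in_subj = 0 }
    in_subj && /kind: *User/ { want = 1; next }
    in_subj && want && /name:/ { sub(/.*name: */, ""); print; want = 0 }'
}

# Return 0 if the authenticated user is bound by the manifest, 1 otherwise,
# printing the exact name to copy into subjects[].name when it is not.
check_binding() {
  user=$(forbidden_user "$1")
  if binding_users "$2" | grep -qxF -- "$user"; then
    echo "bound: $user"; return 0
  fi
  echo "NOT bound: put this exact name in subjects[].name: $user" >&2
  return 1
}

check_binding "$FORBIDDEN_ERR" "$ROLEBINDING" || true
```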

In ICP, it looks encouraging to use Teams (ICP's own term, I think). Try starting with it. But you need an LDAP server outside of ICP. https://www.ibm.com/support/knowledgecenter/en/SSBS6K_2.1.0.3/user_management/admin.html

  • Thanks. I solved it by clicking at the admin console. Not very nice, but it works now. – Fdot Sep 25 '18 at 07:46