-2

I am using Google cloud's GKE for my kubernetes operations.

I am trying to restrict access to the users that access the clusters using command line. I have applied IAM roles in Google cloud and given view role to the Service accounts and users. It all works fine if we use it through api or "--as " in kubectl commands but when someone tries to do a kubectl create an object without specifying "--as" object still gets created with "default" service account of that particular namespace.

To overcome this problem we gave restricted access to "default" service account but still we were able to create objects.

$ kubectl auth can-i create deploy --as default -n test-rbac
no

$ kubectl run nginx-test-24 -n test-rbac --image=nginx
deployment.apps "nginx-test-24" created

$ kubectl describe  rolebinding default-view -n test-rbac
Name:         default-view
Labels:       <none>
 Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  view
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  default  test-rbac

I expect users who are accessing cluster through CLI should not be able to create objects if they dont have permisssions, even if they dont use "--as" flag they should be restricted.

Badmaash
  • 29
  • 3

2 Answers2

0

Please take in count that first you need to review the prerequisites to use RBAC in GKE

Also, please note that IAM roles applies to the entire Google Cloud project and all clusters within that project and RBAC enables fine grained authorization at a namespace level. So, with GKE these approaches to authorization work in parallel.

For more references, please take a look on this document RBAC in GKE

Raul Bautista
  • 131
  • 3
  • Well, whatever you told is pretty basic and I guess everyone here knows about it. Anyways, thanks for trying. – Badmaash Jan 16 '19 at 04:46
0

For all the haters of this question, I wish you could've tried pointing to this:

there is a file at:

~/.config/gcloud/configurations/config_default

in this there is a option under [container] section: use_application_default_credentials

set to true

Here you go , you learnt something new.. enjoy. Wish you could have tried helping instead of down-voting.

Badmaash
  • 29
  • 3