Using minikube, when running the following command:

```
kubectl -v=11 --kubeconfig /dev/null --insecure-skip-tls-verify -s http://localhost:8001 --token "invalid" -n namespace get pods
```

I have an answer when I don't want one. And I don't know how it was authorized. Moreover, if I use a valid token with specific rights, these are not used.

The question "kubectl --token=$TOKEN doesn't run with the permissions of the token" doesn't answer my question, as I specified to use /dev/null as a config file.

Any idea?

Neok
  • I get 401 with this command which is expected...and I am not on minikube – Arghya Sadhu Aug 03 '20 at 16:10
  • Why not use a `kube-proxy`? – Roman Kiselenko Aug 03 '20 at 16:45
  • As in the linked question, I guess that the authentication is done using a client certificate. But for testing purposes, I do not want it involved, and cannot find an option on the kubectl command to confirm this assumption and disable it if confirmed. – Neok Aug 03 '20 at 17:07
  • kube-proxy is unrelated. The kubectl command must have a way to use its token as specified. – Neok Aug 03 '20 at 17:11
  • Another odd thing, the associated permissions when the token is ignored are not the same as kubectl exec works without but doesn't with. – Neok Aug 03 '20 at 17:16
  • Where are you running minikube from? `8001` doesn't seem either the default port or the port that minikube would use for the kube-apiserver? – Rico Aug 03 '20 at 22:02
  • It looks like you are using `kubectl proxy` (guessing because localhost:8001). Can you confirm? @Neok – Matt Aug 04 '20 at 07:26
  • I confirm, so I can address to the Kubernetes apiserver – Neok Aug 04 '20 at 08:04
  • Ok, so with the minikube API endpoint it works fine (didn't know about it). I'll definitely look up what kubectl proxy was doing. – Neok Aug 04 '20 at 08:58
  • Using kubectl proxy you are already authorized as another user and this is why it is working. Does this answer your question? @Neok – Matt Aug 04 '20 at 12:18
  • Definitely! Not within the scope of the question, but would you know where I can find out about this proxy user's permissions? (just to check up on it.) – Neok Aug 04 '20 at 13:30
  • You can run `kubectl auth can-i --list` to list your permissions. @Neok – Matt Aug 05 '20 at 07:21

1 Answer

I will try to summarize the answer I provided in the comments.

The question was: Why does running `kubectl -s http://localhost:8001 --kubeconfig /dev/null --token <invalid_token>` (where :8001 is a port opened by `kubectl proxy`) respond as if I were authorized, when it shouldn't, because I set all possible authorization options to null or incorrect values?

The answer is that `kubectl proxy` opens a port and handles all authorization for you, so you don't have to. Now, to access the REST API of Kubernetes, all you need to do is use `curl localhost:8001/...`. No tokens and certificates.

Because you are already authorized with `kubectl proxy`, using kubectl and pointing it to localhost:8001 means that it won't need to authorize and you won't need any tokens to access k8s.


As an alternative, you can check what happens when you run the same command but, instead of connecting through `kubectl proxy`, you use the Kubernetes port directly.

You mentioned that you are using minikube, so by default that would be port 8443:

```
$ kubectl --kubeconfig /dev/null -s https://$(minikube ip):8443 --token "invalid" --insecure-skip-tls-verify get pods

error: You must be logged in to the server (Unauthorized)
```

As you see, now it works as expected.

Matt
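
The comparison made in this thread, turned into a repeatable check (an added example, not part of the original question or answer): it sends the same invalid-token request to each endpoint and reports whether the token was actually enforced, which flags local ports that hand out cluster access without credentials, such as one opened by `kubectl proxy`. The function name `probe_endpoint` and its output labels are hypothetical, and `--request-timeout` is a standard kubectl flag that does not appear in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). probe_endpoint and its output
# labels are hypothetical names chosen for this sketch.

# probe_endpoint SERVER_URL
# Sends the thread's request with a deliberately invalid bearer token and an
# empty kubeconfig, then classifies the endpoint:
#   enforced         - the token was evaluated and rejected (401 Unauthorized)
#   preauthenticated - the request was accepted as some identity even though
#                      the only credential supplied was invalid, as happens
#                      behind `kubectl proxy`
#   unknown          - unreachable, timeout, or any other error
probe_endpoint() (
  server=$1
  if out=$(kubectl --kubeconfig /dev/null -s "$server" --token "invalid" \
             --insecure-skip-tls-verify --request-timeout=5s get pods 2>&1)
  then
    echo "preauthenticated"
  elif printf '%s\n' "$out" | grep -q 'Unauthorized'; then
    echo "enforced"
  elif printf '%s\n' "$out" | grep -q 'Forbidden'; then
    # 403 means authentication succeeded and only RBAC said no; an invalid
    # token on its own is answered with 401, so another credential was used.
    echo "preauthenticated"
  else
    echo "unknown"
  fi
)

# Usage: ./probe.sh http://localhost:8001 "https://$(minikube ip):8443"
for server in "$@"; do
  verdict=$(probe_endpoint "$server")
  printf '%s\t%s\n' "$server" "$verdict"
  if [ "$verdict" = "preauthenticated" ]; then
    # Show what the identity behind this endpoint is allowed to do.
    kubectl --kubeconfig /dev/null -s "$server" auth can-i --list || true
  fi
done
```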