Why kubernetes default service account has full access to the API on docker desktop?

Question

As far as i know the default service account in Kubernetes should not have any permissions assigned. But still I can perform following from the pod on my docker desktop k8s:

APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/pods

How is that posible?

Furhermore I discovered that each pod have a different value of the SA token (cat /var/run/secrets/kubernetes.io/serviceaccount/token) and different from the one returned by kubectl describe secret default-token-cl9ds Shouldn't it be the same?

Update:

$ kubectl get rolebindings.rbac.authorization.k8s.io podviewerrolebinding -o yaml                                                                                              
apiVersion: rbac.authorization.k8s.io/v1                                                                                                                                       
kind: RoleBinding                                                                                                                                                              
metadata:                                                                                                                                                                      
  annotations:                                                                                                                                                                 
    kubectl.kubernetes.io/last-applied-configuration: |                                                                                                                        
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"podviewerrolebinding","namespace":"default"},"roleRef":{"apiGroup"
:"rbac.authorization.k8s.io","kind":"Role","name":"podviewerrole"},"subjects":[{"kind":"ServiceAccount","name":"podviewerserviceaccount"}]}                                    
  creationTimestamp: "2021-09-07T10:01:51Z"                                                                                                                                    
  name: podviewerrolebinding                                                                                                                                                   
  namespace: default                                                                                                                                                           
  resourceVersion: "402212"                                                                                                                                                    
  uid: 2d32f045-b172-4fff-a6b0-1525b0b96e65                                                                                                                                    
roleRef:                                                                                                                                                                       
  apiGroup: rbac.authorization.k8s.io                                                                                                                                          
  kind: Role                                                                                                                                                                   
  name: podviewerrole                                                                                                                                                          
subjects:                                                                                                                                                                      
- kind: ServiceAccount                                                                                                                                                         
  name: podviewerserviceaccount

Hello @Marcin I got "code": 403 for curl request with default service account. Is it different for you? Unfortunately you did't add output. — Andrew Skorkin, Sep 09 '21 at 13:55
kubectl get pods nginx-1.10-7688d7d6cc-49mcp -o yaml returns "serviceAccount: default" and after issuing command "curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/pods" pods definitionts are returned — Marcin, Sep 12 '21 at 17:01
What authorization mode do you use? Could you please check permission for you default service account using next command? kubectl auth can-i --as=system:serviceaccount:: [-n ] For example I used from my side: kubectl auth can-i get pods --as=system:serviceaccount:default:default — Andrew Skorkin, Sep 14 '21 at 08:49
$ kubectl auth can-i get pods --as=system:serviceaccount:default:default yes — Marcin, Sep 14 '21 at 19:07
Ok, that means default service account has non-default rights. Did you check Roles, ClusterRoles? Maybe you have made some changes previously? — Andrew Skorkin, Sep 16 '21 at 22:28
This is a default installation without any additional rolebindings for default sa. Is there a command for checking all the permissions for sa at once? — Marcin, Sep 17 '21 at 12:58
Please include the output of `kubectl get rolebindings.rbac.authorization.k8s.io` — , Sep 23 '21 at 08:55
"podviewerrolebinding Role/podviewerrole 16d" - this is the only output. But this role is not bound to the pod in question — Marcin, Sep 23 '21 at 11:45
How did you provision your cluster? Is it bare-metal or hosted in cloud? — , Sep 24 '21 at 09:58
What is the output of `kubectl get rolebindings.rbac.authorization.k8s.io podviewerrolebinding -o yaml`. Please include it in your original post. Reading command outputs in comments is hard. You can do this by editing your original post. — , Sep 28 '21 at 08:00

score 1 · Answer 1 · answered Sep 29 '21 at 08:15

1

I hit the same issue, it looks like docker desktop has elevated permissions (i.e. admin) by default, see the article here.

Removing the clusterrolebinding docker-for-desktop-binding via the following command fixes the issue.

kubectl delete clusterrolebinding docker-for-desktop-binding

answered Sep 29 '21 at 08:15

Daryl Hurst

11
1

There is a comment in this article (from 2019): "In the last stable and edge, we changed the rule to only affect the kube-system namespace. Let me know if it's still disturbing.". I have docker desktop v 20.10.8 and it is still not working correctly. kubectl describe clusterrolebinding docker-for-desktop-binding returns subject "Group system:serviceaccounts kube-system" – Marcin Sep 30 '21 at 09:33

Why kubernetes default service account has full access to the API on docker desktop?

1 Answers1