
In order to make a high availability test in a Kubernetes cluster, I use a tool such as chaoskube or kube-monkey, which kills random pods in namespaces to create "chaos" and to see how the system and applications will react.

By default these tools need a cluster role, in order to let their service account list/kill pods in all namespaces of the cluster. In my situation I want to install this tool and make the test in just one namespace (namespace x). Is there any way to restrict the permissions of the service account, just to give it the permissions to list/kill pods from (namespace x) and not the whole cluster?

I already tried to create a Role & RoleBinding in (namespace x), but I still have the same RBAC error, as the service account expects to have the cluster permissions:

"pods is forbidden: User \"system:serviceaccount:x:chaoskube-sa\" cannot list resource \"pods\" in API group \"\" at the cluster scope"

Update: Role & RoleBinding. These are the default permissions for its service account:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: chaoskube-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: chaoskube-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: chaoskube-role
subjects:
- kind: ServiceAccount
  name: chaoskube-sa
  namespace: x

With this configuration it works fine. Now with restricted permissions for a specific namespace:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chaoskube-role
  namespace: x
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chaoskube-rolebinding
  namespace: x
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: chaoskube-role
subjects:
- kind: ServiceAccount
  name: chaoskube-sa
  namespace: x

It cannot list the pods, and I receive the RBAC error.

D.MO
  • "i already tried to create a role & rolebinding in (namespace x)" Show us what you've tried? It sounds like you're on the right track. – larsks Feb 17 '22 at 12:35
  • @larsks I have tried to create a namespace Role & RoleBinding like above. However, it did not help. – D.MO Feb 17 '22 at 12:57
  • I tried to reproduce your problem, but using your manifests (just with name changes) it all seems to work as expected. You can see my complete example [here](https://github.com/larsks/so-example-71157808). – larsks Feb 17 '22 at 15:07
  • @larsks thank you for providing the example. This is true: in this way the service account can list the pods from namespace x, and this can be verified with kubectl: (( kubectl auth can-i list pods --as=system:serviceaccount:x:chaoskube-sa -n yes )). But the problem is that the tool itself (kube-monkey/chaoskube) did not accept the namespace role and expected just a clusterrole. So even with creating the namespace role I got the RBAC error. Maybe it is just built so, and could not be customized – D.MO Feb 18 '22 at 07:57
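The question and the last comment together describe the same RBAC scoping rule from two sides: `kubectl auth can-i ... -n x` succeeds with the namespaced Role, yet a tool that lists pods across all namespaces is denied "at the cluster scope". The following added example is a small Python model of that scoping (it is not chaoskube's or kube-monkey's code, and not the kube-apiserver's authorizer; it ignores aggregation, `resourceNames` and `nonResourceURLs`). It replays the two manifest sets from the question against both kinds of request, and adds a third, hypothetical set named `LEAST_PRIVILEGE` that keeps `list` cluster-wide but grants `delete` only in namespace x. That third set assumes the tool can be configured to delete pods only in namespace x even though it lists cluster-wide; whether a given tool behaves that way is not established by this thread.

```python
"""Toy model of Kubernetes RBAC scoping (added example; not chaoskube's code
and not the real kube-apiserver authorizer). Replays the question's manifests
against the namespaced request `kubectl auth can-i ... -n x` makes and the
cluster-scoped request a tool makes when it lists pods in all namespaces."""
from dataclasses import dataclass
from typing import Optional

# Rules shared by both manifest sets in the question (constructed inline as dicts).
RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "delete"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
]
SUBJECTS = [{"kind": "ServiceAccount", "name": "chaoskube-sa", "namespace": "x"}]

# Default manifests from the question: ClusterRole + ClusterRoleBinding.
CLUSTER_SCOPED = [
    {"kind": "ClusterRole", "metadata": {"name": "chaoskube-role"}, "rules": RULES},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "chaoskube-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "chaoskube-role"}, "subjects": SUBJECTS},
]
# Restricted manifests from the question: Role + RoleBinding in namespace x.
NAMESPACED = [
    {"kind": "Role", "metadata": {"name": "chaoskube-role", "namespace": "x"}, "rules": RULES},
    {"kind": "RoleBinding", "metadata": {"name": "chaoskube-rolebinding", "namespace": "x"},
     "roleRef": {"kind": "Role", "name": "chaoskube-role"}, "subjects": SUBJECTS},
]
# Hypothetical least-privilege split (assumption: the tool lists cluster-wide
# but only ever deletes in namespace x): read-only list everywhere, delete only in x.
LEAST_PRIVILEGE = [
    {"kind": "ClusterRole", "metadata": {"name": "chaoskube-list"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "chaoskube-list"},
     "roleRef": {"kind": "ClusterRole", "name": "chaoskube-list"}, "subjects": SUBJECTS},
    {"kind": "Role", "metadata": {"name": "chaoskube-kill", "namespace": "x"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
               {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "chaoskube-kill", "namespace": "x"},
     "roleRef": {"kind": "Role", "name": "chaoskube-kill"}, "subjects": SUBJECTS},
]


@dataclass(frozen=True)
class Request:
    user: str                        # e.g. "system:serviceaccount:x:chaoskube-sa"
    verb: str
    resource: str
    api_group: str = ""              # "" is the core API group
    namespace: Optional[str] = None  # None = cluster scope (list across all namespaces)


def subject_matches(subject, user):
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and user == subject["name"]


def rule_matches(rule, req):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), req.api_group)
            and hit(rule.get("resources", []), req.resource)
            and hit(rule.get("verbs", []), req.verb))


def authorize(manifests, req):
    """Return (allowed, reason). A ClusterRoleBinding applies in every namespace
    and to cluster-scoped requests; a RoleBinding applies only to requests inside
    its own namespace, so it can never satisfy a cluster-scoped list."""
    roles = {(m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    for b in manifests:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(subject_matches(s, req.user) for s in b["subjects"]):
            continue
        binding_ns = b["metadata"].get("namespace")
        if b["kind"] == "RoleBinding" and req.namespace != binding_ns:
            continue  # wrong namespace, or a cluster-scoped request
        ref = b["roleRef"]
        role = roles.get((ref["kind"], binding_ns if ref["kind"] == "Role" else None, ref["name"]))
        if role and any(rule_matches(r, req) for r in role.get("rules", [])):
            return True, f"allowed by {b['kind']}/{b['metadata']['name']}"
    scope = "at the cluster scope" if req.namespace is None else f'in the namespace "{req.namespace}"'
    return False, (f'{req.resource} is forbidden: User "{req.user}" cannot {req.verb} '
                   f'resource "{req.resource}" in API group "{req.api_group}" {scope}')


SA = "system:serviceaccount:x:chaoskube-sa"


def check(manifests):
    """Outcome of the four requests that matter in this thread, keyed by a label."""
    return {
        "list pods in x": authorize(manifests, Request(SA, "list", "pods", namespace="x"))[0],
        "list pods cluster-wide": authorize(manifests, Request(SA, "list", "pods"))[0],
        "delete pod in x": authorize(manifests, Request(SA, "delete", "pods", namespace="x"))[0],
        "delete pod in y": authorize(manifests, Request(SA, "delete", "pods", namespace="y"))[0],
    }


if __name__ == "__main__":
    for name, manifests in [("cluster-scoped", CLUSTER_SCOPED), ("namespaced", NAMESPACED),
                            ("least-privilege", LEAST_PRIVILEGE)]:
        print(name, check(manifests))
    print(authorize(NAMESPACED, Request(SA, "list", "pods"))[1])
```

Running it shows the namespaced set allowing "list pods in x" but denying the cluster-wide list with the exact message quoted in the question, while the `LEAST_PRIVILEGE` set allows the cluster-wide read but refuses a delete in any namespace other than x. If a tool insists on a cluster-scoped list, that split is the smallest grant that still lets it run, and a denied delete outside x would surface in the audit log as a `forbidden` response for `system:serviceaccount:x:chaoskube-sa`.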
