stackoom
  简体   繁体   中英

Kubernetes 403 Forbidden querying API with good RBAC credentials

 原文  2022-09-04 11:57:42       api/ kubernetes/ http-status-code-403/ rbac

Question

Final update : Apparently there was some sort of issue with the variables defined in the curl command when redefined them after closing the connection to the cluster, command started working.

The setup is simple, on learning environment. i created ServiceAccount , Role & Rolebinding

Trying to query pods or Services, i'm getting:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services is forbidden: User \"system:serviceaccount:default:myscript\" cannot list resource \"services\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403

I don't know where i'm failing. Originally i had only get , list and delete verbs. but even after using wildcard '*' keeps saying forbidden.

Here's some info from the cluster:

Query command : curl -X GET $SERVER/api/v1/namespaces/default/services --header "Authorization: Bearer $MYSCRIPT_TOKEN" --cacert /etc/kubernetes/pki/ca.crt

ubuntu@master:~/$ kubectl describe sa myscript
Name:                myscript
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              myscript-token
Events:              <none>

ubuntu@master:~/$ kubectl get role script-role
NAME          CREATED AT
script-role   2022-09-04T10:44:22Z

ubuntu@master:~/$ kubectl get rolebinding script-rb -o wide
NAME        ROLE               AGE   USERS   GROUPS   SERVICEACCOUNTS
script-rb   Role/script-role   57m                    default/myscript

ubuntu@master:~/$ kubectl describe role script-role
Name:         script-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  pods              []                 []              [*]
  services          []                 []              [*]
  deployments.apps  []                 []              [get list delete]

Update:

few can-i commands that evidence RBAC should be good.

ubuntu@master:~$ kubectl auth can-i get services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i list services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i delete services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i delete deploy --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i update  deploy --as system:serviceaccount:default:myscript
no

ServiceAccount manifest. 

ubuntu@master:~$ kubectl get sa myscript -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-09-04T10:35:47Z"
  name: myscript
  namespace: default
  resourceVersion: "675592"
  uid: ab3b3c20-e3b9-405a-a9e9-e4f65ac13f5c

Role manifest 

ubuntu@master:~$ kubectl get role script-role -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"script-role","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods","services"],"verbs":["get","list","delete"]},{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","delete"]}]}
  creationTimestamp: "2022-09-04T10:44:22Z"
  name: script-role
  namespace: default
  resourceVersion: "681508"
  uid: a1b03864-081e-4d0a-bf54-9c69f6f6c17e
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - delete

RoleBinding manifest 

ubuntu@master:~$ kubectl get rolebinding script-rb -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"script-rb","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"script-role"},"subjects":[{"kind":"ServiceAccount","name":"myscript","namespace":"default"}]}
  creationTimestamp: "2022-09-04T10:46:05Z"
  name: script-rb
  namespace: default
  resourceVersion: "676627"
  uid: dbdcef8f-6a30-4cd3-8152-2626c2284c83
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: script-role
subjects:
- kind: ServiceAccount
  name: myscript
  namespace: default

1 answers

solution1
 0 ACCPTED  2022-09-05 03:43:56

2 questions:

  1. Can you share the manifests of Role , RoleBinding and ServiceAccount ?
  2. Are you able to verify the working of your Role & RoleBinding with ServiceAccount using the kubectl auth can-i command ?
// kubectl auth can-i <verb> <resource> -n <namespace> --as system:service:<namespace>:<service-account-name> 
kubectl auth can-i get service --as system:serviceaccount:default:myscript

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question kubernetes api access forbidden 403 Forbidden in Yandex Weather API Android Google Drive API Exception: 403 Forbidden AWS Config API returning 403: Forbidden Error 403 forbidden error with spring boot API call? Xively REST API with cURL - 403 Forbidden Python - working with GitLab API 403 Forbidden Error Getting 403 (forbidden) error on VirusTotal API Why Pocket API returns 403 Forbidden always? Laravel Passport API Status Code:403 Forbidden
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM