
Tool account cannot list all namespaced objects in its Kubernetes namespace
Open, Needs Triage, Public

Description

$ kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found >/dev/null

Error from server (Forbidden): podtemplates is forbidden: User "k8s-status" cannot list resource "podtemplates" in API group "" in the namespace "tool-k8s-status"
Error from server (Forbidden): serviceaccounts is forbidden: User "k8s-status" cannot list resource "serviceaccounts" in API group "" in the namespace "tool-k8s-status"
Error from server (Forbidden): leases.coordination.k8s.io is forbidden: User "k8s-status" cannot list resource "leases" in API group "coordination.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): networkpolicies.crd.projectcalico.org is forbidden: User "k8s-status" cannot list resource "networkpolicies" in API group "crd.projectcalico.org" in the namespace "tool-k8s-status"
Error from server (Forbidden): networksets.crd.projectcalico.org is forbidden: User "k8s-status" cannot list resource "networksets" in API group "crd.projectcalico.org" in the namespace "tool-k8s-status"
Error from server (Forbidden): events.events.k8s.io is forbidden: User "k8s-status" cannot list resource "events" in API group "events.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): pods.metrics.k8s.io is forbidden: User "k8s-status" cannot list resource "pods" in API group "metrics.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "k8s-status" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "k8s-status" cannot list resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): podpresets.settings.k8s.io is forbidden: User "k8s-status" cannot list resource "podpresets" in API group "settings.k8s.io" in the namespace "tool-k8s-status"

I am honestly not sure if all of these should be listable or not, but it seems useful to take a look and decide why a tool would be refused the ability to see these resource types if they do exist in the tool's namespace.

Event Timeline

bd808 created this task. Wed, Jan 15, 4:11 AM
Restricted Application added a subscriber: Aklapper. Wed, Jan 15, 4:11 AM

Some of this is a quirk of the query. It might be better to test using the auth can-i method.

toolsbeta.test@toolsbeta-sgebastion-04:~$ /usr/bin/kubectl auth can-i list events
yes
Bstorm added a comment. Edited · Wed, Jan 15, 7:00 PM

In general most of those are not listable to remove unnecessary or disallowed APIs from shell users. networkpolicies is that other one, besides events, that you can list because you are able to interact with them (they are flagged only because of the way that command tried to interact with them or the particular version, etc.). Interestingly, you cannot list events on the old cluster.

Direct interaction with the metrics systems for tools users is discouraged unless they have explicit permissions (such as the k8s-status-obs serviceaccount) since it runs in a different privilege setup than tools do, for instance.

Nothing at the calico CRD level is really something users can touch, so, while it can be public info on dashboards and such, I'd rather keep it out of shells.

Leases are backend stuff. The Wizard of Oz notion.

Podtemplates are not included in much of any permissions (or documentation) for a good reason: https://stackoverflow.com/questions/54060270/how-to-use-podtemplate

I could be convinced on podpresets, but it is an alpha API. I'm not sure it's a good idea to expose it much.
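As an added example (not code from the task or its commenters), this shell script applies the auth can-i check suggested in the thread to every namespaced resource that supports list, so a tool account's effective RBAC can be audited per resource instead of inferred from the errors of a bulk kubectl get; the function names and the KUBECTL override are assumptions of this example.

```shell
#!/usr/bin/env bash
# Audit which namespaced, listable resources the current identity may "list",
# asking the API server via SubjectAccessReview ("kubectl auth can-i") instead
# of issuing one bulk "kubectl get", whose failures depend on how the resource
# names are joined and on the client/server version.
# KUBECTL is overridable, e.g. KUBECTL=/usr/bin/kubectl as on the bastion.
KUBECTL="${KUBECTL:-kubectl}"

# Print one "yes <resource>" or "no <resource>" line per resource.
# Args: namespace, then resource names as "resource.group"
# (a bare "resource" means the core API group).
audit_list_access() {
    local ns="$1"; shift
    local res verdict
    for res in "$@"; do
        # "auth can-i" prints yes/no and exits non-zero on "no"; never abort on it.
        verdict="$("$KUBECTL" auth can-i list "$res" -n "$ns" 2>/dev/null)" || true
        case "$verdict" in
            yes) printf 'yes %s\n' "$res" ;;
            *)   printf 'no %s\n' "$res" ;;
        esac
    done
}

# Number of resources on which "list" is denied; handy as a drift check
# when a role is expected to expose exactly N resource types.
count_denied() {
    audit_list_access "$@" | grep -c '^no '
}

# Live run: every namespaced resource that supports the "list" verb.
audit_namespace() {
    local ns="$1"
    # shellcheck disable=SC2046  (word splitting of the resource list is intended)
    audit_list_access "$ns" $("$KUBECTL" api-resources --verbs=list --namespaced=true -o name)
}

# Usage against a tool namespace:  audit_namespace tool-k8s-status
```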