Page MenuHomePhabricator

Tool account cannot list all namespaced objects in its Kubernetes namespace
Closed, ResolvedPublic

Description

$ kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found >/dev/null

Error from server (Forbidden): podtemplates is forbidden: User "k8s-status" cannot list resource "podtemplates" in API group "" in the namespace "tool-k8s-status"
Error from server (Forbidden): serviceaccounts is forbidden: User "k8s-status" cannot list resource "serviceaccounts" in API group "" in the namespace "tool-k8s-status"
Error from server (Forbidden): leases.coordination.k8s.io is forbidden: User "k8s-status" cannot list resource "leases" in API group "coordination.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): networkpolicies.crd.projectcalico.org is forbidden: User "k8s-status" cannot list resource "networkpolicies" in API group "crd.projectcalico.org" in the namespace "tool-k8s-status"
Error from server (Forbidden): networksets.crd.projectcalico.org is forbidden: User "k8s-status" cannot list resource "networksets" in API group "crd.projectcalico.org" in the namespace "tool-k8s-status"
Error from server (Forbidden): events.events.k8s.io is forbidden: User "k8s-status" cannot list resource "events" in API group "events.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): pods.metrics.k8s.io is forbidden: User "k8s-status" cannot list resource "pods" in API group "metrics.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "k8s-status" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "k8s-status" cannot list resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "tool-k8s-status"
Error from server (Forbidden): podpresets.settings.k8s.io is forbidden: User "k8s-status" cannot list resource "podpresets" in API group "settings.k8s.io" in the namespace "tool-k8s-status"

I am honestly not sure if all of these should be listable or not, but it seems useful to take a look and decide why a tool would be refused the ability to see these resource types if they do exist in the tool's namespace.

Event Timeline

bd808 created this task.Jan 15 2020, 4:11 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 15 2020, 4:11 AM

Some of this is a quirk of the query. It might be better to test using the auth can-i method.

toolsbeta.test@toolsbeta-sgebastion-04:~$ /usr/bin/kubectl auth can-i list events
yes
Bstorm added a comment.EditedJan 15 2020, 7:00 PM

In general most of those are not listable to remove unnecessary or disallowed APIs from shell users. networkpolicies is that other one, besides events, that you can list because you are able to interact with them (they are flagged only because of the way that command tried to interact with them or the particular version, etc.). Interestingly, you cannot list events on the old cluster.

Direct interaction with the metrics systems for tools users is discouraged unless they have explicit permissions (such as the k8s-status-obs serviceaccount) since it runs in a different privilege setup than tools do, for instance.

Nothing at the calico CRD level is really something users can touch, so, while it can be public info on dashboards and such, I'd rather keep it out of shells.

Leases are backend stuff. The Wizard of Oz notion.

Podtemplates are not included in much of any permissions (or documentation) for a good reason: https://stackoverflow.com/questions/54060270/how-to-use-podtemplate

I could be convinced on podpresets, but it is an alpha API. I'm not sure it's a good idea to expose it much.

@bd808 How are we feeling on this? With the exception of the podpresets, I think I'm feeling pretty strongly on keeping the others un-listable at the tool level to prevent opportunistic and hijacked accounts from listing things (that are mostly available information somewhere, but not in their live form). By live form, I mean they can be changed on the fly by Toolforge administrators should anything be happening that warrants it, and that would not be documented publicly to non-admins unless that was done intentionally.

bd808 closed this task as Resolved.Jan 22 2020, 11:12 PM
bd808 claimed this task.

Marking as resolved based on the analysis that @Bstorm has provided. The reasons for these types not being exposed seems solid to me.