This repository has been archived by the owner on Aug 29, 2022. It is now read-only.

-query-k8s, -include-unqualified option(s) require RBAC permissions #33

Open
fred-vogt opened this issue Aug 15, 2020 · 2 comments

Comments

@fred-vogt

Specifically, `get` and `list` are needed for pods and services in the default API group when using these options:

```yaml
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list"]
```

Consider adding this to the README.

kube apiserver logs:

Could not query pod "<pod>" in namespace "<namespace>": 
  pods "<pod>" is forbidden: 
  User "system:serviceaccount:kube-system:<name>" 
  cannot get resource "pods" in API group "" in the namespace "<namespace>"
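As an added example (not part of this issue or of the project's own manifests), here is a complete least-privilege RBAC manifest that grants exactly the rule above and nothing else, bound to the webhook's service account. The service account name `webhook-sa` and the ClusterRole name `webhook-pod-service-reader` are placeholders; the namespace `kube-system` matches the `system:serviceaccount:kube-system:<name>` subject in the forbidden message. A ClusterRole/ClusterRoleBinding pair is shown because the lookups may span namespaces; if every lookup stays inside one namespace, swap `ClusterRole`/`ClusterRoleBinding` for `Role`/`RoleBinding` with `metadata.namespace` set, which is the tighter grant.

```yaml
# Added example, not from the issue or the project.
# Placeholders: service account "webhook-sa" in namespace "kube-system".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webhook-pod-service-reader
rules:
  # Exactly the verbs and resources named in the forbidden message:
  # read-only on pods and services in the core ("") group. No "watch",
  # no secrets/configmaps, no write verbs.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webhook-pod-service-reader
subjects:
  - kind: ServiceAccount
    name: webhook-sa          # placeholder: the webhook's service account
    namespace: kube-system    # namespace from system:serviceaccount:kube-system:<name>
roleRef:
  kind: ClusterRole
  name: webhook-pod-service-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying it, confirm the grant (and that nothing broader was granted by accident) with impersonation, for example `kubectl auth can-i get pods --as=system:serviceaccount:kube-system:webhook-sa -n <namespace>` should answer `yes`, while `kubectl auth can-i get secrets --as=system:serviceaccount:kube-system:webhook-sa -n <namespace>` should still answer `no`.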
@johngmyers
Member

The services-lister ClusterRole in kapprover is what we grant to allow use of these options. This does deserve to be documented.

@fred-vogt
Author

fred-vogt commented Aug 15, 2020

Makes sense, given the library comes from that project. I can send over a PR that mentions creating an extra role binding.

But - given MutatingWebhook - admissionregistration/v1beta1 supports using a full URL in the clientConfig field, I think using -query-k8s + -include-unqualified isn't needed for most admission controller use cases after all.

KOPS specific

KOPS does have a configurable service default DNS suffix setting, so it's safe to make assumptions about its value because it is user configurable from a manifest file / edit.

I'll test today with MutatingWebhook::webhook[*].url field and an FQDN.

Perhaps + url and -query-k8s is the best combo. (no -include-unqualified).
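As an added example (not from the issue author or the project), this is what the `clientConfig.url` variant of a MutatingWebhookConfiguration looks like in the `admissionregistration.k8s.io/v1beta1` API mentioned above, with a FQDN instead of a `service` reference. The webhook name, the hostname `webhook.example.com`, the rule set and the caBundle value are placeholders. The URL must use `https`, and `caBundle` must be the PEM CA that signed the webhook's serving certificate, base64-encoded; the API server validates the server certificate against it, so an FQDN that does not appear in that certificate's SANs will fail the TLS handshake rather than silently skip admission.

```yaml
# Added example, not from the issue or the project.
# Placeholders: webhook name, hostname, rules, and the caBundle contents.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: example-mutating-webhook
webhooks:
  - name: mutate.webhook.example.com
    clientConfig:
      # Full URL instead of a service reference: no in-cluster DNS suffix
      # assumption is needed, so -include-unqualified becomes unnecessary.
      url: https://webhook.example.com:8443/mutate
      # PEM CA bundle, base64-encoded; must chain to the server certificate
      # presented for webhook.example.com. Placeholder value shown.
      caBundle: LS0tLS1CRUdJTi...PLACEHOLDER...
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
    # Fail closed: if the webhook is unreachable, reject the admission
    # request rather than letting it through unmutated.
    failurePolicy: Fail
    sideEffects: None
    timeoutSeconds: 10
```

`failurePolicy: Fail` is the safer default for a webhook that enforces policy; use `Ignore` only if the cluster must keep admitting pods while the webhook is down, and understand that this turns the webhook's availability into a bypass condition.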
