Closed perrefe closed 7 years ago
I'll respond to myself and to whomever needs ABAC mode + kube-lego + nginx-ingress-controller:
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube-admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-system:kube-dns", "namespace": "*", "resource": "endpoints"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-system:kube-dns", "namespace": "*", "resource": "services"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:nginx-ingress:ingress", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:nginx-ingress:ingress", "namespace": "nginx-ingress", "resource": "configmaps"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:nginx-ingress:ingress", "namespace": "*", "resource": "ingresses", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "ingresses", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "kube-lego", "resource": "secrets"}}
The thing here is that ingress resource should incorporate all apiGroup access. (I tried "resource": "ingress", "apiGroup": "extensions", and didn't work)
Here's a gist with my actual policy file: https://gist.github.com/perrefe/6d1bec63d0eab14218fbac50dafbd3fc
I'm trying to make kube-lego work with ABAC authorization mode and observing error logs I could notice the lack of the following policies
however, it's still failing trying to write on the ingress resource.
Any clues on what another policy should be applied?