jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

ABAC Policies required #213

Closed perrefe closed 7 years ago

perrefe commented 7 years ago

I'm trying to make kube-lego work with ABAC authorization mode, and observing the error logs I could notice the lack of the following policies:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "ingresses"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "nonResourcePath": "/apis/extensions/*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "kube-lego", "resource": "secrets"}}

However, it's still failing when trying to write to the ingress resource.

time="2017-06-19T23:37:19Z" level=error msg="Forbidden: \"/apis/extensions/v1beta1/namespaces/kube-lego/ingresses\" (post ingresses.extensions)" context=provider provider=nginx

Any clues on what another policy should be applied?

perrefe commented 7 years ago

I'll respond to myself and to whoever needs ABAC mode + kube-lego + nginx-ingress-controller:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube-admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-system:kube-dns", "namespace": "*", "resource": "endpoints"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-system:kube-dns", "namespace": "*", "resource": "services"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:nginx-ingress:ingress", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:nginx-ingress:ingress", "namespace": "nginx-ingress", "resource": "configmaps"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:nginx-ingress:ingress", "namespace": "*", "resource": "ingresses", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "ingresses", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "kube-lego", "resource": "secrets"}}

The thing here is that the ingress resource should incorporate all apiGroup access. (I tried "resource": "ingress", "apiGroup": "extensions", and it didn't work.)

Here's a gist with my actual policy file: https://gist.github.com/perrefe/6d1bec63d0eab14218fbac50dafbd3fc
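Editor's note on the two policy sets above. To make the difference between the first (refused) and second (accepted) set reproducible, here is an added example that is not part of the issue and not kube-lego's or Kubernetes' own code: a reduced Go reimplementation of the v1beta1 ABAC matching rules as I understand them from the upstream authorizer. The rules it encodes: a policy must name the caller's user (or "*"); a readonly policy only covers get/list/watch; a resource rule matches when namespace, resource and apiGroup each equal the request's value or are "*", with an unset field being "" rather than a wildcard; a nonResourcePath rule matches only path requests. Group-based rules are left out since this thread only uses "user". Under those rules the first attempt fails because "resource": "ingresses" with no apiGroup only covers the core API group while ingresses live in extensions, "apiGroup": "*" with no resource covers no resource at all, and "/apis/extensions/*" is a non-resource path that never applies to an ingress write. The poster's "resource": "ingress" attempt fails for a different reason: the resource name is the plural "ingresses". The example also shows the cost of the accepted set: its read-only wildcard rule lets the kube-lego service account read Secrets in every namespace. The third set (`narrow`) is my assumption, not from the issue, and only demonstrates the tighter shape; the policy lines are embedded with apiVersion/kind dropped, since only "spec" is read.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy is the "spec" of one abac.authorization.kubernetes.io/v1beta1 Policy line. Unset fields are zero
// values, and "" is NOT a wildcard. Group-based rules are left out here since the issue only uses "user".
type Policy struct {
	User, Namespace, Resource, APIGroup, NonResourcePath string
	Readonly                                             bool
}

// Request is what ABAC inspects. Path is set only for non-resource requests such as /healthz or /apis.
type Request struct{ User, Verb, Namespace, APIGroup, Resource, Path string }

// ParsePolicies reads the policy-file format: one JSON Policy per line, blank lines skipped.
func ParsePolicies(file string) ([]Policy, error) {
	var out []Policy
	for n, line := range strings.Split(file, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var p struct{ Spec Policy } // encoding/json matches keys like "apiGroup" case-insensitively
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("policy line %d: %w", n+1, err)
		}
		out = append(out, p.Spec)
	}
	return out, nil
}

// A resource rule matches when namespace, resource and apiGroup each equal the request's or are "*". So
// "resource": "ingresses" with no apiGroup covers only the core group, never ingresses.extensions, and a
// rule with no resource at all covers no resource request.
func resourceMatches(p Policy, r Request) bool {
	return r.Path == "" &&
		(p.Namespace == "*" || p.Namespace == r.Namespace) &&
		(p.Resource == "*" || p.Resource == r.Resource) &&
		(p.APIGroup == "*" || p.APIGroup == r.APIGroup)
}

// A non-resource rule matches only path requests, so "/apis/extensions/*" cannot grant ingress writes.
func nonResourceMatches(p Policy, r Request) bool {
	np := p.NonResourcePath
	return r.Path != "" && (np == "*" || np == r.Path ||
		(np != "" && strings.HasSuffix(np, "*") && strings.HasPrefix(r.Path, strings.TrimRight(np, "*"))))
}

// Authorize reports whether any policy allows r and the 1-based line of the first one that does (0 if none).
// Readonly rules cover only get/list/watch; a rule whose user is neither "*" nor the caller is skipped.
func Authorize(policies []Policy, r Request) (bool, int) {
	readOnly := r.Verb == "get" || r.Verb == "list" || r.Verb == "watch"
	for i, p := range policies {
		if p.User == "" || (p.User != "*" && p.User != r.User) || (p.Readonly && !readOnly) {
			continue
		}
		if resourceMatches(p, r) || nonResourceMatches(p, r) {
			return true, i + 1
		}
	}
	return false, 0
}

const sa = "system:serviceaccount:kube-lego:kube-lego"
// The kube-lego lines from the issue, with apiVersion/kind dropped since only "spec" is read.
const firstAttempt = `{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true}}
{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "ingresses"}}
{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "apiGroup": "*"}}
{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "nonResourcePath": "/apis/extensions/*"}}
{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "kube-lego", "resource": "secrets"}}`
const working = `{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "ingresses", "apiGroup": "*"}}
{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*", "readonly": true}}
{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "kube-lego", "resource": "secrets"}}`
// Narrower set (my assumption, not from the issue): plural resource name, explicit group, no cluster-wide
// read rule. Anything else kube-lego needs to read would surface as further Forbidden log lines.
const narrow = `{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "*", "resource": "ingresses", "apiGroup": "extensions"}}
{"spec": {"user":"system:serviceaccount:kube-lego:kube-lego", "namespace": "kube-lego", "resource": "secrets"}}`

var (
	// The request behind the logged Forbidden (post ingresses.extensions in kube-lego): HTTP POST is "create".
	createIngress = Request{User: sa, Verb: "create", Namespace: "kube-lego", APIGroup: "extensions", Resource: "ingresses"}
	// The same service account reading a Secret in another namespace (core group, so APIGroup stays "").
	readOtherSecret = Request{User: sa, Verb: "get", Namespace: "kube-system", Resource: "secrets"}
)

func main() {
	for _, c := range []struct{ name, file string }{{"first attempt", firstAttempt}, {"working", working}, {"narrow", narrow}} {
		ps, err := ParsePolicies(c.file)
		if err != nil {
			panic(err)
		}
		ok1, l1 := Authorize(ps, createIngress)
		ok2, l2 := Authorize(ps, readOtherSecret)
		fmt.Printf("%-14s create ingress in kube-lego: %-5v (line %d)  get secret in kube-system: %-5v (line %d)\n", c.name, ok1, l1, ok2, l2)
	}
}
```

Run it with `go run` and compare the three rows: the first attempt denies the ingress create but already grants cross-namespace Secret reads through its readonly wildcard rule, the accepted set grants both, and the narrow set grants the write while refusing the foreign Secret read. To check a real cluster's file instead of the embedded strings, feed its contents to ParsePolicies and build the Request from the verb, group, resource and namespace in the apiserver's Forbidden log line; with `--authorization-mode=ABAC` the apiserver reads the file given by `--authorization-policy-file` and picks up edits only after a restart.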