Closed embik closed 2 months ago
I think the difference is that front-proxy strips some (crucial) information from the request. This is kubectl auth whoami
via front-proxy:
$ kubectl auth whoami --token='$(kubectl create token example-controller)'
ATTRIBUTE VALUE
Username system:serviceaccount:default:example-controller
Groups [system:authenticated system:serviceaccounts system:serviceaccounts:default]
This is it via kcp directly:
$ kubectl auth whoami --token="$(kubectl create token example-controller)"
ATTRIBUTE VALUE
Username system:serviceaccount:default:example-controller
UID efa18c76-0d94-4308-9c4b-2cff46251e69
Groups [system:serviceaccounts system:serviceaccounts:default system:authenticated]
Extra: authentication.kubernetes.io/cluster-name [2ex1t1t6emfti3sc]
Extra: authentication.kubernetes.io/credential-id [JTI=79cbeb53-d476-43df-99a8-70e66e038810]
Describe the bug
When using ServiceAccounts to talk to kcp, we discovered that they behave differently depending on whether you are talking to a kcp server directly or to kcp-front-proxy. When talking to kcp itself, a ServiceAccount only needs permissions to access respective resources within their home workspace to function. kcp-front-proxy however adds the requirement to have the
access
verb on/
in the "home" workspace that the ServiceAccount exists in. This does not exist when talking to kcp directly.As per this Slack thread, ServiceAccounts should have implicit access to the workspace they have been created in.
Steps To Reproduce
kubectl ws create wildwest --enter
./
nonResourceURL):Expected Behaviour
ServiceAccounts should not need the
/
nonResourceURL access permission when accessing a workspace through the front-proxy.Additional Context
No response