Closed lake-of-dreams closed 3 years ago
KIND doesn't implement RBAC etc. What you are seeing is a vanilla unpatched kubernetes 1.18.8 API server from upstream which is where all of this is implemented.
Also worth noting: the supported image we supply for 1.18.x with kind v0.10.0 is 1.18.15, see the release notes.
This works consistently on other hosted Kubernetes clusters and issue is only on kind
It would be helpful to be more specific about this.
kubectl auth can-i impersonate serviceaccounts --token=<token-created-in-secret-for-myserviceaccount> --v=10
That command is running as the cluster-admin certificate in your kubeconfig which has precedence over the SA token.
xref: https://github.com/kubernetes/kubernetes/issues/99603
cc @ankeesler
kubectl auth can-i impersonate serviceaccounts --token=<token-created-in-secret-for-myserviceaccount> --v=10
That command is running as the cluster-admin certificate in your kubeconfig which has precedence over the SA token.
Can you please suggest an alternative way so that the token will take precedence? @enj
@lake-of-dreams create a new context in your kubeconfig that uses the SA token:
kubectl config get-clusters # figure out what value to set for KIND_CLUSTER_NAME
kubectl config set-credentials sa_token --token=SA_TOKEN_HERE
kubectl config set-context sa_token_ctx --cluster=KIND_CLUSTER_NAME --user=sa_token
kubectl config use-context sa_token_ctx
kubectl auth can-i impersonate serviceaccounts # no need to specify --token now
@enj I followed the steps you suggested please but I get following error on last line
bash-3.2$ kubectl auth can-i impersonate serviceaccounts
error: You must be logged in to the server (Unauthorized)
That error message means that you failed to authenticate. Perhaps the token has expired.
Thanks a lot @enj , it worked. Thanks much for all the help.
Thanks @enj!
What happened:
allowed
isfalse
which is expected result.kubectl
the result is"allowed":true
and on a subsequent curl command with same headers and body , its"allowed" : false
What you expected to happen: Since the same api is being called from both
kubectl
andcurl
and with same headers/body , it should return same result.How to reproduce it (as minimally and precisely as possible): Create the serviceaccount, cluster role and cluster role binding and try to execute
kubectl
followed bycurl
as mentioned aboveAnything else we need to know?: This works consistently on other hosted Kubernetes clusters and issue is only on kind
Environment:
kind version
):kind v0.10.0 go1.15.7 darwin/amd64
but the cluster was created usingv1.18.8
kubectl version
):docker info
):Server: Containers: 11 Running: 3 Paused: 0 Stopped: 8 Images: 22 Server Version: 20.10.5 Storage Driver: overlay2 Backing Filesystem: extfs Supports d_type: true Native Overlay Diff: true Logging Driver: json-file Cgroup Driver: cgroupfs Cgroup Version: 1 Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc Default Runtime: runc Init Binary: docker-init containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec init version: de40ad0 Security Options: seccomp Profile: default Kernel Version: 5.10.25-linuxkit Operating System: Docker Desktop OSType: linux Architecture: x86_64 CPUs: 4 Total Memory: 1.941GiB Name: docker-desktop ID: 33ZG:JI56:DXHW:46UM:VKBQ:HQLJ:B5FL:WFAV:O2NU:RDZI:4GGW:A4HK Docker Root Dir: /var/lib/docker Debug Mode: false HTTP Proxy: http.docker.internal:3128 HTTPS Proxy: http.docker.internal:3128 Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false