kubernetes / kubernetes

Production-Grade Container Scheduling and Management
https://kubernetes.io
Apache License 2.0

system:kubelet-api-admin does not have permissions to issue checkpoint. #126232

Open vinayakankugoyal opened 1 month ago

vinayakankugoyal commented 1 month ago

What happened?

kubelet recently started exposing a new checkpoint endpoint. A user must have RBAC nodes/checkpoint permission to call this endpoint. I believe we missed updating the system:kubelet-api-admin ClusterRole.

What did you expect to happen?

I expect system:kubelet-api-admin to have this permission. If this is intentional, please document why.

How can we reproduce it (as minimally and precisely as possible)?

system:kubelet-api-admin is configured here https://github.com/kubernetes/kubernetes/blob/b3e769b72ec1eb9d5f4928259633f75d8e373cb9/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L392

The subject access review request for checkpoint endpoint is constructed here:

https://github.com/kubernetes/kubernetes/blob/b3e769b72ec1eb9d5f4928259633f75d8e373cb9/pkg/kubelet/server/auth.go#L108

Anything else we need to know?

No response

Kubernetes version

```console
$ kubectl version
# paste output here
```

Cloud provider

OS version

```console
# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here
# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here
```

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)

vinayakankugoyal commented 1 month ago

/sig node
/sig auth

vinayakankugoyal commented 1 month ago

/cc @liggitt

vinayakankugoyal commented 1 month ago

This was added in https://github.com/kubernetes/kubernetes/pull/123215

/cc @adrianreber
/cc @mrunalp

adrianreber commented 1 month ago

Unfortunately I do not understand what needs to be done, sorry. If someone can point me to an example I can try to help out, but at this point I do not understand what is missing.

The code change was, if I remember it correctly, to ensure that we do not open up access to the kubelet checkpoint API endpoint for some proxy setup. I am happy to provide a fix but I do not know where and how.

vinayakankugoyal commented 1 month ago

When the feature-gate ContainerCheckpoint is enabled, the ClusterRole system:kubelet-api-admin should have verb: * on nodes/checkpoint.
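The gap described in this thread, as an added illustration that is not code from the kubernetes repository: a cut-down model of how the kubelet turns a request against its checkpoint endpoint into SubjectAccessReview attributes, and of how RBAC matches those attributes against the rules of system:kubelet-api-admin. The existing rule set and the path-to-subresource mapping are my recollection of policy.go and auth.go, not taken from this page, and the struct types are simplified stand-ins for the real API types.

```go
package main

import "strings"

// Cut-down models of the RBAC PolicyRule and of the attributes the kubelet puts
// into its SubjectAccessReview (stand-ins, not kubernetes/kubernetes code).
type PolicyRule struct{ Verbs, APIGroups, Resources []string }
type Attributes struct{ Verb, APIGroup, Resource, Subresource string }

// kubeletAttributes maps a kubelet API request to authorization attributes: the
// resource is always "nodes", the subresource comes from the path prefix and the
// verb from the HTTP method (mappings as I recall auth.go; an assumption).
func kubeletAttributes(method, path string) Attributes {
	verbs := map[string]string{"GET": "get", "POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}
	sub := "proxy" // anything not matched below falls into the proxy subresource
	for prefix, s := range map[string]string{"/stats/": "stats", "/metrics": "metrics", "/logs/": "log", "/checkpoint/": "checkpoint"} {
		if strings.HasPrefix(path, prefix) {
			sub = s
		}
	}
	return Attributes{Verb: verbs[method], APIGroup: "", Resource: "nodes", Subresource: sub}
}

// currentRules models system:kubelet-api-admin as I recall policy.go (assumption).
var currentRules = []PolicyRule{
	{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{""}, Resources: []string{"nodes"}},
	{Verbs: []string{"proxy"}, APIGroups: []string{""}, Resources: []string{"nodes"}},
	{Verbs: []string{"*"}, APIGroups: []string{""}, Resources: []string{"nodes/proxy", "nodes/metrics", "nodes/stats", "nodes/log"}},
}
// checkpointRule is the addition this issue asks for: verb * on nodes/checkpoint.
var checkpointRule = PolicyRule{Verbs: []string{"*"}, APIGroups: []string{""}, Resources: []string{"nodes/checkpoint"}}

// has reports whether list contains v or the "*" wildcard, as RBAC matching does.
func has(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// allowed evaluates the attributes the way the RBAC authorizer does: verb, API
// group and "resource/subresource" must all match within a single rule.
func allowed(rules []PolicyRule, a Attributes) bool {
	for _, r := range rules {
		if has(r.Verbs, a.Verb) && has(r.APIGroups, a.APIGroup) && has(r.Resources, a.Resource+"/"+a.Subresource) {
			return true
		}
	}
	return false
}
```

With currentRules a POST to /checkpoint/{namespace}/{pod}/{container} resolves to create on nodes/checkpoint and is denied, while the same request is granted once checkpointRule is appended; the other kubelet subresources are unaffected either way.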

kannon92 commented 3 weeks ago

/triage accepted

@vinayakankugoyal would you like to try to fix it?

vinayakankugoyal commented 3 weeks ago

Sure will do.

vinayakankugoyal commented 3 weeks ago

https://github.com/kubernetes/kubernetes/pull/126724