search

tkestack / tke

Native Kubernetes container management platform supporting multi-tenant and multi-cluster
Other
1.47k stars 335 forks source link

rbac doesn't work on global cluster #1090

Closed huxiaoliang closed 3 years ago

huxiaoliang commented 3 years ago
  1. security hole: no bearer token specified in header still can query k8s resource as long as specified apiserver address
 curl -sk  -H "Content-Type:application/json"  "https://10.0.0.80:6443/api/v1/namespaces/tke/pods"    >> data returned ok
  1. even if specified service account token, but the rbac role applied to this token doesn't work for access control 
    curl -sk -H "Authorization: Bearer <sa_token>  -H "Content-Type:application/json"  "https://10.0.0.80:6443/api/v1/namespaces/tke/pods"          >> data returned ok
huxiaoliang commented 3 years ago

https://github.com/tkestack/tke/pull/1147 only address issue 1, but we still need work to do for issue 2