Kubernetes using multiple api group in same rule. YAML - kubernetes

I have a kind: Role with the following rule:
rules:
- apiGroups: [""]
  resources: ["namespaces", "configmaps", "secrets", "pods", "replicationcontrollers", "services", "serviceaccounts"]
  verbs: ["get", "watch", "list"]
This works fine just by itself, nothing wrong at all.
Now I also have another rule:
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "replicasets"]
  verbs: ["get", "watch", "list"]
Perfectly fine also.
My issue is if I try to merge them together like:
rules:
- apiGroups: [""]
  resources: ["namespaces", "configmaps", "secrets", "pods", "replicationcontrollers", "services", "serviceaccounts"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "replicasets"]
  verbs: ["get", "watch", "list"]
I get an error saying Error: INSTALLATION FAILED: YAML parse error on myproject/templates/rbac.yaml: error converting YAML to JSON: yaml: line 27: did not find expected key.
Am I missing a syntax error, or how can you use multiple apiGroups under the same rules?
I know that I could do - apiGroups: ["", "apps"], but then OpenShift, with its infinite wisdom, thinks there are namespaces under apps etc. and gives a role error for the non-cluster-admin user trying to get access to namespaces.apps etc.

Well, if anyone is having similar issues: I had an extra space character after the verbs: ["get", "watch", "list"] -> <- there.

Related

setting up build pod: Timed out while waiting for ServiceAccount/<service_account_name> to be present in the cluster

I am using Helm charts to deploy GitLab Runner into a Kubernetes cluster. I want the pods created when the runner is triggered to have a custom service account instead of the default one. I did create a Role and a ClusterRole and did the role bindings.
However, I am getting the following error when running a CI job.
From Gitlab CI
Running with gitlab-runner 15.0.0 (cetx4b)
on initial-runner -P-d1RhT
Preparing the "kubernetes" executor
00:00
Using Kubernetes namespace: namespace_test
Using Kubernetes executor with image registry.gitlab.com/docker-images/ubuntu-base:latest ...
Using attach strategy to execute scripts...
Preparing environment
00:05
ERROR: Job failed (system failure): prepare environment: setting up build pod: Timed out while waiting for ServiceAccount/gitlab-runner to be present in the cluster. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
List roles and service accounts:
# get rolebindings & clusterrolebindings
kubectl get rolebindings,clusterrolebindings -n namespace_test | grep gitlab-runner
# output
# rolebinding.rbac.authorization.k8s.io/gitlab-runner          Role/gitlab-runner
# clusterrolebinding.rbac.authorization.k8s.io/gitlab-runner   ClusterRole/gitlab-runner
---
# get serviceaccounts
kubectl get serviceaccounts -n namespace_test
# output
# NAME                   SECRETS   AGE
# default                1         6h50m
# gitlab-runner          1         24m
# kubernetes-dashboard   1         6h50m
# mysql                  2         6h49m
Helm values:
runners:
  concurrent: 8
  name: initial-runner
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "namespace_test"
        image = "registry.gitlab.com/docker-images/ubuntu-base:latest"
        service_account = "gitlab-runner"
  tags: base
rbac:
  create: false
  serviceAccountName: gitlab-runner
Any ideas on how to solve this issue?
In my case, I forgot to give the "gitlab-runner" cluster role the right permissions on "serviceaccounts" resource.
Ensure the Role that is attached to your GitLab runner has the following specification:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "watch", "create", "delete"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
  resources: ["pods/attach"]
  verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["list", "get", "create", "delete", "update"]
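Two of the threads above come down to how an RBAC rule is matched: each of apiGroups, resources and verbs is an independent list, and a request is allowed when a single rule lists its group, its full resource string (subresources such as pods/log included) and its verb. The Python below, an added example that is not code from either post, models that matching without a cluster. It shows why folding both groups into one rule ("" and "apps" together) matches every group/resource combination, including namespaces in group apps, which is the matrix entry the OpenShift role error above complains about, and it shows the GitLab runner Role with and without the serviceaccounts rule against a constructed sample of requests (the exact set the runner issues is an assumption here).

```python
"""Expand Kubernetes RBAC rules into the (apiGroup, resource, verb) grants they
match, and evaluate requests against them.

Added example; rules are Python dicts mirroring the YAML keys. Matching follows
RBAC semantics: any one rule must list the group, the full resource string
(e.g. "pods/log") and the verb, with "*" acting as a wildcard.
"""
from itertools import product


def rule_allows(rule, group, resource, verb):
    """True if one rule matches the request. Fields are independent lists, so a
    rule with two groups and seven resources matches all fourteen pairs,
    whether or not such a resource exists in that group."""
    def hit(field, value):
        vals = rule.get(field, [])
        return "*" in vals or value in vals
    return hit("apiGroups", group) and hit("resources", resource) and hit("verbs", verb)


def is_allowed(rules, group, resource, verb):
    """A request is allowed when at least one rule matches it."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def effective_grants(rules):
    """Materialise the cross product each rule matches (wildcards kept as "*")."""
    grants = set()
    for r in rules:
        grants.update(product(r["apiGroups"], r["resources"], r["verbs"]))
    return grants


# Two rules, one per API group, as in the first question (resource list shortened).
SEPARATE_RULES = [
    {"apiGroups": [""], "resources": ["namespaces", "configmaps", "secrets", "pods"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "replicasets"],
     "verbs": ["get", "watch", "list"]},
]

# The same resources collapsed into a single rule naming both groups.
MERGED_RULE = [
    {"apiGroups": ["", "apps"],
     "resources": ["namespaces", "configmaps", "secrets", "pods", "deployments", "daemonsets", "replicasets"],
     "verbs": ["get", "watch", "list"]},
]


def merged_only_grants():
    """Grants only the merged form matches: combinations such as namespaces in
    group apps, which the two separate rules never list."""
    return effective_grants(MERGED_RULE) - effective_grants(SEPARATE_RULES)


# Role from the GitLab runner answer, first without the serviceaccounts rule.
RUNNER_RULES_MISSING_SA = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list", "get", "create", "delete", "update"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["list", "get", "create", "delete", "update"]},
    {"apiGroups": [""], "resources": ["pods/attach"], "verbs": ["list", "get", "create", "delete", "update"]},
]
RUNNER_RULES_FIXED = RUNNER_RULES_MISSING_SA + [
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["list", "get", "create", "delete", "update"]},
]

# Constructed sample of requests a runner makes while preparing a build pod
# (assumed for illustration; the real set depends on the runner version).
RUNNER_REQUIRED = [("", "serviceaccounts", "get"), ("", "pods", "create"), ("", "pods/attach", "create")]


def missing_grants(rules, required):
    """Return the (group, resource, verb) triples in `required` no rule matches."""
    return [req for req in required if not is_allowed(rules, *req)]


if __name__ == "__main__":
    for g in sorted(merged_only_grants()):
        print("merged form also matches:", g)
    print("missing without SA rule:", missing_grants(RUNNER_RULES_MISSING_SA, RUNNER_REQUIRED))
    print("missing with SA rule:   ", missing_grants(RUNNER_RULES_FIXED, RUNNER_REQUIRED))
```

Keeping one rule per API group, as the two-rule form does, is also the least-privilege shape: the effective grant set is exactly the pairs you wrote, and a reviewer reading the Role sees the same set the API server enforces.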

Want to restrict namespace users accessing TLS secrets in RBAC Enabled AKS Cluster

I want to restrict users under an RBAC AKS/Kubernetes cluster namespace to fetch only secrets but not TLS secrets. I have my ClusterRole with the following API permissions, but it does not work; I am unable to restrict users to fetching only secrets and not TLS secrets.
Code:
---
# ClusterRole-NamespaceAdmin-RoleGranter
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: clusterrole-ns-admin
rules:
# "Pods" rules
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
# "Nodes" rules - Node rules are effective only on cluster-role-binding
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
# "Secrets" rules
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
# "TLS Secrets" rules
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes.io/tls"]
  verbs: ["get", "watch", "list"]
Thanks in advance!
Short answer: it's not possible. There is only the kind Secret in Kubernetes, and you can apply RBAC on a kind. There is no separate kind for TLS secrets.

What apiGroups and resources exist for RBAC rules in kubernetes?

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: xi-{{instanceId}}
  name: deployment-creation
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
In the above example, I permit various operations on pods and jobs.
For pods, the apiGroup is blank. For jobs, the apiGroup may be batch or extensions.
Where can I find all the possible resources, and which apiGroup I should use with each resource?
kubectl api-resources will list all the supported resource types and their API groups. Here is the table of resource types.
Just to add to #suresh's answer, here is a list of apiGroups.
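The cluster itself is the authoritative source for which group each resource lives in, so the Role can be derived from that listing instead of guessed. The Python below is an added example, not code from either answer: it parses the fixed-width table `kubectl api-resources -o wide` prints (the sample is constructed in that layout; the APIVERSION column carries the group, and a bare version such as v1 means the core group, written "" in RBAC) and emits one rule per API group for a requested resource list. The column layout and the resource set in the sample are assumptions; real output varies by cluster and kubectl version.

```python
"""Build RBAC rules from `kubectl api-resources` output, grouping resources by
API group so no rule claims a resource in a group where it does not exist.

Added example. SAMPLE_API_RESOURCES is constructed text in the column layout
of `kubectl api-resources -o wide`; a real run feeds the command's stdout in.
"""
import re

SAMPLE_API_RESOURCES = """\
NAME             SHORTNAMES   APIVERSION          NAMESPACED   KIND           VERBS
configmaps       cm           v1                  true         ConfigMap      create,delete,deletecollection,get,list,patch,update,watch
namespaces       ns           v1                  false        Namespace      create,delete,deletecollection,get,list,patch,update,watch
pods             po           v1                  true         Pod            create,delete,deletecollection,get,list,patch,update,watch
secrets                       v1                  true         Secret         create,delete,deletecollection,get,list,patch,update,watch
daemonsets       ds           apps/v1             true         DaemonSet      create,delete,deletecollection,get,list,patch,update,watch
deployments      deploy       apps/v1             true         Deployment     create,delete,deletecollection,get,list,patch,update,watch
jobs                          batch/v1            true         Job            create,delete,deletecollection,get,list,patch,update,watch
storageclasses   sc           storage.k8s.io/v1   false        StorageClass   create,delete,deletecollection,get,list,patch,update,watch
"""


def api_group(api_version):
    """'apps/v1' -> 'apps'; a bare version such as 'v1' is the core group, written ''."""
    return api_version.split("/", 1)[0] if "/" in api_version else ""


def parse_api_resources(text):
    """Return {resource: (apiGroup, namespaced)} from the fixed-width table.

    Rows are sliced at the header's column start offsets, so an empty
    SHORTNAMES cell does not shift the fields the way a plain split() would."""
    lines = text.splitlines()
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    names = header.split()
    table = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        cells = {}
        for i, name in enumerate(names):
            end = starts[i + 1] if i + 1 < len(starts) else None
            cells[name] = line[starts[i]:end].strip()
        table[cells["NAME"]] = (api_group(cells["APIVERSION"]), cells["NAMESPACED"] == "true")
    return table


def build_rules(table, resources, verbs):
    """One rule per API group for the requested resources.

    Unknown resource names raise instead of producing a rule that silently
    grants nothing (or, with a guessed group, something unintended)."""
    by_group = {}
    for res in resources:
        if res not in table:
            raise KeyError(f"{res!r} is not in this cluster's api-resources output")
        by_group.setdefault(table[res][0], []).append(res)
    return [{"apiGroups": [group], "resources": sorted(names), "verbs": list(verbs)}
            for group, names in sorted(by_group.items())]


if __name__ == "__main__":
    resources = parse_api_resources(SAMPLE_API_RESOURCES)
    for rule in build_rules(resources, ["namespaces", "configmaps", "deployments", "daemonsets"],
                            ["get", "watch", "list"]):
        print(rule)
```

Feeding a real listing is a matter of replacing the sample with the captured stdout of `kubectl api-resources -o wide`; older kubectl versions print an APIGROUP column instead of APIVERSION, so check the header before relying on the column name.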

latest Kubernetes version throws RBAC error

I have a scaler service that was working fine, until my recent kubernetes version upgrade. Now I keep getting the following error. (some info redacted)
Error from server (Forbidden): deployments.extensions "redacted" is forbidden: User "system:serviceaccount:namesspace:saname" cannot get resource "deployments/scale" in API group "extensions" in the namespace "namespace"
I have the below ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: redacted
    chart: redacted
    heritage: Tiller
    release: redacted
  name: redacted
rules:
- apiGroups:
  - '*'
  resources: ["configmaps", "endpoints", "services", "pods", "secrets", "namespaces", "serviceaccounts", "ingresses", "daemonsets", "statefulsets", "persistentvolumeclaims", "replicationcontrollers", "deployments", "replicasets"]
  verbs: ["get", "list", "watch", "edit", "delete", "update", "scale", "patch", "create"]
- apiGroups:
  - '*'
  resources: ["nodes"]
  verbs: ["list", "get", "watch"]
scale is a subresource, not a verb. Include "deployments/scale" in the resources list.
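The Forbidden message the API server returns already names the exact group, resource (with subresource) and verb that was denied, so it can be turned mechanically into the smallest rule that would satisfy it and checked against the rule you think covers it. The Python below is an added example, not code from the question or the answer; it parses the message quoted in the question (plus a constructed cluster-scoped variant) and shows that the ClusterRole above fails because "deployments/scale" is absent from resources, not because "scale" is missing from verbs.

```python
"""Parse a kube-apiserver "Forbidden" message into the denied request and derive
the minimal RBAC rule for it.

Added example. SAMPLE_MESSAGE is the message quoted in the question;
SAMPLE_CLUSTER_MESSAGE is a constructed cluster-scoped variant in the same format.
"""
import re

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)


def parse_forbidden(message):
    """Return the denied request as a dict, or None for text that is not a Forbidden message.

    'resource' keeps the subresource suffix ('deployments/scale'); RBAC matches on
    that full string, so a rule listing only 'deployments' does not cover it."""
    m = FORBIDDEN_RE.search(message)
    if not m:
        return None
    denied = m.groupdict()
    base, _, sub = denied["resource"].partition("/")
    denied["base_resource"] = base
    denied["subresource"] = sub or None
    return denied


def minimal_rule(denied):
    """The single rule that allows exactly the denied request. 'scale' is a
    subresource, so it belongs in resources as 'deployments/scale', never in verbs."""
    return {"apiGroups": [denied["group"]], "resources": [denied["resource"]], "verbs": [denied["verb"]]}


def rule_covers(rule, denied):
    """Would this rule (dict mirroring the YAML keys) have allowed the denied request?"""
    def hit(field, value):
        vals = rule.get(field, [])
        return "*" in vals or value in vals
    return hit("apiGroups", denied["group"]) and hit("resources", denied["resource"]) and hit("verbs", denied["verb"])


SAMPLE_MESSAGE = ('Error from server (Forbidden): deployments.extensions "redacted" is forbidden: '
                  'User "system:serviceaccount:namesspace:saname" cannot get resource "deployments/scale" '
                  'in API group "extensions" in the namespace "namespace"')

# Constructed variant for a cluster-scoped resource (core group prints as "").
SAMPLE_CLUSTER_MESSAGE = ('Error from server (Forbidden): nodes is forbidden: User "alice" cannot list '
                          'resource "nodes" in API group "" at the cluster scope')

# The first rule of the question's ClusterRole: wildcard group, "scale" listed as a verb.
QUESTION_RULE = {
    "apiGroups": ["*"],
    "resources": ["configmaps", "deployments", "replicasets"],
    "verbs": ["get", "list", "watch", "edit", "delete", "update", "scale", "patch", "create"],
}


def fixed_rule(rule, denied):
    """Return a copy of `rule` extended with the denied resource string (the answer's fix)."""
    return dict(rule, resources=rule["resources"] + [denied["resource"]])


if __name__ == "__main__":
    denied = parse_forbidden(SAMPLE_MESSAGE)
    print("denied:", denied)
    print("minimal rule:", minimal_rule(denied))
    print("question's rule covers it:", rule_covers(QUESTION_RULE, denied))
    print("fixed rule covers it:", rule_covers(fixed_rule(QUESTION_RULE, denied), denied))
```

Running the same parser over an audit log or controller log is a quick way to list every denied (group, resource, verb) a workload actually asked for, which is the input a least-privilege Role should be written from.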

How can I control access to storageclasses in Kubernetes?

Is it possible to restrict the ability of particular users to dynamically provision disks from storageclasses? Or, for example, only allowing particular namespaces to be able to use a storageclass?
Fair warning: I haven't tested this!
StorageClass is just an API endpoint, and RBAC works by restricting access to those endpoints, so in theory this should work just fine:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sc-access   # underscores are not valid in resource names
rules:
# storageclasses live in storage.k8s.io; the core group is written "" and has none
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]   # RBAC resource names are the plural form
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
If that doesn't work, you might be able to restrict access directly via the NonResourceUrls option:
rules:
- nonResourceURLs: ["/storage.k8s.io/v1/storageclasses"]
  verbs: ["get", "post"]
Storage resource quota can be used to restrict usage of storage classes.
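RBAC on the StorageClass object governs who may read or change the class definitions, but a PVC that references a class is a request against persistentvolumeclaims in the namespace, so per-class ResourceQuota is the mechanism that decides which namespaces may consume which class. The manifest below is an added example, not from the answer; the namespace and class names are placeholders, and the quota keys are the `<storage-class-name>.storageclass.storage.k8s.io/...` resources Kubernetes defines for this purpose.

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: storageclass-policy
  namespace: team-a                 # placeholder namespace
spec:
  hard:
    # Deny PVCs that request the "premium-ssd" class (placeholder name):
    # a count of 0 rejects the PVC at admission.
    premium-ssd.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
    premium-ssd.storageclass.storage.k8s.io/requests.storage: "0"
    # Allow the "standard" class (placeholder name) up to bounded totals.
    standard.storageclass.storage.k8s.io/persistentvolumeclaims: "10"
    standard.storageclass.storage.k8s.io/requests.storage: 200Gi
```

Two points to check when applying this: a quota only constrains classes it names, so a class that is not listed remains usable in that namespace unless you also cap the plain persistentvolumeclaims or requests.storage totals, and a PVC that omits storageClassName is assigned the cluster's default class, which therefore needs its own entry.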