Env: AKS,
k8s version: 1.21.2
Enabled AKS managed AAD in cluster, and I have admin permission
When I run
kubectl auth can-i get pods -n dev
it returns yes, which means I have permission
But when I try to impersonate myself or a teammate
kubectl auth can-i get pods -n dev --as myname#mydomain.com
It returns
no - Azure does not have opinion for this non AAD user.
If you are an AAD user, please set Extra:oid parameter for impersonated user in the kubeconfig
I can't see a reason why user impersonation not work
Related
I still wondering how supposed to do to change the service account user. Let say I have 2 service account (A and B), which each user has different role in different project. After done being use user B, when I want to change to service account A and access the resource, gcloud command says
Error from server (Forbidden): pods is forbidden: User "user-B#project.iam.gserviceaccount.com" cannot list resource "pods" in API group "" in the namespace "default": requires one of ["container.pods.list"] permission(s).
I'm done change my service account user with gcloud config set account [service-account], but the gcloud still read another service account. Did I missed something?
Here's a contrived example of what I think you're doing:
# gcloud is using my regular User credentials
gcloud config get account
me#gmail.com
# Access GKE as me#gmail.com
kubectl get pods --namespace=default
pod/foo-c7b7995df-vxrmh
# Authenticate as a GCP Service Account with **no** permissions
EMAIL="{ACCOUNT}#{PROJECT}.iam.gserviceaccount.com"
gcloud auth activate-service-account ${EMAIL} \
--key-file=${KEY_FILE}
# gcloud is now using the Service Account credentials
gcloud config get account
${EMAIL}
# Using new GKE auth plugin
gke-gcloud-auth-plugin \
| jq -r .status.expirationTimestamp
2022-00-00T17:10:00Z
# Need to either delete the token
# Or wait until 17:10 for it to expire
# Then...
kubectl get pods --namespace=default
Error from server (Forbidden): pods is forbidden: ...
ERROR Error from server (Forbidden): pods is forbidden: User "{ACCOUNT}#{PROJECT}.iam.gserviceaccount.com" cannot list resource "pods" in API group "" in the namespace "default": requires one of ["container.pods.list"] permission(s).
One solution is to grant the GCP (!) Service Account one of the Kubernetes Engine roles that has permission to list Pods, i.e. container.pods.* which is part of roles/container.developer:
# Grant the Service Account Kubernetes Engine role
ROLE="roles/container.developer"
gcloud projects add-iam-policy-binding ${PROJECT} \
--member=serviceAccount:${EMAIL} \
--role=${ROLE}
# Try again
kubectl get pods --namespace=default --output=name
pod/foo-c7b7995df-vxrmh
I have an aks cluster running kubernetes 1.21.2 with those options :
Kubernetes RBAC --> enable
AKS-managed AAD --> enable
Local accounts --> disabled
When I run the az aks get-credentials --resource-group <resource-group> --name <cluster-name> --admin it fails as expected. So far it's looking good.
I still want someone to be admin, so I give a user following privileges :
Azure Kubernetes Service Cluster User Role
Azure Kubernetes Service RBAC Cluster Admin
I followed the following steps to try out my user is a cluster admin :
az login and input my user's credentials to login
az aks get-credentials --resource-group <resource-group> --name <cluster-name> to download the clusterUser_kubeconfig
kubectl get pods -A to list pods in all namespaces
it prompts me something like To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DKXXXXX8T to authenticate.
I login using my user's credential again and allow the k8s application to connect to my user.
kubectl get pods -A fails :
Error from server (Forbidden): pods is forbidden: User "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" cannot list resource "pods" in API group "" at the cluster scope
According to what I have read so far, it should be working as my user is Azure Kubernetes Service RBAC Cluster Admin. Could someone enlighten me what I've missed or misunderstood ?
I changed something and deployed on a new cluster then I got this error even though I didn't change anything in the code. Has anybody seen it before?
from server for:
"/builds/dropcunt/nettmoster.com/deployment/webapp.yml": ingresses.extensions "nettmoster.comn-273414" is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot get resource "ingresses" in API group "extensions" in the namespace "nettmoster-com-9777808"
59 Error from server (Forbidden): error when retrieving current configuration of:
As suggested I runkubectl auth can-i --list --as=system:serviceaccount:gitlab-managed-apps:default
It returns:
This is a RBAC problem. The service account system:serviceaccount:gitlab-managed-apps:default does not have permission to get ingress resource in the new cluster.
You can compare what permission a service account have by running below command in both the cluster
kubectl auth can-i --list --as=system:serviceaccount:gitlab-managed-apps:default
Run below commands to get permission via RBAC
kubectl create role ingress-reader --verb=get,list,watch,update --resource=ingress
kubectl create rolebinding ingress-reader-role --role=ingress-reader --serviceaccount=gitlab-managed-apps:default
I am getting an error message after running some kubectl commands (GCP command line - gcloud). I have a K8S cluster created in GKE.
Example:
kubectl describe node
gke_k8s_cluster_name
Error from server (Forbidden): leases.coordination.k8s.io "gke_k8s_cluster_name" is forbidden: User "MY_SERVICE_ACCOUNT" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "kube-node-lease": Required "container.leases.get" permission.
The point is that "container.leases.get" permission is not listed in IAM (as custom permissions or regular role).
How could I grant that permission to the service account in GCP ?
thanks,
Jose
You may need to grant additional permissions to yourself on GCP IAM and GKE sides, for example:
PROJECT_ID=$(gcloud config get-value core/project)
USER_ID=$(gcloud config get-value core/account)
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=user:${USER_ID} --role=roles/container.admin
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user ${USER_ID}
See also GCP IAM & GKE RBAC integration.
I am trying to access my Kubernetes cluster on google cloud with the service account, but I am not able to make this works. I have a running system with some pods and ingress. I want to be able to update images of deployments.
I would like to use something like this (remotely):
kubectl config set-cluster cluster --server="<IP>" --insecure-skip-tls-verify=true
kubectl config set-credentials foo --token="<TOKEN>"
kubectl config set-context my-context --cluster=cluster --user=foo --namespace=default
kubectl config use-context cluster
kubectl set image deployment/my-deployment boo=eu.gcr.io/project-123456/image:v1
So I created the service account and then get the secret token:
kubectl create serviceaccount foo
kubectl get secret foo-token-gqvgn -o yaml
But, when I try to update the image in any deployment, I receive:
error: You must be logged in to the server (Unauthorized)
IP address for API I use the address, which is shown in GKE administration as cluster endpoint IP.
Any suggestions? Thanks.
I have tried to recreate your problem.
Steps I have followed
kubectl create serviceaccount foo
kubectl get secret foo-token-* -o yaml
Then, I have tried to do what you have done
What I have used as token is base64 decoded Token.
Then I tried this:
$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:foo" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:default:foo"
This gave me error as expected. Because, I need to grant permission to this ServiceAccount.
How can I grant permission to this ServiceAccount? I need to create ClusterRole & ClusterRoleBinding with necessary permission.
Read more to learn more role-based-access-control
I can do another thing
$ kubectl config set-credentials foo --username="admin" --password="$PASSWORD"
This will grant you admin authorization.
You need to provide cluster credential.
Username: admin
Password: -----
You will get this info in GKE -> Kubernetes Engine -> {cluster} -> Show credential