I'm still new to Kubernetes and trying to gain some expertise. I have an on-prem cluster and have been trying to set up CI/CD using ArgoCD. When I deploy the application, I get the below error message. Any ideas what this could be?
deployments.apps "account-deployment" is forbidden: user "system:serviceaccount:argocd:argocd-application-controller" is not an admin and does not have permissions to use extra kernel capabilities for resource account-deployment
The argocd service account, which is the set of permissions a pod has over the cluster APIs, is lacking permissions cluster-wide. Take a look at roles, cluster roles, and role bindings, which are the way to bind permissions to a user/service account:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
I'm a little confused about the default Service Account in a newly created Namespace in my Minikube.
Does it have any permissions? It seems not, because I can't find any RoleBinding or ClusterRoleBinding which references this SA.
Then why is it created when it does not have a permission, or is there a use case around that?
And lastly, why are service accounts by default mounted to pods?
Regards
ralph
The default service account doesn’t have enough permissions to retrieve the services running in the same namespace.
Kubernetes follows the convention of closed-to-open which means that by default no user or service account has any permissions.
To fulfill this request, we need to create a role binding associating the default service account with an appropriate role. This is similar to how we assign a viewer role to the service account that can give permission to list pods.
Pods have the default service account assigned even when you don’t ask for it. This is because every pod in the cluster needs to have one (and only one) service account assigned to it.
Refer to Kubernetes namespace default service account for more information.
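A small model of the closed-to-open RBAC evaluation this answer describes, as an added example that is not part of the original post; the Role and RoleBinding manifests and the namespace name demo are constructed for illustration:

```python
# Added example (not from the original post): a small model of how Kubernetes RBAC
# answers "can subject X do verb V on resource R in namespace N", the question
# `kubectl auth can-i --as=system:serviceaccount:<ns>:default` asks a real cluster.
# Manifests are constructed: a Role/RoleBinding granting the demo namespace's
# default ServiceAccount get/list on Services and nothing else.

# Constructed Role: get/list Services in the core API group ("") only.
SERVICE_VIEWER_ROLE = {
    "metadata": {"name": "service-viewer", "namespace": "demo"},
    "rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}],
}
# Constructed RoleBinding: attaches that Role to demo's default ServiceAccount.
SERVICE_VIEWER_BINDING = {
    "metadata": {"name": "default-service-viewer", "namespace": "demo"},
    "roleRef": {"kind": "Role", "name": "service-viewer"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "demo"}],
}
DEFAULT_SA = {"kind": "ServiceAccount", "name": "default", "namespace": "demo"}


def rule_allows(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb each match ('*' is a wildcard)."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(roles, bindings, subject, namespace, api_group, resource, verb):
    """Closed-to-open: allow only if a RoleBinding in this namespace names the
    subject and references a Role (in the same namespace) with a matching rule.
    With no bindings at all, every request is denied. Only Role/RoleBinding are
    modelled here; ClusterRole/ClusterRoleBinding add the cluster-wide variant."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles
                     if r["metadata"]["namespace"] == namespace}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if subject not in binding["subjects"]:
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role and any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False
```

With no bindings the default service account can do nothing; after the binding it can list Services in demo, but still not Pods, not Services in another namespace, and not delete anything.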
I am trying out the capability where 2 pods deployed to the same worker node in EKS are associated with different service accounts. Below are the steps:
Each service account is associated with a different role, one with access to SQS and the other without access.
Used eksctl to associate the OIDC provider with the cluster and also created an iamserviceaccount with a service account in Kubernetes and a role with the policy for accessing SQS attached (implicit annotation of the service account with the IAM role provided by eksctl create iamserviceaccount).
But when I try to start the pod which has the service account tied to the role with SQS access, I am getting access denied for SQS; however, if I add SQS permissions to the worker node instance role, it's working fine.
Am I missing any steps, and is my understanding correct?
So, there are a few things required to get IRSA to work:
There has to be an OIDC provider associated with the cluster, following the directions here.
The IAM role has to have a trust relationship with the OIDC provider, as defined in the AWS CLI example here.
The service account must be annotated with a matching eks.amazonaws.com/role-arn.
The pod must have the appropriate service account specified with a serviceAccountName in its spec, as per the API docs.
The SDK for the app needs to support the AssumeRoleWithWebIdentity API call. Weirdly, the aws-sdk-go-v2 SDK doesn't currently support it at all (the "old" aws-sdk-go does).
It's working with the node role because one of the requirements above isn't met, meaning the credential chain "falls through" to the underlying node role.
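The checks in items 2 to 4 of the list above, written out as an added example that is not part of the original post; the account id, OIDC provider id, ARNs, namespace and names it uses are placeholders, and the trust policy, ServiceAccount and Pod are constructed inputs:

```python
# Added example (not from the original post): verifies items 2-4 of the IRSA
# checklist above on constructed inputs. A miss on any of them makes the SDK's
# credential chain fall through to the node role, the symptom in the question.
PROVIDER_ARN = ("arn:aws:iam::111122223333:oidc-provider/"
                "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID")   # placeholder
ROLE_ARN = "arn:aws:iam::111122223333:role/sqs-reader"                 # placeholder
OIDC_HOST = PROVIDER_ARN.split(":oidc-provider/")[1]

# Constructed trust policy of the shape eksctl writes for an iamserviceaccount.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_HOST}:sub": "system:serviceaccount:apps:sqs-reader",
            f"{OIDC_HOST}:aud": "sts.amazonaws.com",
        }},
    }],
}
# Constructed ServiceAccount and Pod manifests (only the relevant fields).
SERVICE_ACCOUNT = {"metadata": {"name": "sqs-reader", "namespace": "apps",
                   "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN}}}
POD = {"metadata": {"namespace": "apps"}, "spec": {"serviceAccountName": "sqs-reader"}}


def check_irsa(trust_policy, service_account, pod, provider_arn, role_arn):
    """Return a list of findings; an empty list means checks 2-4 all pass."""
    findings = []
    ns, sa = service_account["metadata"]["namespace"], service_account["metadata"]["name"]
    oidc_host = provider_arn.split(":oidc-provider/")[1]
    expected_sub = f"system:serviceaccount:{ns}:{sa}"  # sub claim of the projected token
    # 2. Trust relationship: the cluster's OIDC provider is the federated principal
    #    and the sub condition pins the role to exactly this namespace/service account.
    trusted = any(
        st.get("Effect") == "Allow"
        and st.get("Action") == "sts:AssumeRoleWithWebIdentity"
        and st.get("Principal", {}).get("Federated") == provider_arn
        and st.get("Condition", {}).get("StringEquals", {}).get(f"{oidc_host}:sub") == expected_sub
        for st in trust_policy.get("Statement", []))
    if not trusted:
        findings.append(f"trust policy does not allow {expected_sub} via {provider_arn}")
    # 3. The service account must carry the matching eks.amazonaws.com/role-arn annotation.
    if service_account["metadata"].get("annotations", {}).get("eks.amazonaws.com/role-arn") != role_arn:
        findings.append(f"service account {ns}/{sa} is not annotated with {role_arn}")
    # 4. The pod must actually run as that service account (unset means "default").
    if pod["metadata"]["namespace"] != ns or pod["spec"].get("serviceAccountName", "default") != sa:
        findings.append(f"pod does not set serviceAccountName {sa} in namespace {ns}")
    return findings
```

A trust policy that loosens the sub condition (or omits it) is reported as a finding here on purpose: it would let any service account in the cluster assume the role rather than only the annotated one.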
We are using a K8s cluster but we don't have cluster level permissions, so we can only create Role and ServiceAccount on our namespaces and we need install a service mesh solution (Istio or Linkerd) only in our namespaces.
Our operation team will agree to apply CRDs on the cluster for us, so that part is taken care of, but we can’t request for cluster admin permissions to set up the service mesh solutions.
We think that it should be possible to do this if we change all the ClusterRoles and ClusterRoleBindings to Roles and RoleBindings on Helm charts.
So, the question is: how can we set up a service mesh using Istio or Linkerd without having admin permission on the K8s cluster?
Linkerd cannot function without certain ClusterRoles, ClusterRoleBindings, etc. However, it does provide a two-stage install mode where one phase corresponds to "cluster admin permissions needed" (aka give this to your ops team) and the other "cluster admin permissions NOT needed" (do this part yourself).
The set of cluster admin permissions needed is scoped down to be as small as possible, and can be inspected (the linkerd install config command simply outputs it to stdout).
See https://linkerd.io/2/tasks/install/#multi-stage-install for details.
For context, we originally tried to have a mode that required no cluster-level privileges, but it became clear we were going against the grain with how K8s operates, and we ended up abandoning that approach in favor of making the control plane cluster-wide but multi-tenant.
Kubernetes RBAC can be used to give permissions to a subject in a particular Namespace. Can the same be accomplished with Cloud IAM?
Not at the moment, no. IAM is used to assign and verify permissions when interacting with GCP APIs. IAM can only provide access to the GKE API, which does not take into account namespaces.
As you mentioned, RBAC is your option for more granular permissions within the cluster.
If I understood your point correctly:
The IAM roles for a GKE kubernetes cluster are very simple, "Admin, Read/Write, Read".
But you need more fine-grained control over the kubernetes cluster.
In this case:
There's a new "Alpha" feature in Google Cloud's IAM which wasn't available previously.
Under IAM > Roles
You can now create custom IAM roles with your own subset of permissions.
You can create a minimal role which allows for example gcloud container clusters get-credentials to work, but nothing else, allowing permissions within the kubernetes cluster to be fully managed by RBAC.
It will allow you to get more fine-grained access configurations for kubernetes cluster.
I created a Kubernetes cluster under my user account on IBM Bluemix, and added another user into my organization. But he can't see my cluster. Is there any other configuration needed?
To manage cluster access, see this link from the IBM Bluemix Container Service documentation. Summarised here:
Managing cluster access
You can grant access to your cluster to other users, so that they can access the cluster, manage the cluster, and deploy apps to the cluster.
Every user that works with IBM Bluemix Container Service must be assigned a service-specific user role in Identity and Access Management that determines what actions this user can perform.
Identity and Access Management differentiates between the following access permissions.
IBM Bluemix Container Service access policies
Access policies determine the cluster management actions that you can perform on a cluster, such as creating or removing clusters, and adding or removing extra worker nodes.
Cloud Foundry roles
Every user must be assigned a Cloud Foundry user role. This role determines the actions that the user can perform on the Bluemix account, such as inviting other users, or viewing the quota usage. To review the permissions of each role, see Cloud Foundry roles.
RBAC roles
Every user who is assigned an IBM Bluemix Container Service access policy is automatically assigned an RBAC role. RBAC roles determine the actions that you can perform on Kubernetes resources inside the cluster. RBAC roles are set up for the default namespace only. The cluster administrator can add RBAC roles for other namespaces in the cluster. See Using RBAC Authorization in the Kubernetes documentation for more information.