
RBAC is enabled (checked with kubectl api-versions, and got rbac records in the output). So, as I assume, normal users that are not bound to any Roles or ClusterRoles should have the most limited access to the cluster. I created the certificates and added these new users with signed certificates to Kubernetes as in the tutorial (https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user).

But my new users have full access to the cluster: they can list, update etc. all the resources (also double checked manually, and ran the command kubectl auth can-i '*' '*', which returned yes).

I have seen a similar post (New Kubernetes service account appears to have cluster admin permissions), but it was about serviceaccounts, and eventually their problem was that they had some ClusterRoleBinding that bound an overly permissive role to all their new users. In our case I couldn't find such a binding.

I checked whether they are added to some kind of a service group or are assigned the cluster-admin role, but that doesn't seem to be the reason, because I cannot even see the cluster-admin role when listing all the cluster roles with kubectl get clusterroles. Please let me know if anything like this has ever happened to you, or if you have any ideas what else I should check/configure so that all new users have the least possible permissions and I can then just add some granular roles to them.


UPDATE (output of the commands):

1) openssl req -in mike.csr -text | grep -i subject. Output:

Subject: CN = mike, O = trial
Subject Public Key Info:

2) kubectl get clusterrolebindings -o wide | grep mike\|trial (also used these grep variants: grep mike, grep mike\trial, grep trial, grep '<mike|trial>' - all resulted in an empty string). Output: empty

3) kubectl get rolebindings -o wide | grep mike\|trial (also used these grep variants: grep mike, grep mike\trial, grep trial, grep '<mike|trial>' - all resulted in an empty string). Output: empty

4) kubectl whoami. Output: mike

5) kubectl auth can-i '*' '*'. Output: yes

6) kubectl auth can-i create pods. Output: yes

Coding_Cat
  • To start with, let's double check the CSR you have created for username & group: 1) openssl req -in -text | grep -i subject 2) kubectl get clusterrolebindings -o wide | grep 3) kubectl get rolebindings -o wide | grep – confused genius Mar 31 '22 at 17:20
  • Please update the question with the output of the above commands, and also the output of kubectl auth can-i, to have a better understanding – confused genius Mar 31 '22 at 17:21
  • @confusedgenius Hello, thank you very much for your help! I have updated the question with the results of the commands and added a couple of other commands like whoami and auth can-i create pod, just to make sure that my 'mike' user does have more permissions than he should. Thank you very much! – Coding_Cat Mar 31 '22 at 22:40
  • Which version of Kubernetes did you use and how did you set up the cluster? Did you use bare metal installation or some cloud provider? It is important to reproduce your problem. – Mikołaj Głodziak Apr 04 '22 at 12:54
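An added audit helper (not from the question or its comments): a certificate user is matched by RBAC as User=CN, Group=each O= field, and also the implicit group system:authenticated that every authenticated identity carries, so grepping bindings for the literal names "mike" and "trial" cannot surface a binding to that implicit group. The function below resolves those subjects over the item shape that kubectl get clusterrolebindings,rolebindings -A -o json returns; the bindings embedded here are constructed sample data, not from the asker's cluster.

```python
import json

# Group every authenticated identity (including client-certificate users)
# belongs to implicitly, on top of the O= fields of its certificate.
IMPLICIT_GROUPS = {"system:authenticated"}

# Constructed sample, reduced to the fields the check needs; the shape matches
# `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE_BINDINGS_JSON = """
{"items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "RoleBinding", "metadata": {"name": "trial-view", "namespace": "dev"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "trial"}]},
  {"kind": "RoleBinding", "metadata": {"name": "alice-edit", "namespace": "dev"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "User", "name": "alice"}]}
]}
"""

def bindings_for(items, user, cert_groups):
    """Return (binding name, scope, role name) for every binding whose subjects
    name the user directly or name any group the user is a member of."""
    groups = set(cert_groups) | IMPLICIT_GROUPS
    hits = []
    for b in items:
        for s in b.get("subjects") or []:   # subjects may be absent or null
            if (s["kind"] == "User" and s["name"] == user) or \
               (s["kind"] == "Group" and s["name"] in groups):
                scope = b["metadata"].get("namespace", "cluster-wide")
                hits.append((b["metadata"]["name"], scope, b["roleRef"]["name"]))
                break
    return hits

def audit(bindings_json, user, cert_groups):
    """Parse kubectl's JSON list output and report the bindings that apply."""
    items = json.loads(bindings_json)["items"]
    return bindings_for(items, user, cert_groups)

if __name__ == "__main__":
    # CN=mike, O=trial as in the question's CSR
    for name, scope, role in audit(SAMPLE_BINDINGS_JSON, "mike", ["trial"]):
        print(f"{scope:12} {name:15} -> {role}")
```

RBAC bindings are only one authorizer: if the API server's --authorization-mode list also contains AlwaysAllow, every request is permitted regardless of what this check finds, so that flag is worth confirming alongside the bindings.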

0 Answers