RBAC is broken #1734
Comments
The kube-dns addon we package isn't configured to use RBAC. If you want to use RBAC, you need to supply your own addons, (that means turning off the addons with
We are tracking enabling RBAC or bundling RBAC-enabled addons in #1722
You could also just give the kube-system service account admin permissions, then everything should work.
Thank you @chancez for giving direction. For anyone that doesn't want to google it anymore, sample configuration below. After applying these rules minikube works again with RBAC:

```yaml
# Wide open access to the cluster (mostly for kubelet)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-writer
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
---
# Full read access to the api and resources
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-reader
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
---
# Give admin, kubelet, kube-system, kube-proxy god access
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-write
subjects:
  - kind: User
    name: admin
  - kind: User
    name: kubelet
  - kind: ServiceAccount
    name: default
    namespace: kube-system
  - kind: User
    name: kube-proxy
roleRef:
  kind: ClusterRole
  name: cluster-writer
  apiGroup: rbac.authorization.k8s.io
---
# Setup sd-build as a reader. This has to be a
# ClusterRoleBinding to get access to non-resource URLs
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-read
subjects:
  - kind: ServiceAccount
    name: sd-build
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-reader
  apiGroup: rbac.authorization.k8s.io
---
# Setup sd-build as a writer in its namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: sd-build-write
subjects:
  - kind: ServiceAccount
    name: sd-build
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-writer
  apiGroup: rbac.authorization.k8s.io
```
Note that upstream kube-dns now configures the controller to use a separate service account. Perhaps Minikube should do the same.
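The dedicated-service-account layout the comment above points to, written out as an added example that is not part of this thread and not minikube's own addon manifest. It is modelled on the upstream kube-dns RBAC approach: a `kube-dns` ServiceAccount in `kube-system`, a ClusterRole limited to read verbs on the Services and Endpoints that kube-dns watches, and a binding that ties only that account to the role. The names `kube-dns-reader` and `kube-dns-read` and the exact verb list are assumptions. Contrast this with the wildcard `cluster-writer` binding posted earlier, which hands the `default` service account in `kube-system`, and therefore every pod scheduled there without its own account, the equivalent of cluster-admin.

```yaml
# Dedicated identity for the DNS controller instead of sharing
# kube-system's "default" service account.
# (Resource names are assumptions modelled on the upstream kube-dns manifests.)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-dns
  namespace: kube-system
---
# Read-only access to exactly the resources kube-dns needs.
# No wildcards: with this role a compromised DNS pod cannot create,
# modify or delete anything through the API server.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-dns-reader
rules:
  - apiGroups: [""]
    resources: ["endpoints", "services"]
    verbs: ["get", "list", "watch"]
---
# Bind only the kube-dns account to that role. This has to be a
# ClusterRoleBinding because kube-dns watches Services in every namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-dns-read
subjects:
  - kind: ServiceAccount
    name: kube-dns
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: kube-dns-reader
  apiGroup: rbac.authorization.k8s.io
```

For the pod to pick up this identity, the kube-dns Deployment's pod spec must set `serviceAccountName: kube-dns`; otherwise it keeps running as `default`. The effective permissions can be checked with impersonation before rolling it out: `kubectl auth can-i list endpoints --as=system:serviceaccount:kube-system:kube-dns` should answer `yes`, while `kubectl auth can-i create pods --as=system:serviceaccount:kube-system:kube-dns` should answer `no`.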
Allow kube-dns and other kube-system services full access to the API. See:
* kubernetes/minikube#1734
* kubernetes/minikube#1722

Automatic merge from submit-queue.
Fix kube-dns RBAC issues
Allow kube-dns and other kube-system services full access to the API. See:
* kubernetes/minikube#1734
* kubernetes/minikube#1722
Fixes: #107
**Release note**:
```release-note
NONE
```
Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT
Minikube version (use `minikube version`): v0.20.0
Environment:
What happened:
Enabled RBAC via `--extra-config=apiserver.Authorization.Mode=RBAC`. kubedns fails:
What you expected to happen:
It works and everything spins up successfully.
How to reproduce it (as minimally and precisely as possible):
Run minikube with RBAC and k8s version 1.7.0