user1 and user2 have been assigned "admin" role in K8s cluster where they can only work within the namepsace they are assigned. In the case below, ns1 and ns2 respectively
user1 --> assigned namespace ns1
user2 --> assigned namespace ns2
user3 --> assigned namespace ns3 and also have namespace-admin role assigned.
namespace-admin role (user3) should be able to create any resource in namespace ns3 and any new namespaces he creates in the cluster. This role should have ability to dynamically create new namespaces. But user3 should NOT have access to ns1 or ns2 namespaces which is not created by user "user3".
user3 will be dynamically creating new namespaces and deploying workloads in those namespaces.
Can this be addressed ? This is similar to Openshift "Projects" concept.
Yes, you can restrict user3 to create/delete resources only in the namespace ns3 using a Role bind that role to user3.
Then you can use ClusterRole with only access to the namespaces resource and allow it to create, delete, etc
Something like this:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: my-namespace
name: user-namespace-role
rules:
- apiGroups: [""]
resources: ["services", "endpoints", "pods"] # etc...
verbs: ["get", "list", "create"] # etc
Then:
kubectl create rolebinding user-namespace-binding --role=user-namespace-role --user=user3 --namespace=my-namespace
Then:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-role-all-namespaces
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # etc
Then:
kubectl create clusterrolebinding all-namespaces-binding --clusterrole=cluster-role-all-namespaces --user=user3
For user1 and user2 you can create a Role and RoleBinding for their unique namespaces.
user3 should be able to create any resource in namespace ns3 and any new namespaces he creates in the cluster.
To achieve dynamic permissions, you'd need a component granting user 3 permissions in the namespaces they create (which is what the openshift projects API handler does)
I see that the post is 4 years old, but if someone stumbles on this thread, "Hierarchical Namespaces" is something that could work in this scenario. In this case you assign user3 the needed permissions to ns3 and user3 can then create "subnamespaces" from ns3, where all of the objects (the RoleBinding, etc.) will be inherited.
Related
Is there a way to disable impersonation in Kubernetes for all admin/non Admin users?
kubectl get pod --as user1
The above command should not provide answer due to security concerns.
Thank you in advance.
Unless all your users are already admins they should not be able to impersonate users. As cluster-admin you can do "anything" and pre-installed roles/rb should not be edited under normal circumstances.
The necessary Role to enable impersonation is:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: impersonator
rules:
- apiGroups: [""]
resources: ["users", "groups", "serviceaccounts"]
verbs: ["impersonate"]
As long as normal users don't have those permissions, they should not be allowed to perform --as.
I'm getting this error in wildcard certificate challenge:
Error presenting challenge: Found no Zones for domain _acme-challenge.my-domain.com. (neither in the sub-domain noir in the SLD) please make sure your domain-entries in the config are correct and the API is correctly setup with Zone.read rights.
I'm using Cloudflare as the DNS01 Challenge Provider and have set up the API token with the permissions described in the cert-manager documentation.
My cluster issuer looks like this:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: test-issuer
spec:
acme:
email: <email>
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: test-issuer-private-key
solvers:
- dns01:
cloudflare:
email: <email>
apiTokenSecretRef:
name: issuer-access-token
key: api-token
And my certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: test-wildcard
spec:
secretName: test-wildcard-tls
issuerRef:
name: test-issuer
kind: ClusterIssuer
dnsNames:
- "*.my-domain.com"
I have CNAME record with ‘*’ name that points to my domain and an A record that points to my Kubernetes cluster IP.
Am I missing something? How do you correctly set up cert-manager to automatically manage wildcard domain with Cloudflare as DNS01 Challenge Provider?
I've run into this issue as well, and I realized that I made two different errors in my configuration.
#1: I had overlooked that the API Token that you generate must have all of the following permissions and zone resources associated to it:
Permissions
Zone.Zone.Read
Zone.Zone.Edit
Zone Resources
Include.All zones
This is in the docs but clearly I wasn't reading correctly.
#2: I wasn't able to make it work with the dnsNames attribute in the Certificate resource, but rather needed to use dnsZones instead. In your example, try changing from:
dnsNames:
- "*.my-domain.com"
to:
dnsZones:
- "my-domain.com"
According to this docs (emphasis mine):
Note: dnsNames take an exact match and do not resolve wildcards, meaning the following Issuer will not solve for DNS names such as foo.example.com. Use the dnsZones selector type to match all subdomains within a zone.
This should generate a certificate with a CN of *.my-domain.com and with both *.my-domain.com and my-domain.com in the subjectAltName field.
In IBM Cloud, I have an IAM Access Group for security admins. What policy do I need to grant to have their members READ access to user-specific authorizations, i.e., access policies granted to a user, not an Access Group?
The account owner can see those authorizations by, e.g., the List Policies API. The security admin, when calling that API, either receives an empty list or only a partial list. The Access Group for security admins already has Administrator privilege for IAM Identity Service and IAM Access Group Service.
If the policies are based on a resource group you might need Viewer access to the resource group. In terraform it would be something like this:
resource "ibm_iam_access_group_policy" "shared_policy" {
access_group_id = ibm_iam_access_group.shared.id
roles = ["Viewer"]
resources {
resource_type = "resource-group"
resource = ibm_resource_group.shared.id
}
}
New resource groups could be added in the future...
To see access policies, the security administrators and hence their related Access Group need *Viewer* privilege on all resources and services that are directly "authorized" to users or service IDs. It is not enough to have Viewer or even Administrator role on IAM Access Groups Service, Viewer on all Account Management as well as on all IAM-enabled services is required.
The following would give Viewer on Account Management services when using Terraform:
resource "ibm_iam_access_group_policy" "cloud-security-admins-account_viewer" {
access_group_id = ibm_iam_access_group.cloud-security-admins.id
account_management = true
roles = [ "Viewer" ]
}
And the next Terraform snippet could be used to give Viewer on all IAM-enabled services:
resource "ibm_iam_access_group_policy" "cloud-security-admins-viewall-resources" {
access_group_id = ibm_iam_access_group.cloud-security-admins.id
roles = [ "Viewer" ]
resources {
resource_type = "resource-group"
}
}
Is there an oc command (or other method) to list all service accounts that have been granted the privileged scc?
If I suspect oc adm policy add-scc-to-user privileged -z SA_NAME has been run against a number of service accounts, how can I check? I know the call to undo this using oc adm policy remove-scc-from-user ..., but haven't found a command to list which accounts have been given an scc.
Seems I eventually stumbled on the answer to my own question.
Inspecting an scc shows the list of users that have the scc.
oc edit scc privileged
...
kind: SecurityContextConstraints
metadata:
...
name: privileged
...
users:
- system:admin
- system:serviceaccount: SA_NAME1
- system:serviceaccount: SA_NAME2
- ...
What happens when adding privileged to an account (user or sa), it appears the opposite is really what happens, the user/sa is added to the scc.
I do log in the user very well. It is working fine in symfony2. During registration in the DB the role and a state_id are going to be saved.
role: ROLE_USER
state_id: 4 //e.g. has only permissions to do some extra actions
Is there a way in symfony2 in the security.yml that I give permissions to targets with role and state_id?
Better use different roles for this, not a state id. For example: ROLE_USER, ROLE_USER_4, etc.