Kubernetes: RBAC persistent volumes is not working with namespaces
BUG REPORT
Kubernetes version (use kubectl version): Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1", GitCommit:"82450d03cb057bab0950214ef122b67c83fb11df", GitTreeState:"clean", BuildDate:"2016-12-14T00:57:05Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"5+", GitVersion:"v1.5.1-3+10e41f22e4421c", GitCommit:"10e41f22e4421c9a14e9e6782c6375c199a07a86", GitTreeState:"clean", BuildDate:"2016-12-15T10:06:44Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Environment:
- Cloud provider or hardware configuration: openstack
- OS (e.g. from /etc/os-release): centos7
- Kernel (e.g.
uname -a): 3.10.0-327.36.3.el7.x86_64
What happened: We have enabled RBAC authentication. We have two different rolebindings:
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-custom
subjects:
- kind: ServiceAccount
name: default
namespace: kube-system
- kind: User
name: kubelet
namespace: kube-system
- kind: User
name: clusteradmin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
and
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: RoleBinding
metadata:
name: default-admin
namespace: default
subjects:
- kind: ServiceAccount
name: default
- kind: User
name: defaultadmin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
So we have two different users: clusteradmin, which have access to everything in kube cluster and defaultadmin, which should have access to all resources in default namespace. Executing PV commands with clusteradmin works fine, when using defaultadmin in default namespace it gives error:
kubectl get pv
Error from server (Forbidden): the server does not allow access to the requested resource (get persistentvolumes)
Error from server (Forbidden): error when creating "db-pv.yaml": the server does not allow access to the requested resource (post persistentvolumes)
What you expected to happen: defaultadmin should have access to PV resources in defined (in my case default) namespace, because cluster-admin clusterrole says following:
- apiGroups:
- '*'
attributeRestrictions: null
resources:
- '*'
verbs:
- '*'
- attributeRestrictions: null
nonResourceURLs:
- '*'
verbs:
- '*'
The important thing here is resources *, but it feels like PV is not part of wildcard.
How to reproduce it (as minimally and precisely as possible):
- enable RBAC
- create two users, clusteradmin and defaultadmin
- add clusterrolebinding and rolebinding which was mentioned earlier in this bug ticket
- execute PV commands in default namespace with both users
zetaab
All 3 comments
I'm having a similar issue, where I have a few namespaces including dev and default. As a "dev user" I can create a bunch of resources in the dev namespace, including a PVC, but creating the PV as the "dev user" in the dev namespace results in the same error as above:
Error from server (Forbidden): error when creating "db-pv.yaml": the server does not allow access to the requested resource (post persistentvolumes)
I can create the PV as the admin user in the default namespace, and then everything is fine.
Amit-PivotalLabs
on 23 Jan 2017
PV's are not connected to a namespace
rsuniev
on 1 Feb 2017
PVs are cluster-scoped objects. They do not exist in a namespace. To get permission to use the PV API with RBAC you need a ClusterRole bound at the cluster scope with a ClusterRoleBinding.
liggitt
on 10 Feb 2017
Related issues
tbchj
·
3Comments
pwittrock
·
3Comments
broady
·
3Comments
ttripp
·
3Comments
arun-gupta
·
3Comments
Most helpful comment
PVs are cluster-scoped objects. They do not exist in a namespace. To get permission to use the PV API with RBAC you need a ClusterRole bound at the cluster scope with a ClusterRoleBinding.