Comments (20)
Hi @herbrandson, thanks for this promising project! Can you say if what is discussed in this issue is released? I'd like to use this UI but in read-only mode, or maybe with an r:pod v:delete option, and I'm not sure if that is even possible now before I start tests.
from skooner.
@herbrandson I'm testing the `herbrandson/k8dash:dev` release with this role:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - create
      # - delete
      # - deletecollection
      - get
      - list
      # - patch
      - proxy
      - redirect
      # - replace
      # - update
      - watch
  - nonResourceURLs:
      - "*"
    verbs:
      - "*"
```

As you said, everything is working fine :-)
Next month (I'm pretty busy right now) I'll begin to test "restricted" users (reader over one namespace and admin over another namespace, for example).
I'll keep you posted. Thanks for your amazing work !!!
@jobace78 Thanks for reporting this! I suspect you're right about the issue being the login check. Could you try logging in again using the failing use case and check the networking tab in the developer tools to verify which api call is failing? If you're correct and we can verify that it's the `selfsubjectaccessreviews` call, I think this should be fairly easy to fix.
@herbrandson Yes, it's the `selfsubjectaccessreviews` call (`/apis/authorization.k8s.io/v1/selfsubjectaccessreviews`). It's returning a 201 code. Thanks !!!
Just to be clear, did you mean it's returning a 201 or a 401?
Sure, 201 (Created)
Interesting. 201 should indicate a success. Any chance you could post the response body? Also, are there any other api calls that are failing? I was kinda expecting to see something with a 403
Hi,
This is the header response:

```
HTTP/2.0 201 Created
server: nginx/1.15.10
date: Thu, 02 May 2019 07:44:41 GMT
content-type: application/json
content-length: 231
strict-transport-security: max-age=15724800; includeSubDomains
X-Firefox-Spdy: h2
```

This is the response:

```json
{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "metadata": {
    "creationTimestamp": null
  },
  "spec": {
    "resourceAttributes": {
    }
  },
  "status": {
    "allowed": false
  }
}
```

No, this is the only api call I'm able to see.
Thanks
Thanks so much for the additional @jobace78. That's really helpful. I have a suspicion about what's going on now. The `/apis/authorization.k8s.io/v1/selfsubjectaccessreviews` api call is a `POST` and the cluster role you have doesn't allow `POST` calls. Would it be possible to temporarily modify that role to allow POSTs to that one endpoint? I'd like to verify that resolves the issue. If so, I think I can address that issue fairly easily.
To be totally honest, I haven't really tested w/ a read-only account. I really hope this change gets things working for you. I've added a TODO to my list to do some testing w/ a variety of permission combinations. In the meantime, please let me know about any other issues you run into and I'll do my best to resolve them ASAP.
Thanks again for the help in chasing this one down!
FYI
I tested it as well, but only the cluster-admin role can access POST selfsubjectaccessreviews.
My cluster is installed with kubeadm. There are 4 clusterroles by default: cluster-admin, admin, edit, view.
cluster-admin has '*' for all.
Even admin is not allowed to post selfsubjectaccessreviews.
This is what clusterrole admin is:

```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      - secrets
      - services/proxy
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
      - services/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
```
Interesting. So I only see this section in that role for `authorization.k8s.io`:

```yaml
...
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
```

So I guess it makes sense that `admin` would also fail. I suspect that adding `- selfsubjectaccessreviews` under `resources` would get it working for the time being.
I think I have an idea about how to resolve this so that messing w/ roles wouldn't be required. However, it's going to be at least the weekend before I can get to it (...got family in town this week).
Hi,
I've tried allowing all verbs in `nonResourceURLs` with no success :-(

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
      - proxy
      - redirect
      - watch
  - nonResourceURLs:
      - "*"
    verbs:
      - "*"
```
FYI
I've tried with this:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - create
      # - delete
      # - deletecollection
      - get
      - list
      # - patch
      - proxy
      - redirect
      # - replace
      # - update
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - "*"
    verbs:
      - "*"
  - nonResourceURLs:
      - "*"
    verbs:
      # - get
      # - post
      - "*"
```

Unfortunately same error :-(
Also, there is no hurry, so even next week will be more than ok :-)
Thanks
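An offline RBAC rule matcher for the ClusterRoles quoted in this thread (added example, not skooner/k8dash code; the role dicts are transcribed from the comments above, YAML comments dropped): it applies Kubernetes RBAC matching to the verb the login check needs, `create` on `selfsubjectaccessreviews`, and shows why a `nonResourceURLs` rule cannot grant an API resource, while the cluster-reader variant with the extra `authorization.k8s.io` rule does grant it.

```python
"""Offline RBAC rule matcher for the ClusterRoles quoted in this thread.
Added example, not skooner/k8dash code; role data is hand-transcribed from
the comments (YAML comments dropped)."""

WILDCARD = "*"

def _matches(allowed, wanted):
    """RBAC list semantics: '*' matches anything, otherwise exact match."""
    return WILDCARD in allowed or wanted in allowed

def rule_allows(rule, group, resource, verb):
    """Does one PolicyRule grant `verb` on `group`/`resource`?
    A nonResourceURLs rule covers paths such as /healthz only; it never
    matches an API resource, so '*' there does nothing for this call."""
    if "nonResourceURLs" in rule:
        return False
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))

def role_allows(rules, group, resource, verb):
    """Rules are purely additive: any single matching rule grants access."""
    return any(rule_allows(r, group, resource, verb) for r in rules)

# The call under discussion: POST = verb "create" on selfsubjectaccessreviews.
SSAR = ("authorization.k8s.io", "selfsubjectaccessreviews", "create")
# Also named later in the thread as a hard requirement: "list" on namespaces.
NS_LIST = ("", "namespaces", "list")

READER_NO_CREATE = [  # cluster-reader variant without the create verb
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["get", "list", "proxy", "redirect", "watch"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]
READER_PLUS_AUTHZ = [  # later variant: create restored, authorization.k8s.io added
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["create", "get", "list", "proxy", "redirect", "watch"]},
    {"apiGroups": ["authorization.k8s.io"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]
ADMIN_AUTHZ_RULE = [  # the only authorization.k8s.io rule in the default admin role
    {"apiGroups": ["authorization.k8s.io"],
     "resources": ["localsubjectaccessreviews"], "verbs": ["create"]},
]

if __name__ == "__main__":
    for name, rules in [("reader-no-create", READER_NO_CREATE),
                        ("reader-plus-authz", READER_PLUS_AUTHZ),
                        ("admin-authz-rule", ADMIN_AUTHZ_RULE)]:
        print(f"{name}: ssar={role_allows(rules, *SSAR)} ns-list={role_allows(rules, *NS_LIST)}")
```

A 201 on this endpoint only means the review object was accepted; the actual answer is `status.allowed`, evaluated for whatever attributes the client put in `spec`.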
Great. Thanks for the additional info and for your patience. I'll let you know when I've made some progress.
Hey @jobace78. Just wanted to give you a quick status update. I've been making some good progress. I found last evening that this role works...

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-temp
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: 'true'
rules:
  -
    verbs:
      - '*'
    apiGroups:
      - ""
    resources:
      - '*'
```

...but this one doesn't...

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-temp
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: 'true'
rules:
  resources:
    - bindings
    - configmaps
    - endpoints
    - events
    - limitranges
    - namespaces
    - namespaces/status
    - persistentvolumeclaims
    - pods
    - pods/attach
    - pods/exec
    - pods/log
    - pods/portforward
    - pods/proxy
    - pods/status
    - replicationcontrollers
    - replicationcontrollers/scale
    - replicationcontrollers/status
    - resourcequotas
    - resourcequotas/status
    - secrets
    - serviceaccounts
    - services
    - services/proxy
```

This doesn't completely make sense to me though, because neither of these includes the `authorization.k8s.io` api group. I'm going to try to get some help on the "#kubernetes-security" slack channel to figure out what permission might be needed for this to work.
Thanks again for your patience.
Hi @herbrandson, let me know if you need me to test something else or whatever.
Thanks to you :-)
Thanks so much for offering @jobace78. It's people like you that make working on open source awesome :)
I should have something ready for an initial test by EOD. I'll keep you posted.
@jobace78 I've pushed an update that I'm hoping you can test out for me. It's available under the "dev" label at `herbrandson/k8dash:dev`. This is only a first step, but it should at least resolve a couple of the core issues here.
The Good:
- The roles "cluster-admin", "admin" and "edit" should all work as expected
- The read-only role should be able to login and successfully view everything
The Bad:
- The read-only role will still be able to see and "click" the edit buttons throughout the app (but an error will be displayed if any actual updates are attempted)
- Any role that doesn't support at least "list" permissions on the "namespace" resource will not work
- The UI does not yet "hide" menu items that the current user does not have permissions to view
- When attempting to view a resource the current user does not have permissions to view, the UI will currently appear stuck in a "loading" state
- No work has been put into accounts that only have permissions to a single namespace yet
Anyhow, more progress to come soon. But, I think this at least gets the main issue you are experiencing into a workable state. Let me know how it goes.
Hello 👋 !
Any update on the topic?
We really need an update on this topic 😢