RBAC rules for heapster via proxy
1,379 views
Skip to first unread message
Chris Jones
May 19, 2017, 12:27:51 PM5/19/17
to Kubernetes developer/contributor discussion
Hi All,
What access do I need to grant my users so that they can run "kubectl top pod"? When a user runs that command, I see this in the logs:
GET /api/v1/proxy/namespaces/kube-system/services/http:heapster:/apis/metrics/v1alpha1/namespaces/my-namespace/pods?labelSelector=: (1.193183ms) 403
I wasn't able to find any examples of configuring access for this sort of thing.
Chris
What access do I need to grant my users so that they can run "kubectl top pod"? When a user runs that command, I see this in the logs:
GET /api/v1/proxy/namespaces/kube-system/services/http:heapster:/apis/metrics/v1alpha1/namespaces/my-namespace/pods?labelSelector=: (1.193183ms) 403
I wasn't able to find any examples of configuring access for this sort of thing.
Chris
Eric Chiang
May 19, 2017, 1:11:14 PM5/19/17
to Chris Jones, Kubernetes developer/contributor discussion
Chris,
The following RBAC role/binding should grant access (have not test
this). Importantly you need to grant access to the "proxy"
subresource.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: service-proxier
rules:
- apiGroups: [""]
resources: ["services/proxy"]
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: proxy-services
namespace: kube-system
subjects:
- kind: User
name: ( USERNAME )
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: service-proxier
apiGroup: rbac.authorization.k8s.io
The default cluster role "edit" also encompasses this power.
It seems like we expand the subresources RBAC docs. "status" is pretty
intuitive, but proxy, logs, etc probably need to be mentioned and
ctrl-f'able.
Eric
> --
> You received this message because you are subscribed to the Google Groups
> "Kubernetes developer/contributor discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-de...@googlegroups.com.
> To post to this group, send email to kuberne...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/kubernetes-dev/607a022f-859f-4f8e-a38e-b0455ad9c3f0%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
The following RBAC role/binding should grant access (have not test
this). Importantly you need to grant access to the "proxy"
subresource.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: service-proxier
rules:
- apiGroups: [""]
resources: ["services/proxy"]
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: proxy-services
namespace: kube-system
subjects:
- kind: User
name: ( USERNAME )
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: service-proxier
apiGroup: rbac.authorization.k8s.io
The default cluster role "edit" also encompasses this power.
It seems like we expand the subresources RBAC docs. "status" is pretty
intuitive, but proxy, logs, etc probably need to be mentioned and
ctrl-f'able.
Eric
> You received this message because you are subscribed to the Google Groups
> "Kubernetes developer/contributor discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-de...@googlegroups.com.
> To post to this group, send email to kuberne...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/kubernetes-dev/607a022f-859f-4f8e-a38e-b0455ad9c3f0%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Clayton Coleman
May 19, 2017, 1:24:53 PM5/19/17
to Eric Chiang, Chris Jones, Kubernetes developer/contributor discussion
Please also note that /proxy is incredibly powerful - it allows you
to do many things to the underlying node, up to accessing all
container data and potentially host logs
> To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-dev/CAA8S17GP9B3ejYmMPYvRnWjy1Tq9qJAXDQiqthhcjuXRE7wKbg%40mail.gmail.com.
to do many things to the underlying node, up to accessing all
container data and potentially host logs
Daniel Smith
May 19, 2017, 1:28:55 PM5/19/17
to Clayton Coleman, Eric Chiang, Chris Jones, Kubernetes developer/contributor discussion
Came here to say what Clayton said--proxy to all services in kube-system is probably root on the cluster.
>> email to kubernetes-dev+unsubscribe@googlegroups.com.
>> To post to this group, send email to kubernetes-dev@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/kubernetes-dev/607a022f-859f-4f8e-a38e-b0455ad9c3f0%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups "Kubernetes developer/contributor discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-dev+unsubscribe@googlegroups.com.
> To post to this group, send email to kubernetes-dev@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-dev/CAA8S17GP9B3ejYmMPYvRnWjy1Tq9qJAXDQiqthhcjuXRE7wKbg%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Kubernetes developer/contributor discussion" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-dev/-8256276560176115382%40unknownmsgid.To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-dev+unsubscribe@googlegroups.com.
To post to this group, send email to kubernetes-dev@googlegroups.com.
Chris Jones
May 19, 2017, 1:29:00 PM5/19/17
to Eric Chiang, Kubernetes developer/contributor discussion
Thanks for the reply, Eric.
So this allows the user to proxy any service in any namespace? It
seems overly broad; could I use resourceNames to allow access to
only certain services? If so, what would that look like? Ideally
I'd like to allow the user to proxy only for heapster, and only
for containers in a particular namespace.
Chris
Jordan Liggitt
May 19, 2017, 1:38:36 PM5/19/17
to Daniel Smith, Clayton Coleman, Eric Chiang, Chris Jones, Kubernetes developer/contributor discussion
In 1.6, `kubectl top` switched to use the proxy subresource so you can create a role that just allows services/proxy on just the heapster service in the kube-system namespace
Previous versions used the top level proxy verb, which is difficult to grant subdivided access to.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-de...@googlegroups.com.
To post to this group, send email to kuberne...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-dev/CAB_J3bYsVk5HSdJx_A%3DKx8iWdapc2NnsUnsv6n9QorhvRKi2Nw%40mail.gmail.com.
Eric Chiang
May 19, 2017, 1:40:32 PM5/19/17
to Chris Jones, Kubernetes developer/contributor discussion
Yeah, you should be able something like
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: service-proxier
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster"]
verbs: ["get"]
I've opened https://github.com/kubernetes/kubernetes.github.io/issues/3850
to follow up on the RBAC docs.
Eric
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: service-proxier
rules:
- apiGroups: [""]
resources: ["services/proxy"]
verbs: ["get"]
I've opened https://github.com/kubernetes/kubernetes.github.io/issues/3850
to follow up on the RBAC docs.
Eric
Chris Jones
May 19, 2017, 1:42:28 PM5/19/17
to Eric Chiang, Kubernetes developer/contributor discussion
Nice. That's still going to allow the user to gather heapster statistics for every pod in the cluster; but at least it won't allow access to every service in every namespace. Thanks for the detailed reply.
Chris
Chris Jones
May 19, 2017, 1:46:04 PM5/19/17
to Jordan Liggitt, Daniel Smith, Clayton Coleman, Eric Chiang, Kubernetes developer/contributor discussion
...so building on what Eric suggested, I would create a Role, not a ClusterRole, in the kube-system namespace?
kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: service-proxier namespace: kube-system rules: - apiGroups: [""] resources: ["services/proxy"] resourceNames: ["heapster"] verbs: ["get"]
Eric Chiang
May 19, 2017, 1:52:44 PM5/19/17
to Chris Jones, Jordan Liggitt, Daniel Smith, Clayton Coleman, Kubernetes developer/contributor discussion
Bindings determine the context of a role, not the role itself.
By referring to a ClusterRole with a RoleBinding you're saying "grant
this ClusterRole in this namespace." So you can use a ClusterRole or a
Role, and get the same results. The only difference is a Role can't be
referenced from a different namespace, which it seems like you
wouldn't want to do with this one, so yes, a Role might be more
appropriate.
By referring to a ClusterRole with a RoleBinding you're saying "grant
this ClusterRole in this namespace." So you can use a ClusterRole or a
Role, and get the same results. The only difference is a Role can't be
referenced from a different namespace, which it seems like you
wouldn't want to do with this one, so yes, a Role might be more
appropriate.
>> >> email to kubernetes-de...@googlegroups.com.
>> >> To post to this group, send email to kuberne...@googlegroups.com.
>> >> To view this discussion on the web visit
>> >>
>> >> To post to this group, send email to kuberne...@googlegroups.com.
>> >> To view this discussion on the web visit
>> >>
>> >> https://groups.google.com/d/msgid/kubernetes-dev/607a022f-859f-4f8e-a38e-b0455ad9c3f0%40googlegroups.com.
>> >> For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Kubernetes developer/contributor discussion" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> >> For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Kubernetes developer/contributor discussion" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to kubernetes-de...@googlegroups.com.
>> > To post to this group, send email to kuberne...@googlegroups.com.
>> > To view this discussion on the web visit
>> > To post to this group, send email to kuberne...@googlegroups.com.
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msgid/kubernetes-dev/CAA8S17GP9B3ejYmMPYvRnWjy1Tq9qJAXDQiqthhcjuXRE7wKbg%40mail.gmail.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Kubernetes developer/contributor discussion" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> > For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Kubernetes developer/contributor discussion" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
Piotr Szczesniak
May 22, 2017, 3:27:10 AM5/22/17
to Eric Chiang, Chris Jones, Jordan Liggitt, Daniel Smith, Clayton Coleman, Kubernetes developer/contributor discussion
Also there is an effort to introduce metrics server features#271 which will make metrics available via kube-aggregator and resolve this issue.
Thanks,
Piotr
Piotr
>> >> email to kubernetes-dev+unsubscribe@googlegroups.com.
>> >> To post to this group, send email to kubernetes-dev@googlegroups.com.
>> >> To view this discussion on the web visit
>> >>
>> >> https://groups.google.com/d/msgid/kubernetes-dev/607a022f-859f-4f8e-a38e-b0455ad9c3f0%40googlegroups.com.
>> >> For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Kubernetes developer/contributor discussion" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to kubernetes-dev+unsubscribe@googlegroups.com.
>> > To post to this group, send email to kubernetes-dev@googlegroups.com.
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msgid/kubernetes-dev/CAA8S17GP9B3ejYmMPYvRnWjy1Tq9qJAXDQiqthhcjuXRE7wKbg%40mail.gmail.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Kubernetes developer/contributor discussion" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to kubernetes-dev+unsubscribe@googlegroups.com.
>> To post to this group, send email to kubernetes-dev@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/kubernetes-dev/-8256276560176115382%40unknownmsgid.
>> For more options, visit https://groups.google.com/d/optout.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Kubernetes developer/contributor discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-dev+unsubscribe@googlegroups.com.
> To post to this group, send email to kubernetes-dev@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/kubernetes-dev/CAB_J3bYsVk5HSdJx_A%3DKx8iWdapc2NnsUnsv6n9QorhvRKi2Nw%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
>
>
--
You received this message because you are subscribed to the Google Groups "Kubernetes developer/contributor discussion" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-dev/CAA8S17E_-w8KVUoSXcD7oiLraWetdJDWk%2BVBpWKoZpFAfcjDzA%40mail.gmail.com.To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-dev+unsubscribe@googlegroups.com.
To post to this group, send email to kubernetes-dev@googlegroups.com.
Message has been deleted
Mohammad Mahzoun
Oct 18, 2017, 9:26:36 AM10/18/17
to Kubernetes developer/contributor discussion
Is there a solution to isolate metrics of each namespace for its users?
Solly Ross
Oct 19, 2017, 1:36:26 PM10/19/17
to Mohammad Mahzoun, Kubernetes developer/contributor discussion
> Is there a solution to isolate metrics of each namespace for its users?
No, not with Heapster. If you want that capability, you'll need to use metrics-server,
and the resource metrics API, which is a proper Kubernetes style API. Then you can create
RBAC policies as if the metrics were normal Kubernetes objects.
Best Regards,
Solly Ross
Reply all
Reply to author
Forward
This conversation is locked
You cannot reply and perform actions on locked conversations.
0 new messages