kubectl config view --flatten


Yakov Sobolev

Sep 13, 2018, 8:44:01 AM
to kubernetes-sig-auth
I discovered interesting behavior when using the --flatten flag with the kubectl config view command.

I created a user that does not have any RoleBindings.
I modified the ClusterRoleBinding system:basic-user, which I think is the only binding granted to all users by default.

When that user runs kubectl config view, all sensitive data is REDACTED:

certificate-authority-data: REDACTED
client-certificate-data: REDACTED
client-key-data: REDACTED

However, when that user adds the --flatten flag, all sensitive data is displayed.

Is it a bug?
Is there a way to prevent it?






David Eads

Sep 13, 2018, 8:45:54 AM
to ysob...@ashland.edu, kubernetes-sig-auth
The purpose of flatten is to produce a portable, self-contained kubeconfig file.  To do that it must show the sensitive data, otherwise the output is not portable.

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-auth" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To post to this group, send email to kubernete...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/6958ba52-2d55-4e94-8263-20c2443ac666%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jordan Liggitt

Sep 13, 2018, 9:00:24 AM
to David Eads, ysob...@ashland.edu, kubernetes-sig-auth
Also, REDACTED was not quite accurate... the reason for omitting that was for brevity/readability, not security. See discussion in https://github.com/kubernetes/kubernetes/issues/61573 and change in https://github.com/kubernetes/kubernetes/pull/66023

Yakov Sobolev

Sep 13, 2018, 9:02:28 AM
to kubernetes-sig-auth


On Thursday, September 13, 2018 at 12:45:54 PM UTC, David Eads wrote:
> The purpose of flatten is to produce a portable, self-contained kubeconfig file. To do that it must show the sensitive data, otherwise the output is not portable.



I understand that. But is there a way to revoke that ability from the user? Why is it granted by default? Users cannot see any other objects unless they are granted a Role. 




Jordan Liggitt

Sep 13, 2018, 9:17:23 AM
to kubernete...@googlegroups.com
On Thu, Sep 13, 2018, at 9:02 AM, Yakov Sobolev wrote:
> I understand that. But is there a way to revoke that ability from the user? Why is it granted by default? Users cannot see any other objects unless they are granted a Role.

`kubectl config view` is just displaying the content of the local kubeconfig file. There is no API request being made or authorized.
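
Added example (not part of the thread and not kubectl's code): a Python sketch of the point made in the reply above, that masking is a display step over a local file, so the practical control is who can read that file. The sample kubeconfig and its values are constructed placeholders, the helper names are hypothetical, and the line-based matching is a simplification rather than a YAML parser.

```python
import os
import re
import tempfile

# The three credential fields shown in the thread.
SENSITIVE_KEYS = ("certificate-authority-data", "client-certificate-data", "client-key-data")
FIELD = re.compile(r"^(\s*(?:-\s+)?)(%s):\s*(\S+)\s*$" % "|".join(SENSITIVE_KEYS))

# Constructed sample kubeconfig; the base64 values are placeholders, not real credentials.
SAMPLE = """\
apiVersion: v1
kind: Config
clusters:
- name: demo
  cluster:
    server: https://kube.example.invalid:6443
    certificate-authority-data: Q09OU1RSVUNURUQtQ0E=
users:
- name: demo-user
  user:
    client-certificate-data: Q09OU1RSVUNURUQtQ0VSVA==
    client-key-data: Q09OU1RSVUNURUQtS0VZ
"""

def redacted_view(text):
    """Mask credential values for display only; nothing on disk is touched."""
    return "\n".join(FIELD.sub(r"\1\2: REDACTED", line) for line in text.splitlines())

def embedded_credentials(path):
    """Return the credential fields stored inline in the file at `path`."""
    with open(path) as fh:
        return [m.group(2) for m in map(FIELD.match, fh) if m]

def readable_by_others(path):
    """True if group or other has any permission bit set on the file."""
    return bool(os.stat(path).st_mode & 0o077)

def demo():
    # mkstemp creates the file with mode 0600 on POSIX systems.
    fd, path = tempfile.mkstemp(suffix=".kubeconfig")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE)
    try:
        return redacted_view(SAMPLE), embedded_credentials(path), readable_by_others(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The masked view and the list of inline credentials come from the same file: the view hides values on screen, while the file still holds them for anyone with read access.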

