The kubevirt:view ClusterRole does not provide permissions for users to access VirtualMachineCluster{Instancetype,Preference} cluster scoped resources when bound using RoleBinding #10437

Closed
lyarwood opened this issue Sep 14, 2023 · 1 comment · Fixed by #10438

Comments

@lyarwood
Member

lyarwood commented Sep 14, 2023

/area instancetype
/assign

What happened:

$subject, the kubevirt:view ClusterRole doesn't provide access to cluster scoped resources when bound through a RoleBinding:

$ oc whoami
kube:admin

$ oc get user/test -o json 
{
    "apiVersion": "user.openshift.io/v1",
    "groups": null,
    "identities": [
        "test:test"
    ],
    "kind": "User",
    "metadata": {
        "creationTimestamp": "2023-09-13T06:32:27Z",
        "name": "test",
        "resourceVersion": "2296746",
        "uid": "82589434-61c0-43f9-b583-4cdf1c07a449"
    }
}
$ oc get rolebinding/view -o json 
{
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {
        "creationTimestamp": "2023-09-12T00:26:26Z",
        "name": "view",
        "namespace": "default",
        "resourceVersion": "299686",
        "uid": "41047a8a-9d95-42bc-9f59-667ae114ea5c"
    },
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "view"
    },
    "subjects": [
        {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "User",
            "name": "test"
        }
    ]
}

$ oc get clusterrole/view -o json | jq -r '.rules[] | select(.apiGroups==["instancetype.kubevirt.io"])'
{
  "apiGroups": [
    "instancetype.kubevirt.io"
  ],
  "resources": [
    "virtualmachineinstancetypes",
    "virtualmachineclusterinstancetypes",
    "virtualmachinepreferences",
    "virtualmachineclusterpreferences"
  ],
  "verbs": [
    "get",
    "list",
    "watch"
  ]
}

$ oc whoami
test 

$ oc get virtualmachineclusterinstancetypes
Error from server (Forbidden): virtualmachineclusterinstancetypes.instancetype.kubevirt.io is forbidden: User "test" cannot list resource "virtualmachineclusterinstancetypes" in API group "instancetype.kubevirt.io" at the cluster scope

What you expected to happen:

A separate ClusterRole should be provided by KubeVirt that can be bound with a ClusterRoleBinding allowing access to these cluster scoped resources.

How to reproduce it (as minimally and precisely as possible):
As above.

Additional context:
Add any other context about the problem here.

Environment:

  • KubeVirt version (use virtctl version): N/A
  • Kubernetes version (use kubectl version): N/A
  • VM or VMI specifications: N/A
  • Cloud provider or hardware configuration: N/A
  • OS (e.g. from /etc/os-release): N/A
  • Kernel (e.g. uname -a): N/A
  • Install tools: N/A
  • Others: N/A
@lyarwood
Member Author

lyarwood commented Sep 14, 2023

Reproduced the issue and verified the instancetype.kubevirt.io:view ClusterRole from the PR against a vanilla kubevirtci env without the User kind from OCP:

$ openssl genrsa -out lyarwood.pem
$ openssl req -new -key lyarwood.pem -out lyarwood.csr -subj "/CN=lyarwood"

$ ./cluster-up/kubectl.sh apply -f - <<EOF
---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-request-lyarwood
spec:
  groups:
  - system:authenticated
  request:  $(cat lyarwood.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 315569260
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
certificatesigningrequest.certificates.k8s.io/user-request-lyarwood created

$ ./cluster-up/kubectl.sh certificate approve user-request-lyarwood
$ ./cluster-up/kubectl.sh get csr user-request-lyarwood -o jsonpath='{.status.certificate}' | base64 -d > lyarwood-user.crt

$ cp $(./cluster-up/kubeconfig.sh) ./.lyarwood-config
$ ./cluster-up/kubectl.sh config --kubeconfig ./.lyarwood-config set-credentials lyarwood --client-certificate=lyarwood-user.crt --client-key=lyarwood.pem --embed-certs=true
$ ./cluster-up/kubectl.sh config --kubeconfig ./.lyarwood-config set-context lyarwood@kubernetes --cluster=kubernetes --user=lyarwood

$ ./cluster-up/kubectl.sh --kubeconfig ./.lyarwood-config apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: lyarwood
spec: {}
status: {}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lyarwood
  namespace: lyarwood
subjects:
- kind: User
  name: lyarwood
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: view
EOF

$ ./cluster-up/kubectl.sh --kubeconfig ./.lyarwood-config config use-context lyarwood@kubernetes
$ ./cluster-up/kubectl.sh --kubeconfig ./.lyarwood-config get virtualmachineclusterinstancetypes
selecting podman as container runtime
Error from server (Forbidden): virtualmachineclusterinstancetypes.instancetype.kubevirt.io is forbidden: User "lyarwood" cannot list resource "virtualmachineclusterinstancetypes" in API group "instancetype.kubevirt.io" at the cluster scope

$ ./cluster-up/kubectl.sh --kubeconfig ./.lyarwood-config config use-context kubernetes-admin@kubernetes
selecting podman as container runtime
Switched to context "kubernetes-admin@kubernetes".
$ ./cluster-up/kubectl.sh --kubeconfig ./.lyarwood-config apply -f - << EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lyarwood-instancetype-view
subjects:
- kind: User
  name: lyarwood
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: instancetype.kubevirt.io:view
EOF
selecting podman as container runtime
clusterrolebinding.rbac.authorization.k8s.io/lyarwood-instancetype-view created

$ ./cluster-up/kubectl.sh --kubeconfig ./.lyarwood-config config use-context lyarwood@kubernetes
$ ./cluster-up/kubectl.sh --kubeconfig ./.lyarwood-config get virtualmachineclusterinstancetypes
selecting podman as container runtime
No resources found
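The Go program below is an added illustration and is not code from this issue, the linked PR, KubeVirt or Kubernetes. It models the one RBAC rule that both the original report (RoleBinding/view in "default" referencing ClusterRole/view) and the kubevirtci reproduction above run into: a RoleBinding grants the referenced role's rules only inside its own namespace, even when the referenced role is a ClusterRole, so a cluster-scoped list of virtualmachineclusterinstancetypes is refused until a ClusterRoleBinding is added. All type and function names are assumptions, as is the content of instancetype.kubevirt.io:view, which is assumed here to carry only the two cluster-scoped resources.

```go
package main

import "fmt"

// Added illustration, not KubeVirt or Kubernetes code; every name here is an assumption.

// PolicyRule is the subset of rbac.authorization.k8s.io/v1 PolicyRule used here.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// ClusterRole only carries rules; the scope of those rules comes from the binding.
type ClusterRole struct {
	Rules []PolicyRule
}

// Binding models both kinds: Namespace != "" is a RoleBinding,
// Namespace == "" is a ClusterRoleBinding. RoleRef names a ClusterRole.
type Binding struct {
	Namespace, Subject, RoleRef string
}

// Request is an authorization attribute set; Namespace == "" is a cluster-scoped request.
type Request struct {
	User, Verb, APIGroup, Resource, Namespace string
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v || x == "*" {
			return true
		}
	}
	return false
}

func (r PolicyRule) matches(req Request) bool {
	return contains(r.APIGroups, req.APIGroup) &&
		contains(r.Resources, req.Resource) &&
		contains(r.Verbs, req.Verb)
}

// Authorize applies the apiserver's scoping rule: a RoleBinding grants its role's
// rules only inside the binding's namespace, whatever kind of role it references, so
// it can never satisfy a cluster-scoped request; only a ClusterRoleBinding can.
func Authorize(req Request, roles map[string]ClusterRole, bindings []Binding) (bool, string) {
	for _, b := range bindings {
		if b.Subject != req.User {
			continue
		}
		if b.Namespace != "" && b.Namespace != req.Namespace {
			continue // namespaced binding: wrong namespace, or request is cluster scoped
		}
		for _, rule := range roles[b.RoleRef].Rules { // dangling roleRef has no rules
			if rule.matches(req) {
				return true, "allowed by ClusterRole/" + b.RoleRef
			}
		}
	}
	scope := "at the cluster scope"
	if req.Namespace != "" {
		scope = fmt.Sprintf("in the namespace %q", req.Namespace)
	}
	return false, fmt.Sprintf("User %q cannot %s resource %q in API group %q %s",
		req.User, req.Verb, req.Resource, req.APIGroup, scope)
}

// Scenario rebuilds the reported state: the "view" ClusterRole listing all four
// instancetype resources, bound to user "test" by a RoleBinding in "default". The
// content of instancetype.kubevirt.io:view (only the cluster-scoped pair) is assumed.
func Scenario() (map[string]ClusterRole, []Binding) {
	verbs := []string{"get", "list", "watch"}
	roles := map[string]ClusterRole{
		"view": {Rules: []PolicyRule{{
			APIGroups: []string{"instancetype.kubevirt.io"},
			Resources: []string{"virtualmachineinstancetypes", "virtualmachineclusterinstancetypes",
				"virtualmachinepreferences", "virtualmachineclusterpreferences"},
			Verbs: verbs,
		}}},
		"instancetype.kubevirt.io:view": {Rules: []PolicyRule{{
			APIGroups: []string{"instancetype.kubevirt.io"},
			Resources: []string{"virtualmachineclusterinstancetypes", "virtualmachineclusterpreferences"},
			Verbs:     verbs,
		}}},
	}
	return roles, []Binding{{Namespace: "default", Subject: "test", RoleRef: "view"}}
}

func main() {
	roles, bindings := Scenario()
	req := Request{User: "test", Verb: "list", APIGroup: "instancetype.kubevirt.io", Resource: "virtualmachineclusterinstancetypes"}
	_, why := Authorize(req, roles, bindings)
	fmt.Println("RoleBinding only:", why) // denied at the cluster scope, as in the report
	bindings = append(bindings, Binding{Subject: "test", RoleRef: "instancetype.kubevirt.io:view"})
	_, why = Authorize(req, roles, bindings)
	fmt.Println("plus ClusterRoleBinding:", why) // allowed
}
```

The model also shows why a separate, narrower ClusterRole is the right fix rather than widening the existing one: the ClusterRoleBinding only carries the two cluster-scoped resources, so it does not hand the user the namespaced instancetypes or preferences of namespaces they were never bound into. Against a real cluster the same two checks can be made without switching kubeconfigs by impersonating the user, e.g. `kubectl auth can-i list virtualmachineclusterinstancetypes --as test`, before and after applying the ClusterRoleBinding.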
