Kubernetes service account default permissions


It turns out this is a bug in Docker Desktop for Mac's Kubernetes support.

It automatically adds a ClusterRoleBinding giving cluster-admin to all service accounts (!). It only intends to give this to service accounts inside the kube-system namespace.

It was originally raised in docker/for-mac#3694 but fixed incorrectly. I have raised a new issue docker/for-mac#4774 (the original issue is locked due to age).

A quick fix while waiting for the bug to be resolved is to run:

kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: docker-for-desktop-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:kube-system
EOF

I don't know if that might cause issues with future Docker Desktop upgrades but it does the job for now.

With that fixed, the code above correctly gives a 403 error, and would require the following to explicitly grant access to the services resource:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-reader
rules:
- apiGroups: [""]
  resources: [services]
  verbs: [get, list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-sa-service-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: service-reader
subjects:
- kind: ServiceAccount
  name: test-sa

A useful command for investigating is kubectl auth can-i --list --as system:serviceaccount, which shows the rogue permissions were being applied to all service accounts:

Resources                       Non-Resource URLs   Resource Names   Verbs
*.*                             []                  []               [*]
                                [*]                 []               [*]
[...]
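The audit below is an added example and is not code from the answer above or from Docker Desktop. It walks the object structure that kubectl get clusterrolebindings -o json prints, flags any ClusterRoleBinding that hands cluster-admin to an "everyone" group (system:serviceaccounts, system:authenticated, system:unauthenticated), and produces the narrowed binding that the answer applies by hand. It runs offline on a constructed sample; apart from docker-for-desktop-binding and the built-in cluster-admin binding, the binding names in the sample are made up.

```python
# Added example (not from the original answer or from Docker Desktop): find
# ClusterRoleBindings that grant cluster-admin to a group every principal is in,
# and narrow the cluster-wide service-account group to one namespace.
# Input shape is that of `kubectl get clusterrolebindings -o json`.
import copy
import json
import sys

# Groups that (almost) every caller belongs to. cluster-admin bound to any of
# these at cluster scope makes every pod, or even anonymous callers, admin.
BROAD_GROUPS = {
    "system:serviceaccounts",   # every service account in every namespace
    "system:authenticated",     # every authenticated user and service account
    "system:unauthenticated",   # anonymous requests
}


def make_binding(name, role, group_names):
    """Build a ClusterRoleBinding object in the shape the API server returns."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "Group", "name": g} for g in group_names],
    }


# Constructed sample of `kubectl get clusterrolebindings -o json`: the rogue
# Docker Desktop binding, the stock cluster-admin binding for system:masters,
# and a (made-up) binding scoped to kube-system service accounts only.
SAMPLE_CRB_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        make_binding("docker-for-desktop-binding", "cluster-admin",
                     ["system:serviceaccounts"]),
        make_binding("cluster-admin", "cluster-admin", ["system:masters"]),
        make_binding("example-kube-system-admin", "cluster-admin",
                     ["system:serviceaccounts:kube-system"]),
    ],
}
SAMPLE_CRB_JSON = json.dumps(SAMPLE_CRB_LIST)


def broad_cluster_admin_bindings(crb_list, role_names=("cluster-admin",)):
    """Return (binding name, group name) pairs where one of role_names is bound
    to a group in BROAD_GROUPS. crb_list is the parsed dict or the JSON text."""
    if isinstance(crb_list, str):
        crb_list = json.loads(crb_list)
    findings = []
    for item in crb_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in role_names:
            continue
        for subject in item.get("subjects") or []:   # subjects may be null
            if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
                findings.append((item["metadata"]["name"], subject["name"]))
    return findings


def narrow_service_account_group(binding, namespace):
    """Return a copy of binding with the cluster-wide group system:serviceaccounts
    replaced by system:serviceaccounts:<namespace>, i.e. the corrected
    docker-for-desktop-binding from the answer above. Other broad groups are
    left alone; there is no per-namespace form of system:authenticated."""
    fixed = copy.deepcopy(binding)
    for subject in fixed.get("subjects") or []:
        if subject.get("kind") == "Group" and subject.get("name") == "system:serviceaccounts":
            subject["name"] = "system:serviceaccounts:" + namespace
    return fixed


if __name__ == "__main__":
    # Pass a file saved from `kubectl get clusterrolebindings -o json`, or run
    # with no arguments to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_CRB_LIST
    for name, group in broad_cluster_admin_bindings(data):
        print(f"{name}: cluster-admin bound to broad group {group}")
    rogue = SAMPLE_CRB_LIST["items"][0]
    print(json.dumps(narrow_service_account_group(rogue, "kube-system"), indent=2))
```

Against a real cluster, save the dump with kubectl get clusterrolebindings -o json > crb.json and run the script on that file; any line it prints is a binding to review. After applying the narrowed binding, kubectl auth can-i --list --as system:serviceaccount:default:test-sa (a hypothetical service account name) should no longer show the *.* row.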


The same bug exists in Docker Desktop for Windows.

It automatically adds a ClusterRoleBinding giving cluster-admin to all service accounts (!). It only intends to give this to service accounts inside the kube-system namespace.


This is because in Docker Desktop by default a clusterrolebinding docker-for-desktop-binding gives cluster-admin role to all the service accounts created.

For more details check the issue here