Kubernetes service account default permissions
It turns out this is a bug in Docker Desktop for Mac's Kubernetes support. It automatically adds a ClusterRoleBinding giving cluster-admin to all service accounts (!). It only intends to give this to service accounts inside the kube-system namespace.
It was originally raised in docker/for-mac#3694 but fixed incorrectly. I have raised a new issue docker/for-mac#4774 (the original issue is locked due to age).
A quick fix while waiting for the bug to be resolved is to run:

```shell
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: docker-for-desktop-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:kube-system
EOF
```
I don't know if that might cause issues with future Docker Desktop upgrades but it does the job for now.
With that fixed, the code above correctly gives a 403 error, and would require the following to explicitly grant access to the services resource:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-reader
rules:
- apiGroups: [""]
  resources: [services]
  verbs: [get, list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-sa-service-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: service-reader
subjects:
- kind: ServiceAccount
  name: test-sa
```
A useful command for investigating is kubectl auth can-i --list --as system:serviceaccount, which shows the rogue permissions were applying to all service accounts:

```
Resources   Non-Resource URLs   Resource Names   Verbs
*.*         []                  []               [*]
            [*]                 []               [*]
[...]
```
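As an added example (not part of the answer above), a small audit over the output of `kubectl get clusterrolebindings -o json` that flags any ClusterRoleBinding handing cluster-admin to an over-broad group such as system:serviceaccounts. The sample data is constructed here; the assumption that the buggy Docker Desktop binding used the Group subject system:serviceaccounts is inferred from the answer, not taken from the page.

```python
import json
import sys

# Groups whose membership spans every namespace (or every client). A cluster-admin
# binding to any of these is effectively "everyone is admin" and should be flagged.
OVERBROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}


def audit_cluster_admin_bindings(binding_list):
    """Return (binding name, group name) pairs for ClusterRoleBindings that grant the
    cluster-admin ClusterRole to an over-broad group. `binding_list` has the shape of
    `kubectl get clusterrolebindings -o json` (a List with an `items` array)."""
    findings = []
    for item in binding_list.get("items", []):
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != "cluster-admin":
            continue
        # `subjects` may be absent or null on a binding with no subjects.
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "Group" and subject.get("name") in OVERBROAD_GROUPS:
                findings.append((item["metadata"]["name"], subject["name"]))
    return findings


def make_binding(name, group):
    """Build a minimal ClusterRoleBinding dict binding cluster-admin to one Group."""
    return {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": group}],
    }


# Constructed sample: the (assumed) buggy binding beside the corrected one from the answer.
SAMPLE = {"items": [
    make_binding("docker-for-desktop-binding", "system:serviceaccounts"),
    make_binding("docker-for-desktop-binding-fixed", "system:serviceaccounts:kube-system"),
]}


if __name__ == "__main__":
    # Usage: python audit.py bindings.json   (or no argument to run on the sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for binding, group in audit_cluster_admin_bindings(data):
        print(f"{binding}: cluster-admin granted to group {group}")
```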
The same bug exists in Docker-Desktop for Windows.
It automatically adds a ClusterRoleBinding giving cluster-admin to all service accounts (!). It only intends to give this to service accounts inside the kube-system namespace.
This is because in Docker Desktop by default a clusterrolebinding docker-for-desktop-binding gives the cluster-admin role to all the service accounts created.
For more details check the issue here