Minikube: RBAC is broken

Created on 24 Jul 2017 · 5 Comments · Source: kubernetes/minikube

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

Minikube version (use minikube version): v0.20.0

Environment:

  • OS (e.g. from /etc/os-release): Mac
  • VM Driver: virtualbox
  • ISO version: minikube-v0.20.0.iso

What happened:
Enabled RBAC via --extra-config=apiserver.Authorization.Mode=RBAC.

kubedns fails:

E0724 10:00:32.313124       1 reflector.go:199] k8s.io/dns/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: User "system:serviceaccount:kube-system:default" cannot list services at the cluster scope. (get services)
E0724 10:00:32.442709       1 reflector.go:199] k8s.io/dns/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: User "system:serviceaccount:kube-system:default" cannot list endpoints at the cluster scope. (get endpoints)
E0724 10:00:32.444056       1 reflector.go:199] k8s.io/dns/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.ConfigMap: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system". (get configmaps)
I0724 10:00:32.496263       1 dns.go:174] Waiting for services and endpoints to be initialized from apiserver...

What you expected to happen:
It works and everything spins up successfully.

How to reproduce it (as minimally and precisely as possible):
Run minikube with RBAC and k8s version 1.7.0

All 5 comments

The kube-dns addon we package isn't configured to use RBAC. If you want to use RBAC, you need to supply your own addons (that means turning off the addons with minikube addons disable ... and providing your own configuration).

We are tracking enabling RBAC or bundling RBAC-enabled addons in #1722

You could also just give the kube-system service account admin permissions, then everything should work.

Thank you @chancez for giving direction. For anyone that doesn't want to google it anymore, sample configuration below.

After applying these rules, minikube works again with RBAC:
source: https://github.com/screwdriver-cd-test/config-examples
http://blog.screwdriver.cd/post/161863341372/set-up-screwdriver-in-kubernetes

# Wide open access to the cluster (mostly for kubelet)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-writer
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]

---

# Full read access to the api and resources
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-reader
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
---
# Give admin, kubelet, kube-system, kube-proxy god access
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-write
subjects:
  - kind: User
    name: admin
  - kind: User
    name: kubelet
  - kind: ServiceAccount
    name: default
    namespace: kube-system
  - kind: User
    name: kube-proxy
roleRef:
  kind: ClusterRole
  name: cluster-writer
  apiGroup: rbac.authorization.k8s.io

---

# Setup sd-build as a reader. This has to be a
# ClusterRoleBinding to get access to non-resource URLs
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-read
subjects:
  - kind: ServiceAccount
    name: sd-build
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-reader
  apiGroup: rbac.authorization.k8s.io

---

# Setup sd-build as a writer in its namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: sd-build-write
subjects:
  - kind: ServiceAccount
    name: sd-build
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-writer
  apiGroup: rbac.authorization.k8s.io

Note that upstream kube-dns now configures the controller to use a separate service account:

Perhaps Minikube should do the same.
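As an added example (not the issue author's configuration and not minikube's own addon manifest), here is the least-privilege shape of the same fix, in the style the upstream kube-dns manifests moved to: a dedicated service account for kube-dns that is granted only the resources and verbs the three denials in the log above name. The cluster-write binding posted earlier in the thread instead gives `*` on every resource and non-resource URL to `kube-system:default`, which is the account every pod in kube-system falls back to when it sets no serviceAccountName, so any add-on in that namespace inherits full cluster control. The names `kube-dns`, `kube-dns-reader` and `kube-dns-config` are assumptions; `watch` is included next to `list` because client-go reflectors list and then watch; the v1beta1 RBAC API matches the Kubernetes 1.7 in the report.

```yaml
# Added example, not code from the minikube project or the issue author.
# Resources and verbs come from the kube-dns denials quoted in the issue;
# the account and role names below are assumptions.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kube-dns
  namespace: kube-system
---
# Cluster-scoped read access only for the two resources kube-dns lists at
# cluster scope ("cannot list services/endpoints at the cluster scope").
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-dns-reader
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-dns-reader
subjects:
  - kind: ServiceAccount
    name: kube-dns
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: kube-dns-reader
  apiGroup: rbac.authorization.k8s.io
---
# The configmap denial was "in the namespace kube-system", so a namespaced
# Role is sufficient; no cluster-wide configmap read is granted.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-dns-config
  namespace: kube-system
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-dns-config
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: kube-dns
    namespace: kube-system
roleRef:
  kind: Role
  name: kube-dns-config
  apiGroup: rbac.authorization.k8s.io
```

For this to take effect the kube-dns pod spec has to run as the new account (`serviceAccountName: kube-dns`), which on minikube of this version means disabling the packaged addon and applying your own kube-dns manifest, as the first reply describes. A quick check that the grant is tight enough and no wider: `kubectl auth can-i list services --as=system:serviceaccount:kube-system:kube-dns` should answer yes, while `kubectl auth can-i create pods --as=system:serviceaccount:kube-system:kube-dns` should answer no. With this in place, `kube-system:default` can be left with no cluster-wide binding at all.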
