Request Help to Specify --authorization-mode in API Model for k8s RBAC

[robbiezhang]

Is this a request for help?:
yes

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST

k8s 1.6+ supports RBAC/ABAC. However, it requires the API server start with extra parameters, e.g. --authorization-mode=RBAC,ABAC --authorization-policy-file=mypolicy.json

Currently, there is no way to specify them in the API model.

Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm)
Kubernetes 1.6+

What happened:
I'm unable to enable the RBAC for my cluster.

What you expected to happen:
In API model, I can define the --authorization-mode or --authorization-policy-file for apiserver.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:
You can specify multiple mode in the --authorization-mode, e.g. --authorization-mode=RBAC,ABAC. It's important for RBAC, since RBAC requires initial super user to setup the other roles.

[anhowe]

Here is a useful intro to enable k8s RBAC: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/. Consider enabling with AAD.

[Globegitter]

@anhowe How does this tutorial explain how to enable RBAC? All it says is From Kubernetes 1.6 onwards, RBAC policies are enabled by default. and then it explains how to use RBAC. How can this be enabled via AAD?

[robbiezhang]

One more thing: To allow the default user (client certificate with subject: CN=client) have the permission to create/edit all ClusterRoles and Roles, it must have all the permissions "via an RBAC role binding". The easiest way is to make the default user in the system:masters group. In other words, add the organization (system:masters) into the subject of the certificate, i.e. CN=client/O=system:masters.

[Globegitter]

@robbiezhang That almost did the trick for me thanks :) Also needed to add a ServiceAccount and Rolebinding for heapster and a ServiceAccount for kube-dns (has default RoleBinding). See: https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/rbac/heapster-rbac.yaml & https://github.com/kubernetes/heapster/blob/master/deploy/kube-config/google/heapster.yaml as well as https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/kubedns-sa.yaml

[Anmorata]

I'm having the same problem with RBAC. cant activate it. tried adding in kube-apiserver.yaml
--authorization-mode=RBAC
but after restart the field disappears. (I edited the yaml in kubernetes/manifest)
did you find any solution?

[robbiezhang]

@Anmorata interesting, I didn't have this problem. Which k8s version do you use? It's only available after v1.6.0. I tried on v1.6.2 and v1.6.6, both works.

[Anmorata]

I'm using version 1.6.6. installed it with acs-engine.kube-apiserver starts with
command:
- "/hyperkube"
- "apiserver"
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
- "--address=0.0.0.0"
- "--allow-privileged"
- "--insecure-port=8080"
- "--secure-port=443"
- "--cloud-provider=azure"
- "--cloud-config=/etc/kubernetes/azure.json"
- "--service-cluster-ip-range=10.0.0.0/16"
- "--etcd-servers=http://127.0.0.1:2379"
- "--etcd-quorum-read=true"
- "--advertise-address=10.240.255.5"
- "--tls-cert-file=/etc/kubernetes/certs/apiserver.crt"
- "--tls-private-key-file=/etc/kubernetes/certs/apiserver.key"
- "--client-ca-file=/etc/kubernetes/certs/ca.crt"
- "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
- "--storage-backend=etcd2"
- "--v=4"

modified the yaml file and added:
- "--authorization-mode=RBAC"
- "--authorization-policy-file=/etc/auth/policies.jsonl"
- "--authorization-rbac-super-user=kube-admin"
but no luck :)

kubectl get clusterrole returns:No resources found. and cant create any by myself

[robbiezhang]

I guess you need to use ABAC also, since you add the --authorization-policy-file option.
Here is my settings:
"--authorization-mode=RBAC,ABAC"
"--authorization-policy-file=mypolicy.json"

However, the user still doesn’t have permission to create any RBAC role or clusterrole, as it must have all the permissions described in that role via an RBAC role binding
If the user has full permissions via another authorizer (ABAC here), you can grant yourself an existing RBAC role (and the permission to bind that role is checked via the full authorizer chain), aka, run
 
kubectl create clusterrolebinding my-root-user --clusterrole=cluster-admin --user=<your root user>