This repository has been archived by the owner on Sep 30, 2020. It is now read-only.
Enabling RBAC by default #655
My vote is "yes". The sooner the better.
I vote yes, but I suggest adding a flag to disable RBAC. For a good UX, add a warning when the cluster is bootstrapping, linking to the kube-aws docs.
--
Giancarlo Rubio
My vote is yes. In GKE, RBAC is enabled by default on all container clusters running Kubernetes version 1.6 or later.
I also vote yes, maybe with a documentation footnote linking to the permissive RBAC policy listed in the official RBAC documentation.

Permissive RBAC Permissions

You can replicate a permissive policy using RBAC role bindings.

*WARNING: The following policy allows ALL service accounts to act as cluster administrators. Any application running in a container receives service account credentials automatically, and could perform any action against the API, including viewing secrets and modifying permissions. This is not a recommended policy.*

```shell
kubectl create clusterrolebinding permissive-binding \
  --clusterrole=cluster-admin \
  --user=admin \
  --user=kubelet \
  --group=system:serviceaccounts
```
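The permissive binding quoted above is exactly the shape a defender wants to catch once RBAC is on: a high-privilege ClusterRole bound to a subject that stands for every workload in the cluster. The following audit script is an added example for this thread, not kube-aws code and not from the Kubernetes docs; it walks a `kubectl get clusterrolebindings -o json` style list (a constructed sample is embedded so it runs offline) and reports bindings that hand `cluster-admin` to the `system:serviceaccounts`, `system:serviceaccounts:<namespace>`, `system:authenticated` or `system:unauthenticated` groups. The role and subject sets are assumptions to be extended for a given cluster.

```python
"""Flag ClusterRoleBindings that grant a high-privilege ClusterRole to a
broad subject (every service account, every authenticated user, ...).
Added example for this thread; not kube-aws code. Input format follows
`kubectl get clusterrolebindings -o json`; the sample below is constructed."""
import json

# Subjects that stand for "every workload" or "everyone" rather than one identity.
BROAD_SUBJECTS = {
    ("Group", "system:serviceaccounts"),
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
}
# ClusterRoles with full API access. Assumption: extend with cluster-specific ones.
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}


def is_broad_subject(subject):
    """True if the subject covers a whole class of principals."""
    kind = subject.get("kind")
    name = subject.get("name", "")
    if (kind, name) in BROAD_SUBJECTS:
        return True
    # A per-namespace group such as system:serviceaccounts:kube-system still
    # covers every pod in that namespace.
    return kind == "Group" and name.startswith("system:serviceaccounts:")


def find_permissive_bindings(crb_list):
    """Return (binding name, role name, "Kind:name") triples for every
    binding that gives a HIGH_PRIVILEGE_ROLES ClusterRole to a broad subject."""
    findings = []
    for crb in crb_list.get("items", []):
        role_ref = crb.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole":
            continue
        if role_ref.get("name") not in HIGH_PRIVILEGE_ROLES:
            continue
        # "subjects" may be absent or null on a binding with no subjects.
        for subject in crb.get("subjects") or []:
            if is_broad_subject(subject):
                findings.append((crb["metadata"]["name"], role_ref["name"],
                                 subject["kind"] + ":" + subject["name"]))
    return findings


def audit_json(text):
    """Parse a JSON list document and return the findings."""
    return find_permissive_bindings(json.loads(text))


# Constructed sample: the permissive-binding from the quoted docs, plus the
# stock binding of cluster-admin to the system:masters group, which is
# narrow (a named admin group) and must not be flagged.
RBAC_API = "rbac.authorization.k8s.io"
SAMPLE = {
    "items": [
        {"metadata": {"name": "permissive-binding"},
         "roleRef": {"apiGroup": RBAC_API, "kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [
             {"kind": "User", "name": "admin", "apiGroup": RBAC_API},
             {"kind": "User", "name": "kubelet", "apiGroup": RBAC_API},
             {"kind": "Group", "name": "system:serviceaccounts", "apiGroup": RBAC_API}]},
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"apiGroup": RBAC_API, "kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters", "apiGroup": RBAC_API}]},
    ]
}

if __name__ == "__main__":
    for binding, role, subj in audit_json(json.dumps(SAMPLE)):
        print(f"{binding}: ClusterRole/{role} granted to {subj}")
```

Against a live cluster the same function can be fed the output of `kubectl get clusterrolebindings -o json`; only the `permissive-binding` entry is reported for the sample, because `system:masters` is a named admin group, not an "everyone" group.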
When we do this, we can likely remove the note in
mumoshu added a commit to mumoshu/kube-aws that referenced this issue on Aug 30, 2017.
camilb added a commit to camilb/kube-aws that referenced this issue on Oct 9, 2017:
…-aws

* 'master' of https://github.com/kubernetes-incubator/kube-aws: (55 commits)
  Bump default k8s to 1.7.5
  Fix the scheduling and permissions issue of CA by fixing the conditional in stack-template.json for worker and controller stacks, while making configuration easier.
  Fix tests
  Read worker-ca-key.pem instead of ca-key.pem when certs are managed by kube-aws and TLS bootstrapping is enabled. Formerly, ca-key.pem was read to be installed on controller nodes to support TLS bootstrapping. However, we have the CA dedicated for TLS bootstrapping today, instead of the one used more widely.
  Fix the bug that symlinks under `credentials` were not accessible from anywhere other than the parent of the `credentials` dir
  Fix the bug that the contents of ca-key.pem was that of ca.pem
  Add more informational log messages to the render-credentials command
  Fix a degradation in message ordering as explained in kubernetes-retired#877 (comment)
  Fix the existing CA support; it seems to have broken at some point.
  Fix the json parsing error when clusterAutoscalerSupport is enabled on node pools
  Fix too permissive IAM policy for CA associated to controller nodes (fix kubernetes-retired#903)
  Add spot fleet support for the `awsNodeLabels` feature (resolves kubernetes-retired#803)
  Drop the ability to disable RBAC via cluster.yaml
  Enable RBAC by default (resolves kubernetes-retired#655)
  Fix the hard-coded duration until an etcd cert generated by kube-aws expires (fix kubernetes-retired#892)
  Fix test timeouts in CI (resolves kubernetes-retired#893)
  Fix ca-key.pem handling and tests
  Create symlinks in test helpers
  Dedicated worker CA and Etcd trusted CA bundle
  Fix encrypted files regen tests
  ...
kylehodgetts pushed a commit to HotelsDotCom/kube-aws that referenced this issue on Mar 27, 2018.
Thanks to huge efforts from multiple kube-aws contributors @gianrubio @danielfm @camilb, kube-aws supports RBAC, which is still disabled by default.

On the other hand, people seem to be starting to notice that the default behavior of kubernetes/kube-aws, "deploy the token with the cluster-admin privilege to every pod", is a security hole/a major attack surface:

Ref: https://raesene.github.io/blog/2017/04/02/Kubernetes-Service-Tokens/

So - is it time to enable RBAC by default?

Can we just enable it since v0.9.7 (the next release), or hopefully v0.9.8?