Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

when you has a default kubeconfig ,using kubectl auth can-i --list --token still get the kubeconfig privielge #1657

Open
INT2ECALL opened this issue Sep 23, 2024 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@INT2ECALL
Copy link

What would you like to be added:
if you are using command like this

kubectl --server=https://192.168.26.65:6443 --insecure-skip-tls-verify --token=$TOKEN auth can-i --list

and you have a default kubeconfig in admin.conf,kubectl also will use the kubeconfig certdata but not use the token,i think if you use --token that mean you want to get is what the token priviege is not the kubeconfig

Why is this needed:
easy and fast to know the what the sa can do

@INT2ECALL INT2ECALL added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 23, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 23, 2024
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@INT2ECALL
Copy link
Author

INT2ECALL commented Sep 23, 2024

what i am doing is do some fix in ToRESTConfig function in clientset.go

	if len(clientConfig.BearerToken) > 0 {
		clientConfig.TLSClientConfig.CAData = nil
		clientConfig.TLSClientConfig.KeyData = nil
	}

func (f *MatchVersionFlags) ToRESTConfig() (*rest.Config, error) {
if err := f.checkMatchingServerVersion(); err != nil {
return nil, err
}
clientConfig, err := f.Delegate.ToRESTConfig()

if len(clientConfig.BearerToken) > 0 {
	clientConfig.TLSClientConfig.CAData = nil
	clientConfig.TLSClientConfig.KeyData = nil
}

if err != nil {
	return nil, err
}
// TODO we should not have to do this.  It smacks of something going wrong.
setKubernetesDefaults(clientConfig)
return clientConfig, nil

}

@ardaguclu
Copy link
Member

First of all flags should not be located before the command. In that case;

kubectl auth can-i --server=https://192.168.26.65:6443 --insecure-skip-tls-verify --token=$TOKEN **--list**

should be used like this.

and you have a default kubeconfig in admin.conf,kubectl also will use the kubeconfig certdata but not use the token,i think if you use --token that mean you want to get is what the token priviege is not the kubeconfig

Are you saying that when token is used, certdata in kubeconfig should be used?

@INT2ECALL
Copy link
Author

i mean ,when you use command

kubectl auth can-i --server=https://192.168.26.65:6443 --insecure-skip-tls-verify --token=$TOKEN **--list**

and if you have kubeconfig ,it also use kubeconfig,not use this token to auth apiserver

@ardaguclu
Copy link
Member

I think, running this command with -v=9 shed some light upon what happens.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Development

No branches or pull requests

3 participants