Adding permission to exec commands in containers inside pods in a certain namespace

Asking for help? Comment out what you need so we can get more information to help you!

Cluster information:

Kubernetes version: 1.23
Cloud being used: AWS
Installation method: EKS
Host OS: Bottlerocket
CNI and version: vpc-cni 1.12.1-eksbuild.1
CRI and version: containerd (I am not sure about the version, but I do not think it matters for my question; if I am wrong, just ask and I will post it)

So I am trying to add permissions for a certain user (I will treat the signed certificate subject as the user for convenience). The permission I am trying to attach is the ability to exec commands in one of the containers inside a pod. I created a role with the following spec:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: exec-pod-role
rules:
  - verbs:
      - list
      - get
    apiGroups:
      - "*"
    resources:
      - pods
      - pods/log
  - verbs:
      - "*"
    apiGroups:
      - "*"
    resources:
      - pods/exec

I know it is more than what I should give, but I am trying to make it work first and then minimize the permissions.
Then I attached it to my SA using the following rolebinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: exec-pod-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: exec-pod-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test-user

After applying those on a test namespace, I try to do the following using the test-user:

kubectl auth can-i get pods -n test
yes

kubectl auth can-i list pods -n test
yes

kubectl auth can-i create pods -n test
no

kubectl auth can-i create pods/exec -n test
no

kubectl auth can-i get pods/exec -n test
yes

kubectl auth can-i create pods --subresource=exec -n test
no

kubectl auth can-i get pods --subresource=exec -n test
no

So I cannot exec a command in a pod. Can anyone help me understand what I am doing wrong?


I think the verb “create” is missing, as well as others I may recommend. Please find below a definition for a role to manage pods, deployments and replicasets.

If you only want to manage pods, you may need to remove deployments and replicasets from the resource list.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: developement
  name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods", "pods/attach", "pods/exec", "pods/log"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
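Added example, not code from either post: a small Python model of how a Role's rules are matched against a request, so a rule set can be checked offline for the tuple `kubectl exec` actually needs (verb `create` on the `pods/exec` subresource in the core API group, plus `get` on the pod). The rule sets are constructed to mirror the two posts above, plus a least-privilege variant; the function and constant names are this example's own.

```python
# Added example (not code from the thread): a small model of how a Kubernetes
# Role's rules are matched against a request, so a rule set can be checked
# offline before applying it. `kubectl exec` sends a POST to the "exec"
# subresource of a pod, which RBAC sees as verb "create" on resource "pods",
# subresource "exec" in API group "" (core); kubectl also GETs the pod first.
from typing import Dict, List

Rule = Dict[str, List[str]]

def _matches(patterns: List[str], value: str) -> bool:
    # "*" is a wildcard in verbs, apiGroups and resources; the core group is "".
    return any(p == "*" or p == value for p in patterns)

def rule_allows(rule: Rule, verb: str, group: str, resource: str, sub: str = "") -> bool:
    combined = f"{resource}/{sub}" if sub else resource
    resources = rule.get("resources", [])
    # A resource entry must name the subresource explicitly ("pods/exec");
    # "pods" alone never grants subresources. "*" and "*/exec" are wildcards.
    res_ok = ("*" in resources or combined in resources
              or (bool(sub) and f"*/{sub}" in resources))
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), group) and res_ok)

def role_allows(rules: List[Rule], verb: str, group: str, resource: str, sub: str = "") -> bool:
    # Rules are purely additive: any single matching rule grants the request.
    return any(rule_allows(r, verb, group, resource, sub) for r in rules)

def can_kubectl_exec(rules: List[Rule]) -> bool:
    # Both the pod read and the create on the exec subresource must be granted.
    return role_allows(rules, "get", "", "pods") and role_allows(rules, "create", "", "pods", "exec")

# Constructed rule sets mirroring the two posts above, plus a least-privilege variant.
ASKER_RULES: List[Rule] = [
    {"verbs": ["list", "get"], "apiGroups": ["*"], "resources": ["pods", "pods/log"]},
    {"verbs": ["*"], "apiGroups": ["*"], "resources": ["pods/exec"]},
]
READ_ONLY_RULES: List[Rule] = [
    {"verbs": ["list", "get"], "apiGroups": [""], "resources": ["pods", "pods/log"]},
]
ANSWER_RULES: List[Rule] = [
    {"apiGroups": ["", "extensions", "apps"],
     "resources": ["deployments", "replicasets", "pods", "pods/attach", "pods/exec", "pods/log"],
     "verbs": ["list", "get", "watch", "create", "update", "patch", "delete"]},
]
LEAST_PRIVILEGE_EXEC_RULES: List[Rule] = [
    {"verbs": ["get"], "apiGroups": [""], "resources": ["pods"]},
    {"verbs": ["create"], "apiGroups": [""], "resources": ["pods/exec"]},
]
```

Against a live cluster the equivalent check is `kubectl auth can-i create pods --subresource=exec --as=test-user -n test`; a denial there for rules this model allows means the Role object actually stored in the cluster differs from the one in the file.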