Kubernetes version: 1.23
Cloud being used: AWS
Installation method: EKS
Host OS: Bottlerocket
CNI and version: vpc-cni 1.12.1-eksbuild.1
CRI and version: containerd (I am not sure about the version, but I do not think it matters for my question; if I am wrong, just ask and I will post it)
So I am trying to add permissions for a certain user (I will treat the signed certificate subject as the user for convenience). The permission I am trying to attach is the ability to exec a command in one of the containers inside a pod. I created a role with the following spec:
```yaml
kind: Role
metadata:
  name: exec-pod-role
rules:
  - verbs:
      - list
      - get
    apiGroups:
      - "*"
    resources:
      - pods
      - pods/log
  - verbs:
      - "*"
    apiGroups:
      - "*"
    resources:
      - pods/exec
```
I know it is more than what I should give, but I am trying to make it work first and then minimize the amount of permissions.
Then I attached it to my SA using the following RoleBinding:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: exec-pod-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: exec-pod-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test-user
```
After applying those on a test namespace, I try to do the following using the test-user:
```
kubectl auth can-i get pods -n test
yes
kubectl auth can-i list pods -n test
yes
kubectl auth can-i create pods -n test
no
kubectl auth can-i create pods/exec -n test
no
kubectl auth can-i get pods/exec -n test
yes
kubectl auth can-i create pods --subresource=exec -n test
no
kubectl auth can-i get pods --subresource=exec -n test
no
```
So I cannot exec a command in a pod. Can anyone help me understand what I am doing wrong?