Cluster information:
Kubernetes version: 1.23
Cloud being used: AWS
Installation method: EKS
Host OS: Bottlerocket
CNI and version: vpc-cni 1.12.1-eksbuild.1
CRI and version: containerd (I am not sure about the version, but I do not think it matters for my question; if I am wrong, just ask and I will post it)
So I am trying to add permissions for a certain user (I will treat the signed certificate subject as the user for convenience). The permission I am trying to attach is the ability to exec a command in one of the containers inside a pod. I created a role with the following spec:
```yaml
apiVersion: rbac.authorization.k8s.io/v1   # required by kubectl apply; missing from the snippet as posted
kind: Role
metadata:
  name: exec-pod-role
  namespace: test   # Roles are namespaced; the can-i checks below run against this namespace
rules:
  - verbs:
      - list
      - get
    apiGroups:
      - "*"
    resources:
      - pods
      - pods/log
  - verbs:
      - "*"
    apiGroups:
      - "*"
    resources:
      - pods/exec
```
I know it is more than what I should give, but I am trying to make it work first and then minimize the permissions.
Then I attached it to my SA using the following RoleBinding:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: exec-pod-rolebinding
  namespace: test   # must be the same namespace as the Role it references
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: exec-pod-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test-user   # the username the API server authenticates (for a client certificate, its CN)
```
After applying those in a test namespace, I tried the following as test-user:

```console
$ kubectl auth can-i get pods -n test
yes
$ kubectl auth can-i list pods -n test
yes
$ kubectl auth can-i create pods -n test
no
$ kubectl auth can-i create pods/exec -n test
no
$ kubectl auth can-i get pods/exec -n test
yes
$ kubectl auth can-i create pods --subresource=exec -n test
no
$ kubectl auth can-i get pods --subresource=exec -n test
no
```

So I cannot exec a command in a pod. Can anyone help me understand what I am doing wrong?
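As an added example (editor's code, not part of the original post or of any Kubernetes tooling), the script below replays the seven `kubectl auth can-i` calls from the post against an offline model of two things they exercise: how `kubectl auth can-i VERB TYPE[/NAME] [--subresource=SUB]` builds its access-review request, and how the RBAC authorizer matches a request against a Role's rules (verb, apiGroup, resource or resource/subresource, resourceNames). Two details the model makes visible: in `can-i`, the text after a slash is an object name, so `can-i get pods/exec` asks about a pod named `exec`, and the subresource form is `--subresource=exec`; and `kubectl exec` is a GET of the pod followed by a POST to `pods/<name>/exec`, and a POST to a subresource is the verb `create`. Assumptions: the resource lives in the core API group (true for pods), and the model ignores everything outside the rule text, that is aggregated ClusterRoles, other bindings, webhook authorizers, and which namespace the objects were actually created in. `POSTED_ROLE` is the Role transcribed from the post; `MINIMAL_EXEC_ROLE` is a least-privilege alternative the editor constructed for comparison.

```python
"""
Offline model of `kubectl auth can-i` argument handling and RBAC rule matching.
Added example; not code from the original post or from Kubernetes itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    """One entry of a Role's `rules:` list."""
    verbs: List[str]
    api_groups: List[str]
    resources: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Request:
    """What the authorizer sees. Pods live in the core group (api_group "")."""
    verb: str
    api_group: str
    resource: str
    subresource: str = ""
    name: str = ""


def _matches(rule_values: List[str], wanted: str) -> bool:
    return any(v == "*" or v == wanted for v in rule_values)


def _resource_matches(rule_resources: List[str], req: Request) -> bool:
    # The authorizer compares against "resource/subresource" as one string,
    # so a rule granting "pods" never covers "pods/exec"; only an exact
    # "pods/exec", a "*/exec", or a bare "*" does.
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for r in rule_resources:
        if r == "*" or r == combined:
            return True
        if req.subresource and r == "*/" + req.subresource:
            return True
    return False


def rule_allows(rule: Rule, req: Request) -> bool:
    return (
        _matches(rule.verbs, req.verb)
        and _matches(rule.api_groups, req.api_group)
        and _resource_matches(rule.resources, req)
        # A rule that lists resourceNames applies only to those named objects.
        and (not rule.resource_names or req.name in rule.resource_names)
    )


def allowed(rules: List[Rule], req: Request) -> bool:
    """A request is allowed if any single rule allows it."""
    return any(rule_allows(r, req) for r in rules)


def can_i_request(verb: str, type_or_name: str, subresource: str = "") -> Request:
    """Model `kubectl auth can-i VERB TYPE[/NAME] [--subresource=SUB]`:
    text after "/" is an object NAME (as in `can-i get deployments/web`);
    a subresource is expressed only through --subresource.
    Assumption: TYPE is a core-group resource, which holds for pods."""
    resource, _, name = type_or_name.partition("/")
    return Request(verb=verb, api_group="", resource=resource,
                   subresource=subresource, name=name)


# The Role from the post, transcribed.
POSTED_ROLE = [
    Rule(verbs=["list", "get"], api_groups=["*"], resources=["pods", "pods/log"]),
    Rule(verbs=["*"], api_groups=["*"], resources=["pods/exec"]),
]

# Constructed least-privilege alternative: `kubectl exec` GETs the pod, then
# POSTs to pods/<name>/exec, and a POST to a subresource is the verb "create".
MINIMAL_EXEC_ROLE = [
    Rule(verbs=["get"], api_groups=[""], resources=["pods"]),
    Rule(verbs=["create"], api_groups=[""], resources=["pods/exec"]),
]

# The seven can-i invocations from the post, in order.
POSTED_CHECKS = [
    ("get pods", ("get", "pods", "")),
    ("list pods", ("list", "pods", "")),
    ("create pods", ("create", "pods", "")),
    ("create pods/exec", ("create", "pods/exec", "")),   # a pod NAMED "exec"
    ("get pods/exec", ("get", "pods/exec", "")),         # a pod NAMED "exec"
    ("create pods --subresource=exec", ("create", "pods", "exec")),
    ("get pods --subresource=exec", ("get", "pods", "exec")),
]


def replay_checks(rules: List[Rule]) -> Dict[str, bool]:
    """Evaluate each posted `kubectl auth can-i` call against a rule set."""
    return {label: allowed(rules, can_i_request(*args)) for label, args in POSTED_CHECKS}


def kubectl_exec_allowed(rules: List[Rule], pod_name: str) -> bool:
    """Both requests that `kubectl exec` makes must be allowed."""
    return (allowed(rules, Request("get", "", "pods", "", pod_name))
            and allowed(rules, Request("create", "", "pods", "exec", pod_name)))


if __name__ == "__main__":
    for title, role in (("posted role", POSTED_ROLE), ("minimal role", MINIMAL_EXEC_ROLE)):
        print(f"== {title} ==")
        for label, ok in replay_checks(role).items():
            print(f"kubectl auth can-i {label:<32} -> {'yes' if ok else 'no'}")
        print(f"kubectl exec would work: {kubectl_exec_allowed(role, 'mypod')}")
```

Under this model the posted Role reproduces the first five answers from the post (`get pods/exec` is "yes" because it is a `get` on a pod named `exec`, and `create pods/exec` is "no" for the same reason), but it answers "yes" to both `--subresource=exec` forms, since the second rule grants every verb on `pods/exec` in every group. When a live cluster disagrees with the offline model, the difference has to come from something the rule text does not show: which namespace the Role and RoleBinding actually landed in, whether the subject name matches the username the API server authenticates, or other bindings and authorizers. Running the checks as the target identity, for example `kubectl auth can-i create pods --subresource=exec -n test --as=test-user`, from an account that can impersonate is a quick way to separate an RBAC problem from a kubeconfig one.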