【Help】 The problem of RBAC authorization based on the "name.o" field in the certificate

Hello, everyone

Kubernetes version: v1.31.2-1.1
Installation method: kubeadm init
Host OS: Ubuntu 22.04 LTS
CNI and version: calico v3.29.0
CRI and version: containerd://2.0.0

Step One: Generate the certificate

mkdir -p /download/ssl

cat > /download/ssl/ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

cat > /download/ssl/test-user-csr.json <<EOF
{
  "CN": "test-user",
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "hosts": [],
  "name": [
    {
      "C": "CN",
      "ST": "Jiangsu",
      "L": "Nanjing",
      "O": "dev-group",
      "OU": "IT"
    }
  ]
}
EOF

cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=/download/ssl/ca-config.json -profile=kubernetes /download/ssl/test-user-csr.json | cfssljson -bare test-user

Step Two: Generate kubeconfig

kubectl config set-cluster my-k8s-cluster \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://192.168.174.110:6443 \
  --kubeconfig=/download/ssl/test-user.kubeconfig

kubectl config set-credentials test-user \
  --client-key=/download/ssl/test-user-key.pem \
  --client-certificate=/download/ssl/test-user.pem \
  --embed-certs=true \
  --kubeconfig=/download/ssl/test-user.kubeconfig

kubectl config set-context my-k8s-context \
  --cluster=my-k8s-cluster \
  --user=test-user \
  --namespace=test-k8s \
  --kubeconfig=/download/ssl/test-user.kubeconfig

kubectl config use-context my-k8s-context --kubeconfig=/download/ssl/test-user.kubeconfig
Switched to context "my-k8s-context".

Step Three: Generate RBAC

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test-k8s
  name: read-only-operation-role
rules:
- apiGroups: ["", "apps", "networking.k8s.io"]
  resources: ["deployments", "pods", "services", "endpoints", "ingresses", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch"]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-only-operation-cluster-role
rules:
- apiGroups: ["", "storage.k8s.io"]
  resources: ["storageclasses", "persistentvolumes", "users"]
  verbs: ["get", "list", "watch", "impersonate"]

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-operation-role-binding
  namespace: test-k8s
subjects:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-only-operation-cluster-role-binding
subjects:

Step Four: kubectl get test

kubectl get deployments,pods -n test-k8s -o wide --kubeconfig=/download/ssl/test-user.kubeconfig

Error from server (Forbidden): deployments.apps is forbidden: User "test-user" cannot list resource "deployments" in API group "apps" in the namespace "test-k8s"
Error from server (Forbidden): pods is forbidden: User "test-user" cannot list resource "pods" in API group "" in the namespace "test-k8s"

Why is the error forbidden?

My requirement is to use the name.o field in the certificate as the user group, and to base RBAC authorization of access on that user group.

When configuring RBAC authorization, is the "name.o" field in the certificate supported?

subjects:
- kind: Group
  name: dev-group
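The mapping behind the question, as an added Python example (not code from the post, from cfssl or from Kubernetes): the Kubernetes x509 authenticator takes the username from the certificate subject's CN and one group from each O value, and cfssl fills those subject fields from the CSR JSON's "CN" string and "names" list. The two sample CSRs and the binding subjects are constructed here, and the assumption that cfssl ignores JSON keys it does not recognise is labelled in the code.

```python
import json

def cfssl_subject(csr_json: str) -> dict:
    """Subject fields cfssl would write into the certificate.
    Assumption: like any Go encoding/json decoder, cfssl ignores keys it
    does not know, so an O placed under a different list key is dropped."""
    csr = json.loads(csr_json)
    subject = {"CN": csr.get("CN"), "O": []}
    for name in csr.get("names", []):
        if "O" in name:
            subject["O"].append(name["O"])
    return subject

def k8s_identity(subject: dict):
    """Kubernetes x509 authenticator: user = CN, groups = every O value
    (the apiserver also adds system:authenticated after authentication)."""
    return subject["CN"], list(subject["O"])

def binding_matches(subjects, user, groups) -> bool:
    """True if a (Cluster)RoleBinding's subjects name this user or one of its groups."""
    for s in subjects:
        if s.get("kind") == "User" and s.get("name") == user:
            return True
        if s.get("kind") == "Group" and s.get("name") in groups:
            return True
    return False

# Constructed samples: the same subject requested under cfssl's "names" key...
GOOD_CSR = json.dumps({"CN": "test-user", "key": {"algo": "rsa", "size": 4096},
                       "names": [{"C": "CN", "O": "dev-group", "OU": "IT"}]})
# ...and under a key cfssl does not read, so the O never reaches the certificate.
BAD_CSR = json.dumps({"CN": "test-user", "key": {"algo": "rsa", "size": 4096},
                      "name": [{"C": "CN", "O": "dev-group", "OU": "IT"}]})
# Constructed binding subjects, as in a RoleBinding bound to the group.
GROUP_BINDING = [{"kind": "Group", "name": "dev-group"}]

if __name__ == "__main__":
    for key, csr in (("names", GOOD_CSR), ("name", BAD_CSR)):
        user, groups = k8s_identity(cfssl_subject(csr))
        ok = binding_matches(GROUP_BINDING, user, groups)
        print(f'CSR key "{key}": user={user} groups={groups} binding matches={ok}')
```

On a real cluster, compare the prediction against the issued certificate with `openssl x509 -in test-user.pem -noout -subject` and against the authorizer with `kubectl auth can-i list pods -n test-k8s --as=test-user --as-group=dev-group`.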

Hi,
Have you tried configuring RBAC for the test-user to make sure the group mapping is what is causing the problem and not something else?
Also, I am not sure the way you used to generate the certificate will actually work.
Check the Certificates and Certificate Signing Requests | Kubernetes guide.