Cluster information:
Kubernetes version:
Client Version: v1.30.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.26.11
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Ubuntu 20.04
CNI and version: Flannel
CRI and version: containerd://1.6.24
Trying to exec into a pod from another pod, I am seeing a permission issue. However, I have given the service account the permission needed to exec into a pod, and set that service account in the spec of the pod from which I will try to exec into the target pod. Below are the resource configuration details.
validator_sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: validator
  namespace: uctc
Role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: validator-exec-all
  namespace: uctc
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
Rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: validator-exec-all-binding
  namespace: uctc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: validator-exec-all
subjects:
- kind: ServiceAccount
  name: validator
  namespace: uctc
When I try to run the test.sh script, which basically just tries to get the pod, even that is not working.
test.sh
#!/bin/sh
# Point to the internal API server hostname
APISERVER=https://kubernetes.default.svc
# Path to ServiceAccount token
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
# Read this Pod's namespace
NAMESPACE=$(cat "${SERVICEACCOUNT}/namespace")
# Read the ServiceAccount bearer token
TOKEN=$(cat "${SERVICEACCOUNT}/token")
# Reference the internal certificate authority (CA)
CACERT=${SERVICEACCOUNT}/ca.crt
# Explore the API with TOKEN (URL quoted so the shell does not treat '&' as a background operator)
#curl --cacert "${CACERT}" --header "Authorization: Bearer ${TOKEN}" -X GET "${APISERVER}/api/v1/${NAMESPACE}/pods/h2load/exec?command=ls&stdin=true&stdout=true&tty=false"
# Path as posted: there is no "namespaces" segment between /api/v1 and ${NAMESPACE}
curl --cacert "${CACERT}" --header "Authorization: Bearer ${TOKEN}" -X GET "${APISERVER}/api/v1/${NAMESPACE}/pods/h2load"
[root@validator-pod-sa /]# ./test.sh
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "uctc \"pods\" is forbidden: User \"system:serviceaccount:uctc:validator\" cannot get resource \"uctc/h2load\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "pods",
    "kind": "uctc"
  },
  "code": 403
}
However, when I try to run the kubectl command without the “as” option, like below, it works.
[root@validator-pod-sa /]# ./kubectl get pod
NAME                                             READY   STATUS    RESTARTS   AGE
h2load                                           1/1     Running   0          158d
nginx-controller-65f4cdc5-2vrgg                  1/1     Running   0          159d
nginx-ingress-default-backend-7f4b76bc9f-ctjqx   1/1     Running   0          159d
uctc-cntlr-54f97ddf6-48z5c                       1/1     Running   0          13d
uctc-tap-2qxm8                                   1/1     Running   0          13d
uctc-tap-m5xkn                                   1/1     Running   0          13d
uctc-tap-qplnz                                   1/1     Running   0          13d
validator-pod                                    1/1     Running   0          7d16h
validator-pod-sa                                 1/1     Running   0          19h
[root@validator-pod-sa /]#
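A note on reading the 403 above, with an added example that is not part of the original post. The Status body names the resource as "uctc/h2load" and says the denial is "at the cluster scope": that is what the apiserver reports when the URL lacks the literal "namespaces" segment, so "uctc" is parsed as the resource type and "pods" as the object name. A real RBAC denial for a pod would instead read `pods "h2load" is forbidden: ... cannot get resource "pods" in API group "" in the namespace "uctc"`. kubectl builds the path as `/api/v1/namespaces/uctc/pods/h2load`, which is why `./kubectl get pod` with the same token works and why the Role and RoleBinding as posted are not the problem. The script below (my own example; the function names and fallback values are assumptions, the namespace "uctc" and pod "h2load" come from the post) builds the pod and pods/exec paths correctly and distinguishes the mis-built-path error from a genuine RBAC denial. It only talks to the apiserver when a token is actually mounted, so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: build the namespaced pod and
# pods/exec paths the way kubectl does, and tell a mis-built path apart from a
# genuine RBAC denial. Namespace "uctc" and pod "h2load" are from the post;
# the function names and the hard-coded fallback values are assumptions.

APISERVER="${APISERVER:-https://kubernetes.default.svc}"
SERVICEACCOUNT="${SERVICEACCOUNT:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Namespaced resources live under /api/v1/namespaces/<ns>/<resource>/<name>.
# Dropping the literal "namespaces" segment makes the apiserver read <ns> as the
# resource and "pods" as the object name, which is what the post's 403 reports.
pod_path() {
  printf '/api/v1/namespaces/%s/pods/%s' "$1" "$2"
}

# pods/exec is a subresource of the pod; each argv element becomes its own
# "command=" query parameter. Arguments are assumed URL-safe (no encoding here).
exec_path() {
  ns=$1; pod=$2; shift 2
  q=""
  for arg in "$@"; do
    q="${q}command=${arg}&"
  done
  printf '/api/v1/namespaces/%s/pods/%s/exec?%sstdout=true&stderr=true' "$ns" "$pod" "$q"
}

# Exit 0 when a Status body shows the path was mis-built (the message names a
# resource that starts with the namespace, e.g. resource "uctc/h2load");
# exit 1 when it is a real RBAC denial (resource "pods" in the namespace "uctc").
path_bug_in_status() {
  printf '%s\n' "$2" | grep -q "resource \"$1/"
}

# Only talk to the apiserver when a token is actually mounted (i.e. inside a
# pod); elsewhere just show the URL that would be requested.
if [ -r "$SERVICEACCOUNT/token" ]; then
  NAMESPACE=$(cat "$SERVICEACCOUNT/namespace")
  TOKEN=$(cat "$SERVICEACCOUNT/token")
  # Whole URL quoted so '&' in a query string is never seen by the shell.
  body=$(curl -sS --cacert "$SERVICEACCOUNT/ca.crt" \
    -H "Authorization: Bearer $TOKEN" \
    "${APISERVER}$(pod_path "$NAMESPACE" h2load)")
  if path_bug_in_status "$NAMESPACE" "$body"; then
    echo "path still mis-built: namespace parsed as the resource" >&2
  fi
  printf '%s\n' "$body"
else
  echo "no service account token mounted; would GET ${APISERVER}$(pod_path uctc h2load)"
fi
```

Two caveats for the commented-out exec line in test.sh. First, pods/exec is not a plain GET: the apiserver only serves it over an upgraded connection (SPDY or WebSocket), so a bare curl to that URL is rejected even when RBAC allows it; from inside the pod, `kubectl exec -n uctc h2load -- ls` with the mounted token is the practical way to drive it. Second, the RBAC itself can be checked without any HTTP at all, using the same impersonation the post mentions: `kubectl auth can-i create pods/exec -n uctc --as=system:serviceaccount:uctc:validator` should print `yes` with the Role and RoleBinding shown above.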