Turning rbac on then off will "destroy" the cluster

If you have a microk8s cluster without RBAC enabled (which is the default setting), be very careful.

In my case, I turned it on with `microk8s enable rbac` to see how it would forbid access.

But then I realized that I had not checked the behavior without RBAC, so I decided to turn it off.

And as you can guess, with RBAC all roles and role bindings were also removed, so I immediately lost all the components I had tried to configure (e.g. ingress, cert-manager, etc.).

Turning RBAC back on again won't recover the lost objects. Turning the corrupted components off and on is also not possible; for example, ha-cluster complains that if I do it the cluster will be wiped out.

So I did break everything in a single command; thankfully it was my playground lab.

It would be nice if microk8s, before removing RBAC, notified the user what will happen and asked for confirmation.

Hi! Can you provide a little more information about the MicroK8s version you are running? This should not happen, after disabling RBAC the MicroK8s cluster should not break.

Can you also provide a little more information about what exactly happened in this case?

The version was 1.21 from the stable channel.

The cluster (microk8s) itself was fine and working; the problem is with all the deployments on top which are dependent on RBAC.

Like if you set up microk8s, then enable ingress and install cert-manager (they both will add a bunch of roles and bindings).

Then turn RBAC on/off: the roles and bindings will be deleted, and in the logs of the ingress controller you will see a bazillion errors.

Hopefully that describes it a little bit better.

Hi Alexandr_Marchenko:

Haven’t used microk8s myself, but the action of disabling RBAC in microk8s is described on the official repo:

There’s a tmp_manifest="${SNAP_USER_DATA}/tmp/temp.rbac.yaml" file where everything is dumped before it gets removed from Kubernetes:

$KUBECTL get ${type} --all-namespaces --selector kubernetes.io/bootstrapping=rbac-defaults -o yaml >> "${tmp_manifest}"

Maybe the ${tmp_manifest} file is still on your computer and you're able to recover the manifests from it.

Best regards,

Xavi
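
Added example, not part of the original post or of the MicroK8s scripts: a snapshot of every RBAC object taken before the rbac addon is toggled. It dumps without the `--selector` used in the quoted line, on the assumption that roles created by add-ons such as ingress or cert-manager do not carry the `kubernetes.io/bootstrapping=rbac-defaults` label; the function name, variable names and output directory are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: export all RBAC objects before running `microk8s disable rbac`.
# KUBECTL defaults to the MicroK8s wrapper; override it for another cluster.
KUBECTL="${KUBECTL:-microk8s kubectl}"

# The four RBAC resource types; cluster-scoped ones ignore --all-namespaces.
RBAC_TYPES="clusterroles clusterrolebindings roles rolebindings"

# backup_rbac <output-dir>
# Writes one YAML file per RBAC type and prints the directory on success.
# Returns non-zero if any export fails or comes back empty, so a caller can
# refuse to go on to the disable step.
backup_rbac() {
    out_dir="$1"
    [ -n "$out_dir" ] || { echo "usage: backup_rbac <output-dir>" >&2; return 1; }
    mkdir -p "$out_dir" || return 1

    for type in $RBAC_TYPES; do
        file="$out_dir/$type.yaml"
        # No --selector here: every object of this type is captured,
        # whatever labels it carries.
        if ! $KUBECTL get "$type" --all-namespaces -o yaml > "$file"; then
            echo "failed to export $type" >&2
            return 1
        fi
        # An empty file means there is nothing to restore from.
        if [ ! -s "$file" ]; then
            echo "empty export for $type" >&2
            return 1
        fi
    done

    echo "$out_dir"
}
```

Call `backup_rbac` with a directory outside the snap's temporary area and run `microk8s disable rbac` only if it returns success.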

Really good finding :+1:

Indeed, it seems like it might be a solution for such cases, but in the end it seems that with microk8s RBAC is something that should be enabled from the start and never touched again later :man_shrugging:

PS: At the moment I wish not to touch it again to check if the temp file will be saved :slight_smile: