while testing the role based access in the Alibaba container service it's throwing with me an error "pods is forbidden: User "user1" cannot list pods in the namespace "stage"" this is RBAC issue, which i'm not able to figure it where i'm heading it wrong
The RoleBinding Definition
root@kube-master:# kubectl describe rolebinding stage-role-binding -n stage
Name: stage-role-binding
Labels: <none>
Annotations: <none>
Role:
Kind: Role
Name: staging
Subjects:
Kind Name Namespace
---- ---- ---------
User user2
The Role Definition
root@kube-master:# kubectl describe role -n stage
Name: staging
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
deployments [] [] [get list watch create update patch delete]
pods [] [] [get list watch create update patch delete]
replicasets [] [] [get list watch create update patch delete]
deployments.apps [] [] [get list watch create update patch delete]
pods.apps [] [] [get list watch create update patch delete]
replicasets.apps [] [] [get list watch create update patch delete]
deployments.extensions [] [] [get list watch create update patch delete]
pods.extensions [] [] [get list watch create update patch delete]
replicasets.extensions [] [] [get list watch create update patch delete]
One pod is running well in the stage namespace
root@kube-master:# kubectl get pods -n stage
NAME READY STATUS RESTARTS AGE
busybox 1/1 Running 0 10m
Defining context
root@kube-master:# kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
Context "stage" modified.
Testing RBAC
root@kube-master:/home/ansible# kubectl --context=stage get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "user1" cannot list pods in the namespace "stage"
Not sure from where user1
is coming and throwing the RBAC Error
There is only context is set for user2
root@kube-master:# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
stage kubernetes user2 stage
This is how i created the user
openssl genrsa -out user2.key 2048
openssl req -new -key user2.key -out user2.csr -subj "/CN=user1/O=8gwifi.org"
openssl x509 -req -in user2.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user2.crt -days 500
kubectl config set-credentials user2 --client-certificate=user2.crt --client-key=user2.key
kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
The RoleBinding is for user user2, not for user1. That's why you are getting RBAC error.
Setting context for user user2 does not mean that kubernetes will identify this user as user2. It depends on the credential you use. If the used credential is of user user-x, then kubernetes will treat it as user-x. The context user is for kubectl to find user credential info. To understand kubernetes authentication see here.
The credential you used there resolved to user user1. So you should update your RoleBinding to user1.
After updated question
For certificate authetication, CN will be the username (ref: here).
In your certificate "/CN=user1/O=8gwifi.org"
, so username will be user1 not user2.