Description
Describe the bug
Creating SelfSubjectAccessReviews and SelfSubjectRulesReviews fails with unauthorized even if the user should have access according to ClusterRole+ClusterRoleBinding in a workspace.
Steps To Reproduce
- Create a new workspace:

```shell
kubectl create-workspace ssrr-poc
```

- Deploy the ClusterRole + ClusterRoleBinding below:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: introspection
rules:
  - apiGroups:
      - authorization.k8s.io
    resources:
      - selfsubjectaccessreviews
      - selfsubjectrulesreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: introspection-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: introspection
subjects:
  - kind: User
    name: oidc:[email protected]
  - kind: Group
    name: system:authenticated
```

- SelfSubjectAccessReviews: run

```shell
kubectl auth can-i create selfsubjectaccessreviews --as=oidc:[email protected] --as-group=system:authenticated
```

- SelfSubjectRulesReviews:

```shell
kubectl create --as=oidc:[email protected] -oyaml --validate=false -f - <<EOF
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
spec:
  namespace: default
EOF
```

Expected Behaviour
SelfSubjectAccessReviews:
Expected: Valid response with result.
Observed: Fails with HTTP status 403
SelfSubjectRulesReviews:
Expected: Valid response with result
Observed: Error from server (Forbidden): error when creating "STDIN": selfsubjectrulesreviews.authorization.k8s.io is forbidden: User "oidc:[email protected]" cannot create resource "selfsubjectrulesreviews" in API group "authorization.k8s.io" at the cluster scope: access denied
Additional Context
Creating a ClusterRoleBinding to cluster-admin expectedly allows the user to perform both actions.
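To make the expectation in this report concrete, here is an added illustration (not kcp's or Kubernetes' own code) that models upstream RBAC evaluation in plain Go: a rule matches when it covers the verb, API group and resource (a `*` entry covers anything), a binding applies when one of its subjects is the caller's user name or one of the caller's groups, and a ClusterRoleBinding applies at every scope, so the cluster-scoped review resources need no namespace handling. Evaluated against the ClusterRole and ClusterRoleBinding from the steps above, both `create` requests come out allowed, which is the basis for the Expected rows; an unrelated request (`create pods`) and a wrong verb stay denied. The user name in the code is a hypothetical stand-in for the reporter's `oidc:` user. Note that `kubectl auth can-i` works by POSTing a SelfSubjectAccessReview itself, so with `--as` the impersonated user must be allowed to create that resource, which is exactly what the first step exercises.

```go
package main

import "fmt"

// Attributes are the request attributes RBAC evaluates. SelfSubjectAccessReview and
// SelfSubjectRulesReview are cluster-scoped, and a ClusterRoleBinding applies at every
// scope, so no namespace field is needed for this check.
type Attributes struct {
	User     string
	Groups   []string
	Verb     string
	APIGroup string
	Resource string
}

// Rule is one entry of a ClusterRole's rules list.
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Subject is one entry of a binding's subjects list ("User" or "Group").
type Subject struct {
	Kind string
	Name string
}

// ClusterBinding is a ClusterRoleBinding with its referenced ClusterRole's rules inlined.
type ClusterBinding struct {
	Rules    []Rule
	Subjects []Subject
}

// contains reports whether list names v exactly or via the "*" wildcard.
func contains(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// ruleAllows mirrors upstream matching: verb, API group and resource must all be covered.
func ruleAllows(r Rule, a Attributes) bool {
	return contains(r.Verbs, a.Verb) && contains(r.APIGroups, a.APIGroup) && contains(r.Resources, a.Resource)
}

// subjectMatches: a User subject matches by name; a Group subject matches any caller group
// (system:authenticated is an ordinary group as far as RBAC is concerned).
func subjectMatches(s Subject, a Attributes) bool {
	switch s.Kind {
	case "User":
		return s.Name == a.User
	case "Group":
		for _, g := range a.Groups {
			if g == s.Name {
				return true
			}
		}
	}
	return false
}

// Authorize returns true if some binding whose subjects include the caller carries a
// rule covering the request. RBAC is allow-only: no match means "no opinion", which the
// apiserver reports as 403 Forbidden.
func Authorize(bindings []ClusterBinding, a Attributes) bool {
	for _, b := range bindings {
		matched := false
		for _, s := range b.Subjects {
			if subjectMatches(s, a) {
				matched = true
				break
			}
		}
		if !matched {
			continue
		}
		for _, r := range b.Rules {
			if ruleAllows(r, a) {
				return true
			}
		}
	}
	return false
}

// IssuePolicy reproduces the ClusterRole + ClusterRoleBinding from the report for the given user.
func IssuePolicy(user string) []ClusterBinding {
	return []ClusterBinding{{
		Rules: []Rule{{
			APIGroups: []string{"authorization.k8s.io"},
			Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"},
			Verbs:     []string{"create"},
		}},
		Subjects: []Subject{{Kind: "User", Name: user}, {Kind: "Group", Name: "system:authenticated"}},
	}}
}

func main() {
	const user = "oidc:alice@example.com" // hypothetical stand-in for the reporter's oidc: user
	policy := IssuePolicy(user)
	for _, res := range []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"} {
		req := Attributes{User: user, Groups: []string{"system:authenticated"},
			Verb: "create", APIGroup: "authorization.k8s.io", Resource: res}
		fmt.Printf("create %s: allowed=%v\n", res, Authorize(policy, req))
	}
	// Negative control: the same policy grants nothing outside the single rule.
	pods := Attributes{User: user, Groups: []string{"system:authenticated"}, Verb: "create", Resource: "pods"}
	fmt.Printf("create pods: allowed=%v\n", Authorize(policy, pods))
}
```

The group subject is what makes the second negative control interesting: any caller carrying `system:authenticated` is allowed by this binding even if the User entry does not name them, while an unauthenticated caller (group `system:unauthenticated`) is not.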