
Users Can't Delegate CSR Approval/Signing Permissions Within A Domain #122154

Open
kubernetes/website
#49275
@stevekuznetsov

Description


What happened?

If a user has permission to approve or sign CSRs for a whole domain, they cannot delegate some part of that domain to another role.

What did you expect to happen?

The escalation check on RBAC creation should not erroneously tell you that you can't escalate, when you are not escalating.

How can we reproduce it (as minimally and precisely as possible)?

$ cat /tmp/setup.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: uber-csr-approver
rules:
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - create
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - example.com/*
  resources:
  - signers
  verbs:
  - approve
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: delegator-uber-csr-approver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: uber-csr-approver
subjects:
- kind: ServiceAccount
  name: delegator
  namespace: csr-test
---
apiVersion: v1
kind: Namespace
metadata:
  name: csr-test
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: delegator
  namespace: csr-test

$ kubectl apply -f /tmp/setup.yaml
clusterrole.rbac.authorization.k8s.io/uber-csr-approver created
clusterrolebinding.rbac.authorization.k8s.io/delegator-uber-csr-approver created
namespace/csr-test created
serviceaccount/delegator created

$ cat /tmp/delegate.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: specific-csr-approver
rules:
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - example.com/specific
  resources:
  - signers
  verbs:
  - approve

$ kubectl --as system:serviceaccount:csr-test:delegator apply -f /tmp/delegate.yaml
Error from server (Forbidden): error when creating "/tmp/csr.yaml": clusterroles.rbac.authorization.k8s.io "specific-csr-approver" is forbidden: user "system:serviceaccount:csr-test:delegator" (groups=["system:serviceaccounts" "system:serviceaccounts:csr-test" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["certificates.k8s.io"], Resources:["signers"], ResourceNames:["example.com/specific"], Verbs:["approve"]}

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.1", GitCommit:"17b7accf8", GitTreeState:"clean", BuildDate:"2023-08-11T12:23:21Z", GoVersion:"go1.19.10", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.9+aa37255", GitCommit:"e782f8ba0e57d260867ea108b671c94844780ef2", GitTreeState:"clean", BuildDate:"2023-11-21T19:15:07Z", GoVersion:"go1.19.13 X:strictfipsruntime", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider

N/A

OS version

N/A

Install tools

N/A

Container runtime (CRI) and version (if applicable)

N/A

Related plugins (CNI, CSI, ...) and versions (if applicable)

N/A
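A small model of the escalation check that rejected delegate.yaml above, added here as an illustration rather than taken from Kubernetes' own code: it compares resourceNames as literal strings (the behaviour the Forbidden error reports), so "example.com/*" is just one name to the rule-coverage check, while the domain-wildcard reading only applies when CSR approval authorization evaluates a signer name. The Rule type, helper names and the escalate shortcut are assumptions of this model.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset
    resource_names: frozenset = frozenset()   # empty means "all names"

def _covers(have, want):
    return "*" in have or want <= have
def rule_covers(have, want):
    # Every permission in `want` must already be granted by `have`.
    if not (_covers(have.api_groups, want.api_groups) and
            _covers(have.resources, want.resources) and
            _covers(have.verbs, want.verbs)):
        return False
    if not have.resource_names:    # holder is not restricted by name
        return True
    if not want.resource_names:    # new rule wants all names, holder has few
        return False
    # resourceNames are plain strings here, so "example.com/*" is just
    # one name and does not cover "example.com/specific".
    return want.resource_names <= have.resource_names

def permissions_not_held(actor_rules, new_rules):
    return [r for r in new_rules
            if not any(rule_covers(h, r) for h in actor_rules)]

ESCALATE = Rule(frozenset({"rbac.authorization.k8s.io"}),
                frozenset({"clusterroles"}), frozenset({"escalate"}))
def may_create_clusterrole(actor_rules, new_rules):
    # The escalate verb on clusterroles bypasses the coverage check;
    # otherwise every rule of the new role must already be held.
    if any(rule_covers(h, ESCALATE) for h in actor_rules):
        return True
    return not permissions_not_held(actor_rules, new_rules)

def signer_name_matches(pattern, name):
    # How CSR approval authorization reads a signer name: "<domain>/*"
    # matches every signer in that domain. Compare with rule_covers.
    domain, _, leaf = pattern.partition("/")
    return pattern == name or (leaf == "*" and name.startswith(domain + "/"))
def signer_rule(*names):
    return Rule(frozenset({"certificates.k8s.io"}), frozenset({"signers"}),
                frozenset({"approve"}), frozenset(names))

# Rules taken from the issue's setup.yaml and delegate.yaml.
UBER_CSR_APPROVER = [Rule(frozenset({"rbac.authorization.k8s.io"}),
                          frozenset({"clusterroles"}), frozenset({"create"})),
                     signer_rule("example.com/*")]
SPECIFIC_CSR_APPROVER = [signer_rule("example.com/specific")]
```

Running `permissions_not_held(UBER_CSR_APPROVER, SPECIFIC_CSR_APPROVER)` reproduces the one "not currently held" rule from the error, and adding the ESCALATE rule to the delegator is the documented way to let a subject create roles it cannot itself exercise.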

Metadata

Assignees

No one assigned

Labels

- needs-kind: Indicates a PR lacks a `kind/foo` label and requires one.
- needs-triage: Indicates an issue or PR lacks a `triage/foo` label and requires one.
- sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
