
bug: admin permissions and resourceNames=* don't take effect for apibinding admission

Open ncdc opened this issue 2 years ago • 5 comments

Describe the bug

When creating an APIBinding, the APIBinding admission logic performs a SAR with the following attributes:

bindAttr := authorizer.AttributesRecord{
	User:            user,
	Verb:            "bind",
	APIGroup:        apisv1alpha1.SchemeGroupVersion.Group,
	APIVersion:      apisv1alpha1.SchemeGroupVersion.Version,
	Resource:        "apiexports",
	Name:            apiExportName,
	ResourceRequest: true,
}

If the user has admin permissions and/or a ClusterRole that grants bind to resourceNames: ["*"], their attempt to create the APIBinding is rejected with: apibindings.apis.kcp.dev "test" is forbidden: unable to create APIImport: missing verb='bind' permission on apiexports

Steps To Reproduce

See description

Expected Behaviour

admin permissions and resourceNames=* would apply when checking binding permissions

Additional Context

No response

ncdc avatar Sep 09 '22 19:09 ncdc

@sttts @s-urbaniak @stevekuznetsov

ncdc avatar Sep 09 '22 19:09 ncdc

is there some workaround until it's fixed?

sparkoo avatar Sep 12 '22 05:09 sparkoo

The workaround is to create a ClusterRole + ClusterRoleBinding like this, in the workspace where you are trying to bind to the API:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bind-apiexport-spi
rules:
- apiGroups:
  - apis.kcp.dev
  resourceNames:
  - spi
  resources:
  - apiexports
  verbs:
  - bind
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-apiexport-spi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bind-apiexport-spi
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rh-sso:mvalarh2

sparkoo avatar Sep 12 '22 12:09 sparkoo
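As an added example (not kcp's own code), the following Go program replays the bind SAR from the issue description against the two rule shapes discussed in this thread: the resourceNames: ["*"] ClusterRole the report says is rejected, and the per-export ClusterRole from the workaround above. It assumes upstream Kubernetes RBAC matching semantics, in which "*" is a wildcard for verbs, apiGroups and resources but resourceNames is an exact-match list where only an empty list means "any name", so a literal "*" entry covers only an object actually named "*". Under that assumption it accounts for the resourceNames half of the report; it does not model how kcp resolves admin permissions, which the issue does not diagnose. The rule sets, the export name spi and the denial text (copied from the error quoted above) are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// bindAttributes mirrors the SubjectAccessReview attributes quoted in the issue:
// verb "bind" on apiexports/<name> in group apis.kcp.dev, version v1alpha1.
type bindAttributes struct {
	Verb, APIGroup, APIVersion, Resource, Name string
}

func bindAttributesFor(apiExportName string) bindAttributes {
	return bindAttributes{
		Verb:       "bind",
		APIGroup:   "apis.kcp.dev",
		APIVersion: "v1alpha1",
		Resource:   "apiexports",
		Name:       apiExportName,
	}
}

// policyRule holds the fields of an RBAC PolicyRule that the check reads.
type policyRule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}

func has(set []string, want string) bool {
	for _, s := range set {
		if s == want {
			return true
		}
	}
	return false
}

// ruleAllows applies upstream Kubernetes RBAC matching (assumption: kcp's own
// authorizer is not reproduced here). "*" is a wildcard for verbs, apiGroups
// and resources; resourceNames is an exact-match list where only an EMPTY list
// means "any name", so a literal "*" entry matches only an object named "*".
func ruleAllows(r policyRule, a bindAttributes) bool {
	verbOK := has(r.Verbs, a.Verb) || has(r.Verbs, "*")
	groupOK := has(r.APIGroups, a.APIGroup) || has(r.APIGroups, "*")
	resourceOK := has(r.Resources, a.Resource) || has(r.Resources, "*")
	nameOK := len(r.ResourceNames) == 0 || has(r.ResourceNames, a.Name)
	return verbOK && groupOK && resourceOK && nameOK
}

// errMissingBind reproduces the denial text quoted in the issue.
var errMissingBind = errors.New("unable to create APIImport: missing verb='bind' permission on apiexports")

// checkBind returns nil when any rule grants bind on the named APIExport,
// otherwise the denial the admission plugin would surface.
func checkBind(rules []policyRule, apiExportName string) error {
	attr := bindAttributesFor(apiExportName)
	for _, r := range rules {
		if ruleAllows(r, attr) {
			return nil
		}
	}
	return errMissingBind
}

// Constructed rule sets: wildcardNameRules is the shape the issue reports as
// broken, workaroundRules is the ClusterRole from the workaround comment, and
// anyNameRules omits resourceNames entirely.
var (
	wildcardNameRules = []policyRule{{
		APIGroups: []string{"apis.kcp.dev"}, Resources: []string{"apiexports"},
		ResourceNames: []string{"*"}, Verbs: []string{"bind"},
	}}
	workaroundRules = []policyRule{{
		APIGroups: []string{"apis.kcp.dev"}, Resources: []string{"apiexports"},
		ResourceNames: []string{"spi"}, Verbs: []string{"bind"},
	}}
	anyNameRules = []policyRule{{
		APIGroups: []string{"apis.kcp.dev"}, Resources: []string{"apiexports"},
		Verbs: []string{"bind"},
	}}
)

func main() {
	cases := []struct {
		label string
		rules []policyRule
	}{
		{`resourceNames: ["*"]`, wildcardNameRules},
		{`resourceNames: ["spi"]`, workaroundRules},
		{`no resourceNames`, anyNameRules},
	}
	for _, c := range cases {
		fmt.Printf("%-24s bind apiexports/spi -> %v\n", c.label, checkBind(c.rules, "spi"))
	}
}
```

Running it shows the first rule set denied and the other two allowed; the practical check is that a rule meant to cover every APIExport should leave resourceNames out rather than list "*".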

Issues go stale after 90d of inactivity. After a further 30 days, they will turn rotten. Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

kcp-ci-bot avatar Apr 12 '24 08:04 kcp-ci-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

kcp-ci-bot avatar May 12 '24 08:05 kcp-ci-bot

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

/close

kcp-ci-bot avatar Jun 11 '24 08:06 kcp-ci-bot

@kcp-ci-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

kcp-ci-bot avatar Jun 11 '24 08:06 kcp-ci-bot