
Kubernetes Dashboard fails to authorise with group-based RBAC

Open embik opened this issue 2 years ago • 8 comments

What happened

I wanted to assign RBAC to users accessing my user cluster in KKP. Since they are all in OIDC groups and the KKP setup has OIDC for user clusters enabled, I only assigned group-based RBAC. When those users that only have access via group-based RBAC try to use the Kubernetes Dashboard built into KKP, they are getting errors insinuating that they do not have proper permissions:

nodes is forbidden: User "[email protected]" cannot list resource "nodes" in API group "" at the cluster scope

However, the same users can access the cluster via an OIDC-based kubeconfig downloaded from the KKP dashboard just fine. As an example from the error above: accessing the list of nodes (and any other resources) works via kubectl, but not via the Kubernetes Dashboard (proxy). The dashboard stays empty.

Expected behavior

OIDC access via kubectl / kubeconfig or Kubernetes Dashboard based access should be consistent; my users should have access to the same resources via the Kubernetes Dashboard just based on group permissions.

How to reproduce

  1. Sign into KKP (e.g. dev) with an OIDC provider that has groups. In our example, GitHub. Make sure the setup supports OIDC for user clusters.
  2. Create a user cluster, enable Kubernetes Dashboard during the setup. Wait for the user cluster to finish deploying.
  3. Go to "RBAC" tab at the bottom, switch to "User". Remove the entry for your own user.
  4. Download kubeconfig from "Get Kubeconfig", verify with e.g. kubectl get nodes that you no longer have permissions.
  5. Go back to "RBAC", switch to "Group". Add a binding for an OIDC group that your user is part of (don't forget to add the oidc: prefix; an example is oidc:kubermatic:development). Choose cluster-admin as role for simplicity.
  6. Verify with the previously downloaded kubeconfig that your user is allowed to run kubectl get nodes again.
  7. Click "Open Dashboard". Sign in with the same identity provider. Observe errors from the bell icon on the top right, and click "Nodes" from the left side menu to see that you cannot access nodes (or any other resource) from the dashboard.

Environment

  • UI Version: v2.24.0-beta.1 (but also found on 2.23)
  • API Version: v2.24.0-beta.1 (but also found on 2.23)
  • Domain: -
  • Others: -

Current workaround

Add user-based RBAC bindings for each user.

Affected user persona

Developers given access to user clusters

Business goal to be improved

Metric to be improved

embik avatar Oct 30 '23 12:10 embik

As a note, I was debugging this briefly with a Kubermatic partner, and we saw the groups included in the OIDC token used by the Kubernetes Dashboard. It was therefore not clear to us why groups were seemingly ignored.

embik avatar Oct 30 '23 12:10 embik
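The two facts the thread establishes are that the dashboard's OIDC token does carry the groups claim, yet the API server answers as if the user had no group bindings. The following is an added diagnostic example, not code from the issue or from the KKP project: it decodes the groups claim from an id_token exactly as the API server would map it (claim name and the oidc: prefix from step 5 are assumed to be the cluster's --oidc-groups-claim / --oidc-groups-prefix settings; the username claim "email" with no prefix is likewise an assumption), checks whether a group ClusterRoleBinding actually names one of those groups (the missing-prefix mistake the reproduction warns about), and emits a SubjectAccessReview that a cluster admin can `kubectl create -f` to ask the API server directly whether that user-plus-groups may list nodes. The sample token is constructed and unsigned; no signature is verified, so treat this as an inspection aid only.

```python
"""
Added diagnostic helper (not part of the KKP issue or project).

Assumptions, not taken from the issue: the API server maps the "groups" claim
with prefix "oidc:" and takes the username from the "email" claim without a
prefix. The signature of the token is NOT verified; this only inspects claims.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def kube_groups(claims: dict, groups_claim: str = "groups", prefix: str = "oidc:") -> list:
    """Groups as the API server sees them after applying the groups prefix."""
    raw = claims.get(groups_claim, [])
    if isinstance(raw, str):  # some IdPs emit a single group as a bare string
        raw = [raw]
    return [prefix + g for g in raw]


def group_cluster_role_binding(name: str, group: str, role: str = "cluster-admin") -> dict:
    """A ClusterRoleBinding for one group subject (assumed equivalent of the
    'Group' RBAC binding from step 5 of the reproduction)."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": [{"kind": "Group", "name": group,
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def binding_matches_groups(binding: dict, groups: list) -> bool:
    """True if any Group subject of the binding is among the token's prefixed groups.
    A subject written without the oidc: prefix will never match."""
    wanted = set(groups)
    return any(s.get("kind") == "Group" and s.get("name") in wanted
               for s in binding.get("subjects", []))


def subject_access_review(user: str, groups: list, resource: str = "nodes",
                          verb: str = "list") -> dict:
    """SubjectAccessReview asking the API server whether user+groups may <verb>
    <resource>. Created by a cluster admin; the verdict is in .status.allowed."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "groups": groups,
            "resourceAttributes": {"group": "", "resource": resource, "verb": verb},
        },
    }


def diagnose(token: str, resource: str = "nodes", verb: str = "list") -> dict:
    """Decode the token and build the review the API server should be asked."""
    claims = jwt_claims(token)
    user = claims["email"]          # assumed username claim, no prefix
    groups = kube_groups(claims)    # assumed groups claim "groups", prefix "oidc:"
    return {"user": user, "groups": groups,
            "review": subject_access_review(user, groups, resource, verb)}


# Constructed, unsigned sample token mirroring the issue's setup: a user who is
# a member of the kubermatic:development group. Placeholder values throughout.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "https://idp.example.invalid",
        "email": "[email protected]",
        "groups": ["kubermatic:development"],
    }).encode()),
    "",  # empty signature segment
])


if __name__ == "__main__":
    result = diagnose(SAMPLE_TOKEN)
    ok = group_cluster_role_binding("dev-admins", "oidc:kubermatic:development")
    print("groups seen by API server:", result["groups"])
    print("binding names a token group:", binding_matches_groups(ok, result["groups"]))
    # Pipe this into `kubectl create -f -` as a cluster admin to get .status.allowed
    print(json.dumps(result["review"], indent=2))
```

If the SubjectAccessReview comes back allowed while the dashboard still reports "forbidden", the group binding and the API server's group mapping are fine and the gap lies in how the dashboard's request reaches the API server (for example the groups not being forwarded on that path); if it comes back denied, the binding name or the prefix does not match what the API server derives from the token.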

Issues go stale after 90d of inactivity. After a further 30 days, they will turn rotten. Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

kubermatic-bot avatar Mar 14 '24 12:03 kubermatic-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

kubermatic-bot avatar Apr 14 '24 00:04 kubermatic-bot

/remove-lifecycle rotten

embik avatar Apr 14 '24 08:04 embik

Issues go stale after 90d of inactivity. After a further 30 days, they will turn rotten. Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

kubermatic-bot avatar Jul 13 '24 14:07 kubermatic-bot

/remove-lifecycle stale

embik avatar Jul 15 '24 06:07 embik