Hi Nicolas,
Thanks for looking into this issue and solving it!
It looks to me that the second is more elegant.
BR,
Huabing
Original message
From: <[email protected]>;
To: <[email protected]>; <[email protected]>; 赵化冰10201488;
Date: February 2, 2018 03:01
Subject: RE: [OOM][MSB] Kube2MSB RBAC security issues
Hi Michael, Huabing,
Here is the reason why Kube2MSB failed in an RBAC-enabled cluster.
The kube2MSB will use the token from service account kube-system:default. This
service account doesn't have the admin privileges.
To fix that issue there are two ways:
1. Create a clusterrolebinding assigning admin privileges to that service
account. Just run the following command:
kubectl create clusterrolebinding kube-system-default-admin-binding --clusterrole=cluster-admin --serviceaccount=kube-system:default
This command should execute once. Should we put it in createConfig.sh?
2. Instead of using the token from service account kube-system:default,
kube2msb can use the token from service account onap-kube2msb:default.
In createAll.bash the ClusterRoleBinding is created for onap-kube2msb:default,
so that account already has the admin privileges.
Change the kube-system to $1-$2:
# assign default auth token
if [[ -z $ONAP_DEFAULT_AUTH_TOKEN ]]; then
  # "kube-system" on the next two lines is the namespace to change to $1-$2
  DEFAULT_SECRET=`kubectl get secrets -n kube-system | grep default-token | awk '{ print $1}'`
  ONAP_DEFAULT_AUTH_TOKEN=`kubectl get secrets $DEFAULT_SECRET -n kube-system -o yaml | grep 'token:' | awk '{ print $2}' | base64 --decode`
fi

cmd=`echo helm install $LOCATION/$2/ --name $1-$2 --namespace $1 --set nsPrefix=$1,nodePortPrefix=$3,kubeMasterAuthToken=$ONAP_DEFAULT_AUTH_TOKEN ${HELM_VALUES_ADDITION}`
eval ${cmd}
check_return_code $cmd
Thanks,
Nicolas
[centos@server-186-kubernetes-master-host-8z2tnf robot]$ kubectl get ClusterRoleBinding onap-kube2msb-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-01-30T20:18:49Z
  name: onap-kube2msb-admin-binding
  resourceVersion: "159146"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/onap-kube2msb-admin-binding
  uid: c838ff8d-05fa-11e8-bad9-fa163efe5022
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: onap-kube2msb
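The token lookup from createAll.bash, generalised over the namespace as option 2 proposes, plus the check a reviewer would want before either option ships: what the chosen service account can actually do with that token. This is an added example, not code from the OOM scripts; it assumes kubectl is configured for the cluster and that the cluster auto-creates "<serviceaccount>-token-xxxxx" secrets, as Kubernetes did at the time of this thread (1.24 and later no longer do).

```shell
#!/usr/bin/env bash
# Added example, not part of ONAP OOM. Assumes kubectl access and
# auto-created "<sa>-token-xxxxx" secrets (pre-1.24 behaviour).
set -eu

# Pull the decoded bearer token out of `kubectl get secret ... -o yaml`
# read from stdin. Matching the whole key ("token:") avoids other keys
# that merely contain the word "token".
token_from_secret_yaml() {
  awk '$1 == "token:" { print $2; exit }' | base64 --decode
}

# Name of the first token secret of service account $2 in namespace $1
# (the script's `grep default-token`, but keyed on the account name).
token_secret_name() {
  ns="$1"; sa="$2"
  kubectl get secrets -n "$ns" -o name \
    | grep "^secret/${sa}-token-" | head -n 1 | cut -d/ -f2
}

# Decoded token for service account $2 in namespace $1, i.e. what
# kubeMasterAuthToken receives; $1 would be "$1-$2" in createAll.bash.
sa_token() {
  ns="$1"; sa="$2"
  secret="$(token_secret_name "$ns" "$sa")"
  [ -n "$secret" ] || { echo "no token secret for $ns:$sa" >&2; return 1; }
  kubectl get secret "$secret" -n "$ns" -o yaml | token_from_secret_yaml
}

# Report whether the account may list the resources kube2msb reads
# (pods and services per the thread; endpoints assumed). kubectl
# prints "yes" or "no" for each check, so a "no" here is the failure
# seen in OOM-645 before any binding is added.
sa_access_report() {
  ns="$1"; sa="$2"
  for res in pods services endpoints; do
    printf '%s:%s list %s -> ' "$ns" "$sa" "$res"
    kubectl auth can-i list "$res" --all-namespaces \
      --as="system:serviceaccount:${ns}:${sa}" || true
  done
}

# Usage: sa_access_report onap-kube2msb default; sa_token onap-kube2msb default
```

Running sa_access_report for kube-system:default before and after option 1, or for onap-kube2msb:default as option 2 uses it, shows which account the token must come from without redeploying kube2msb.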
From: [email protected]
[mailto:[email protected]] On Behalf Of HU, JUN NICOLAS
Sent: Wednesday, January 31, 2018 12:06 PM
To: OBRIEN, FRANK MICHAEL <[email protected]>;
[email protected]
Subject: [onap-discuss] [OOM][MSB] Kube2MSB RBAC security issues
Hi,
I created https://jira.onap.org/browse/OOM-645.
The Kube2MSB cannot access the apis of pods and services.
Thanks,
Nicolas