diff --git a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
index 39b8a1b6da..b77b85f000 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
@@ -45,3 +45,31 @@ subjects:
   kind: User
   name: kubernetes
 EOF
+
+# Create an admin user and give it the cluster role.
+ADMIN_RBAC=/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml
+
+[ -f ${ADMIN_RBAC} ] || {
+    echo "Writing File: $ADMIN_RBAC"
+    mkdir -p $(dirname ${ADMIN_RBAC})
+    cat << EOF > ${ADMIN_RBAC}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: admin
+  namespace: kube-system
+EOF
+}
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/kube-dashboard-service.sh b/magnum/drivers/common/templates/kubernetes/fragments/kube-dashboard-service.sh
index 67bcd77499..03149d7058 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/kube-dashboard-service.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/kube-dashboard-service.sh
@@ -196,23 +196,6 @@ spec:
       targetPort: 8443
   selector:
     k8s-app: kubernetes-dashboard
----
-# Grant admin privileges to the dashboard serviceacount
-
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard
-  labels:
-    k8s-app: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kube-system
 EOF
 }
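Review bot: The new block expands `${ADMIN_RBAC}` unquoted in the `[ -f ]` test, in `mkdir -p $(dirname ...)` and in the `>` redirection; the value is a fixed path today so this is harmless, but quoting it (`[ -f "${ADMIN_RBAC}" ] || {`, `mkdir -p "$(dirname "${ADMIN_RBAC}")"`, `cat << EOF > "${ADMIN_RBAC}"`) keeps the fragment correct if the path is ever made configurable. The header comment should also state what the manifest grants, since the binding is to `cluster-admin` and the token of a ServiceAccount bound to it is a full-cluster credential: `# Create an 'admin' ServiceAccount in kube-system bound to the cluster-admin ClusterRole; its token grants unrestricted cluster access.`. Nothing in this hunk applies the manifest, so presumably the file is picked up by an existing apply step in this fragment — worth confirming, and note that the `[ -f ]` guard means a file already present on the node is never rewritten when this template changes.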
diff --git a/releasenotes/notes/bug-1766284-k8s-fedora-admin-user-e760f9b0edf49391.yaml b/releasenotes/notes/bug-1766284-k8s-fedora-admin-user-e760f9b0edf49391.yaml
new file mode 100644
index 0000000000..9049df0035
--- /dev/null
+++ b/releasenotes/notes/bug-1766284-k8s-fedora-admin-user-e760f9b0edf49391.yaml
@@ -0,0 +1,8 @@
+---
+security:
+  - |
+    k8s_fedora Remove cluster role from the kubernetes-dashboard account. When
+    accessing the dashboard and skip authentication, users login with the
+    kunernetes-dashboard service account, if that service account has the
+    cluster role, users have admin access without authentication. Create an
+    admin service account for this use case and others.