k8s_fedora: Kubernetes dashboard service account must not have any permissions

Bug #1766284 reported by Spyros Trigazis
Affects: Magnum (status tracked in Rocky)
  Queens: Status: Fix Committed; Importance: Critical; Assigned to: Feilong Wang
  Rocky: Status: Fix Released; Importance: Critical; Assigned to: Spyros Trigazis

Bug Description

When logging in to the Kubernetes dashboard, if you click skip, the dashboard will use the kubernetes-dashboard service account. This means that anyone can log in to the dashboard with this service account. By default, this account doesn't have any permissions. In the k8s_fedora service account we give it the cluster role, meaning admin access to the cluster (fortunately, by default the dashboard is only accessible from inside). We need to create an admin account and the admin user can log in with that one.
https://github.com/kubernetes/dashboard/wiki/Creating-sample-user
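
A check for the condition this bug describes, as an added example (not Magnum's code and not part of the original report): it lists every binding that grants a role to the dashboard service account, either directly or through a group that all service-account tokens carry. The binding names, the `admin` account name, the `kube-system` namespace and the role names in the sample are assumptions.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`.
# Binding names, the "admin" account and the kube-system namespace are assumptions.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "admin",
                "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "sa-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "empty"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"}, "subjects": null}
]}
""")


def bindings_for_sa(doc, name, namespace):
    """List (binding, role, via) for every binding that grants a role to the account."""
    # Groups that every service-account token in this namespace belongs to.
    groups = {"system:authenticated", "system:serviceaccounts",
              "system:serviceaccounts:" + namespace}
    found = []
    for item in doc.get("items", []):
        if item.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            direct = (subj.get("kind") == "ServiceAccount"
                      and subj.get("name") == name
                      and subj.get("namespace") == namespace)
            via_group = subj.get("kind") == "Group" and subj.get("name") in groups
            if direct or via_group:
                via = "direct" if direct else "group:" + subj["name"]
                found.append((item["metadata"]["name"], item["roleRef"]["name"], via))
    return found


if __name__ == "__main__":
    for binding, role, via in bindings_for_sa(SAMPLE, "kubernetes-dashboard", "kube-system"):
        print(f"{binding}: grants {role} ({via})")
```

Group-derived findings also appear on clusters without this bug, because Kubernetes binds some discovery roles to `system:authenticated` by default; the `direct` entries are the ones that correspond to the binding removed by the fix.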

Changed in magnum:
importance: Undecided → Critical
assignee: nobody → Spyros Trigazis (strigazi)
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/563676

Changed in magnum:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/563679

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/563676
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=91d5229b9c0e083cae60a8dc3e546145a82c7f93
Submitter: Zuul
Branch: master

commit 91d5229b9c0e083cae60a8dc3e546145a82c7f93
Author: Spyros Trigazis <email address hidden>
Date: Wed Apr 25 12:22:43 2018 +0000

    k8s_fedora: Add admin user

    Add an admin service account and give it the
    cluster role. It can be used for access apps
    with token authentication like the
    kubernetes-dashboard.

    Remove the cluster role from the dashboard service account.

    Change-Id: I7980c0e72b0d71921e42af7338d02b8a1e563c34
    Closes-Bug: #1766284

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/queens)

Reviewed: https://review.openstack.org/563679
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=b8f6261f44e0f7bfcb04ffb6af6c16c041eb8dcd
Submitter: Zuul
Branch: stable/queens

commit b8f6261f44e0f7bfcb04ffb6af6c16c041eb8dcd
Author: Spyros Trigazis <email address hidden>
Date: Wed Apr 25 12:22:43 2018 +0000

    k8s_fedora: Add admin user

    Add an admin service account and give it the
    cluster role. It can be used for access apps
    with token authentication like the
    kubernetes-dashboard.

    Remove the cluster role from the dashboard service account.

    Change-Id: I7980c0e72b0d71921e42af7338d02b8a1e563c34
    Closes-Bug: #1766284
    (cherry picked from commit 91d5229b9c0e083cae60a8dc3e546145a82c7f93)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 6.1.1

This issue was fixed in the openstack/magnum 6.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 7.0.0

This issue was fixed in the openstack/magnum 7.0.0 release.
