
When you have a default kubeconfig, using kubectl auth can-i --list --token still gets the kubeconfig privilege #1657

Open
INT2ECALL opened this issue Sep 23, 2024 · 6 comments
Labels
kind/support Categorizes issue or PR as a support question. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@INT2ECALL

What would you like to be added:
If you are using a command like this:

kubectl --server=https://192.168.26.65:6443 --insecure-skip-tls-verify --token=$TOKEN auth can-i --list

and you have a default kubeconfig in admin.conf, kubectl will also use the kubeconfig certdata and not use the token. I think if you use --token, that means what you want to get is the token's privileges, not the kubeconfig's.

Why is this needed:
Easy and fast to know what the SA can do.

@INT2ECALL INT2ECALL added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 23, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 23, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@INT2ECALL
Author

INT2ECALL commented Sep 23, 2024

What I am doing is making a fix in the ToRESTConfig function in clientset.go:

	if len(clientConfig.BearerToken) > 0 {
		clientConfig.TLSClientConfig.CAData = nil
		clientConfig.TLSClientConfig.KeyData = nil
	}

func (f *MatchVersionFlags) ToRESTConfig() (*rest.Config, error) {
	if err := f.checkMatchingServerVersion(); err != nil {
		return nil, err
	}
	clientConfig, err := f.Delegate.ToRESTConfig()
	if err != nil {
		// check the error before touching clientConfig, which is nil on failure
		return nil, err
	}

	// when an explicit bearer token is set, drop the kubeconfig cert data so the token is used
	if len(clientConfig.BearerToken) > 0 {
		clientConfig.TLSClientConfig.CAData = nil
		clientConfig.TLSClientConfig.KeyData = nil
	}

	// TODO we should not have to do this.  It smacks of something going wrong.
	setKubernetesDefaults(clientConfig)
	return clientConfig, nil
}

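As an added example (not the author's patch and not kubectl's code), this Go snippet models the credential merging the issue describes: a kubeconfig client certificate plus --token leaves both credentials in the config, and the merge shown here keeps the token as the only client credential while preserving CAData for server verification. The TLSClientConfig and Config types, Credentials and ApplyTokenFlag are stand-ins for this illustration, not client-go APIs.

```go
package main

import "fmt"

// Stand-in for the rest.Config fields involved (assumption: only these fields, no client-go import).
type TLSClientConfig struct {
	CAData   []byte // CA bundle that verifies the API server; not a client credential
	CertData []byte // client certificate from the kubeconfig: a client credential
	KeyData  []byte // private key paired with CertData
}
type Config struct {
	BearerToken     string
	TLSClientConfig TLSClientConfig
}

// Credentials lists the client credentials a config would present. A kubeconfig
// cert/key plus --token yields both, the state the issue reports as giving the
// kubeconfig's privileges instead of the token's.
func Credentials(cfg Config) []string {
	var creds []string
	if len(cfg.TLSClientConfig.CertData) > 0 && len(cfg.TLSClientConfig.KeyData) > 0 {
		creds = append(creds, "client-cert")
	}
	if cfg.BearerToken != "" {
		creds = append(creds, "bearer-token")
	}
	return creds
}

// ApplyTokenFlag merges --token over a kubeconfig-derived config so the token is
// the only client credential. CAData is kept: it verifies the server, and
// dropping it is only harmless under --insecure-skip-tls-verify.
func ApplyTokenFlag(base Config, token string) (Config, error) {
	if token == "" {
		return base, fmt.Errorf("empty --token")
	}
	out := base
	out.BearerToken = token
	out.TLSClientConfig.CertData, out.TLSClientConfig.KeyData = nil, nil
	return out, nil
}

func main() {
	// Constructed sample: admin.conf's cert identity merged with --token.
	admin := Config{BearerToken: "sa-token", TLSClientConfig: TLSClientConfig{
		CAData: []byte("ca"), CertData: []byte("crt"), KeyData: []byte("key")}}
	fmt.Println(Credentials(admin)) // [client-cert bearer-token]
	fixed, _ := ApplyTokenFlag(admin, "sa-token")
	fmt.Println(Credentials(fixed)) // [bearer-token]
}
```
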
@ardaguclu
Member

First of all, flags should not be located before the command. In that case,

kubectl auth can-i --server=https://192.168.26.65:6443 --insecure-skip-tls-verify --token=$TOKEN --list

should be used like this.

and you have a default kubeconfig in admin.conf, kubectl will also use the kubeconfig certdata and not use the token. I think if you use --token, that means what you want to get is the token's privileges, not the kubeconfig's.

Are you saying that when a token is used, certdata in the kubeconfig should be used?

@INT2ECALL
Author

I mean, when you use the command

kubectl auth can-i --server=https://192.168.26.65:6443 --insecure-skip-tls-verify --token=$TOKEN --list

and you have a kubeconfig, it also uses the kubeconfig and does not use this token to authenticate to the apiserver.

@ardaguclu
Member

I think running this command with -v=9 sheds some light on what happens.

@ardaguclu
Member

/kind support
/remove-kind feature

@k8s-ci-robot k8s-ci-robot added kind/support Categorizes issue or PR as a support question. and removed kind/feature Categorizes issue or PR as related to a new feature. labels Dec 5, 2024