Hawtio online: RBAC not working #121

Open
midhunweb opened this issue Jun 27, 2022 · 13 comments
Comments

@midhunweb

The viewer role in Hawtio Online is not working. The pods are not identified (403 unauthorized) when I log in as a user with the viewer role. But the admin role is working. Is there something I am missing?

@Abhilash-as

When logged in using a newly created service account with the viewer role, the container names are not listed, while at the same time a user with the admin role can see the list of pods. When checked in developer options, it shows 403 forbidden: User not authorized.

What might be the reason for this?

While logging in with the viewer role
image

While logging in with the admin role
image

@tadayosi
Member

Hi, what's the result of the following command?

kubectl auth can-i get pods/<pod name> --as <viewer user>

It should at least return yes so that the given user is recognised as viewer role for Hawtio Online.

@midhunweb
Author

Hi, what's the result of the following command?

kubectl auth can-i get pods/<pod name> --as <viewer user>

It should at least return yes so that the given user is recognised as viewer role for Hawtio Online.

I am getting no for both admin and viewer users. I tried both get and update.

@tadayosi
Member

OK, then let's give them permissions accordingly so that they are recognised as viewer and admin respectively for Hawtio Online.
https://hawt.io/docs/online/rbac/

@Abhilash-as

Abhilash-as commented Jun 28, 2022

Thanks for the help.
That issue is fixed.
But I am getting a login pop-up while connecting to a container. The user with the cluster-admin role is able to connect to pods and view details, but other users with the role we created are not able to connect to the pod.

@tadayosi
Member

What about this role?

kubectl create role hawtio-viewer --verb=get,list,watch --resource=pods

or if you are using cluster mode:

kubectl create clusterrole hawtio-viewer --verb=get,list,watch --resource=pods

@midhunweb
Author

I went through all the steps mentioned above.
Created a new role: hawtio-viewer.
Created a user and a role binding.
When I log in to Hawtio Online, I can see the pods but cannot connect to them.
Screenshot (14)
Screenshot (16)

Note: The cluster admin role doesn't have this issue. It can connect to the pods directly.

@tadayosi
Member

Hmm, I'll take a closer look.

@midhunweb
Author

Thanks for your help and support. It will be good if you can find a solution for this issue.

@tadayosi
Member

tadayosi commented Jul 1, 2022

Hi @midhunweb,

It turned out there is one more permission required for a viewer role, which is create for authorization.k8s.io/localsubjectaccessreviews. Please create a viewer role as follows:

$ cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hawtio-viewer
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create
EOF

We'll document this somewhere later. Thank you for raising the issue.
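A small check, added here as an illustration and not part of Hawtio or of this thread, of whether a Role's rules grant the four permissions worked out above; the rule dicts mirror the `rules:` section of the YAML, and the `*` wildcard handling follows Kubernetes RBAC semantics.

```python
# Added example: does a Kubernetes Role grant what Hawtio Online's viewer
# role needs? From this thread: get/list/watch on pods plus create on
# authorization.k8s.io/localsubjectaccessreviews.

# (apiGroup, resource, verb) triples; "" is the core API group.
HAWTIO_VIEWER_REQUIRED = [
    ("", "pods", "get"),
    ("", "pods", "list"),
    ("", "pods", "watch"),
    ("authorization.k8s.io", "localsubjectaccessreviews", "create"),
]


def _matches(rule, api_group, resource, verb):
    """True if one RBAC rule grants verb on apiGroup/resource.
    Kubernetes treats "*" as a wildcard in each of the three lists."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (
        ("*" in groups or api_group in groups)
        and ("*" in resources or resource in resources)
        and ("*" in verbs or verb in verbs)
    )


def missing_permissions(rules, required=HAWTIO_VIEWER_REQUIRED):
    """Return the required (group, resource, verb) triples no rule grants."""
    return [
        (g, r, v)
        for (g, r, v) in required
        if not any(_matches(rule, g, r, v) for rule in rules)
    ]


# Rules equivalent to `kubectl create role hawtio-viewer --verb=get,list,watch
# --resource=pods`: pods are listed, but connecting to one fails with a login pop-up.
PODS_ONLY_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
]

# The corrected role from this thread, with the localsubjectaccessreviews rule added.
FIXED_RULES = PODS_ONLY_RULES + [
    {"apiGroups": ["authorization.k8s.io"],
     "resources": ["localsubjectaccessreviews"], "verbs": ["create"]},
]

if __name__ == "__main__":
    print("pods-only role is missing:", missing_permissions(PODS_ONLY_RULES))
    print("fixed role is missing:", missing_permissions(FIXED_RULES))
```

The same check can be run against a role exported with `kubectl get role hawtio-viewer -o json` by passing its `rules` array.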

@tadayosi tadayosi added this to the 1.15.0 milestone Jul 1, 2022
@midhunweb
Author

Thank you so much for your help, it is working now.

@github-actions

github-actions bot commented Jul 2, 2023

This issue has been automatically marked as stale due to a year of inactivity.
It will be closed if no further activity occurs within 14 days.
If you think that’s incorrect or the issue should never stale, please simply write any comment.
Thanks for your contributions!

@tadayosi
Member

tadayosi commented Jul 3, 2023

Let's keep it open until we improve documentation.

@tadayosi tadayosi modified the milestones: 1.16.0, 2024Q1 Nov 6, 2023
@tadayosi tadayosi modified the milestones: 2024Q1, 2024Q2 Apr 19, 2024