RBAC persistent volumes is not working with namespaces

[zetaab]

BUG REPORT

Kubernetes version (use kubectl version): Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1", GitCommit:"82450d03cb057bab0950214ef122b67c83fb11df", GitTreeState:"clean", BuildDate:"2016-12-14T00:57:05Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"5+", GitVersion:"v1.5.1-3+10e41f22e4421c", GitCommit:"10e41f22e4421c9a14e9e6782c6375c199a07a86", GitTreeState:"clean", BuildDate:"2016-12-15T10:06:44Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

Environment:

• Cloud provider or hardware configuration: openstack
• OS (e.g. from /etc/os-release): centos7
• Kernel (e.g. uname -a): 3.10.0-327.36.3.el7.x86_64

What happened: We have enabled RBAC authentication. We have two different rolebindings:

apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-custom
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
- kind: User
  name: kubelet
  namespace: kube-system
- kind: User
  name: clusteradmin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

and

apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: RoleBinding
metadata:
  name: default-admin
  namespace: default
subjects:
- kind: ServiceAccount
  name: default
- kind: User
  name: defaultadmin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

So we have two different users: clusteradmin, which have access to everything in kube cluster and defaultadmin, which should have access to all resources in default namespace. Executing PV commands with clusteradmin works fine, when using defaultadmin in default namespace it gives error:

kubectl get pv
Error from server (Forbidden): the server does not allow access to the requested resource (get persistentvolumes)

Error from server (Forbidden): error when creating "db-pv.yaml": the server does not allow access to the requested resource (post persistentvolumes)

What you expected to happen: defaultadmin should have access to PV resources in defined (in my case default) namespace, because cluster-admin clusterrole says following:

- apiGroups:
  - '*'
  attributeRestrictions: null
  resources:
  - '*'
  verbs:
  - '*'
- attributeRestrictions: null
  nonResourceURLs:
  - '*'
  verbs:
  - '*'

The important thing here is resources *, but it feels like PV is not part of wildcard.

How to reproduce it (as minimally and precisely as possible):

• enable RBAC
• create two users, clusteradmin and defaultadmin
• add clusterrolebinding and rolebinding which was mentioned earlier in this bug ticket
• execute PV commands in default namespace with both users

[Amit-PivotalLabs]

I'm having a similar issue, where I have a few namespaces including dev and default. As a "dev user" I can create a bunch of resources in the dev namespace, including a PVC, but creating the PV as the "dev user" in the dev namespace results in the same error as above:

Error from server (Forbidden): error when creating "db-pv.yaml": the server does not allow access to the requested resource (post persistentvolumes)

I can create the PV as the admin user in the default namespace, and then everything is fine.

[rsuniev]

PV's are not connected to a namespace

[liggitt]

PVs are cluster-scoped objects. They do not exist in a namespace. To get permission to use the PV API with RBAC you need a ClusterRole bound at the cluster scope with a ClusterRoleBinding.