kubernetes: admission chain is given authorizer that doesn't include superuser fallback

What happened?

I created a v1.21.5 cluster. After I deleted the default cluster-admin clusterrolebinding with group "system:masters", I failed to approve a pending csr with “kubectl certificate approve csr” and got the following error: Error from server (Forbidden): certificatesigningrequests.certificates.k8s.io “csr-abcdefg” is forbidden: user not permitted to approve requests with signerName “kubernetes.io/kubelet-serving”

What did you expect to happen?

The clusterrolebinding is not needed for the system:masters group to have superuser permissions; deleting the clusterrolebinding shouldn’t cause loss of permissions for the system:masters group.

How can we reproduce it (as minimally and precisely as possible)?

  • Create a cluster
  • kubectl delete clusterrolebinding cluster-admin
  • Create a csr in the cluster
  • Try to approve that csr with kubectl certificate approve

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
v1.21.5

Cloud provider

vmware


About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 24 (18 by maintainers)
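
The behaviour reported above, as an added example that is not part of the original issue or Kubernetes source: a simplified model of two authorizer chains, one with the system:masters superuser fallback (request authorization) and one with bindings only (the admission signer check). All type and function names are hypothetical; the verbs and resources are assumptions based on the error message.

```go
package main

import "fmt"

// Attrs is a cut-down authorization request (simplified model, not kube-apiserver code).
type Attrs struct {
	Groups               []string
	Verb, Resource, Name string
}
type Authorizer func(Attrs) bool

// anyGroup allows a request when the user is in a group for which ok returns true.
func anyGroup(ok func(string) bool) Authorizer {
	return func(a Attrs) bool {
		for _, g := range a.Groups {
			if ok(g) {
				return true
			}
		}
		return false
	}
}

// Superuser is the fallback: system:masters is allowed everything, with no binding lookup.
var Superuser = anyGroup(func(g string) bool { return g == "system:masters" })

// RBAC stands in for ClusterRoleBindings: the set of groups bound to cluster-admin.
func RBAC(bound map[string]bool) Authorizer {
	return anyGroup(func(g string) bool { return bound[g] })
}

// Union allows when either member allows.
func Union(a, b Authorizer) Authorizer {
	return func(x Attrs) bool { return a(x) || b(x) }
}

// ApproveCSR reports whether request authorization and the admission signer check pass.
func ApproveCSR(request, admission Authorizer, groups []string, signer string) (bool, bool) {
	update := Attrs{groups, "update", "certificatesigningrequests/approval", ""}
	approve := Attrs{groups, "approve", "signers", signer}
	return request(update), admission(approve)
}

func main() {
	rbac := RBAC(map[string]bool{}) // constructed state: cluster-admin binding deleted
	g, s := []string{"system:masters"}, "kubernetes.io/kubelet-serving"
	fmt.Println(ApproveCSR(Union(Superuser, rbac), rbac, g, s))                   // admission has bindings only
	fmt.Println(ApproveCSR(Union(Superuser, rbac), Union(Superuser, rbac), g, s)) // fallback in both chains
}
```

In this model the request itself is authorized in both cases; only the admission-side check depends on whether the binding still exists.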

Most upvoted comments

No, I have been busy recently. Please go ahead and take it if you are interested 😀