capsule: tenant owner can't impersonate a namespace admin

Bug description

The tenant owner Alice can’t impersonate the namespace admin Joe assigned by her. Only Cluster Admin can do this as of now.

How to reproduce

By following the docs, the tenant owner Alice assigns Joe as the namespace admin:

export KUBECONFIG=alice-oil.kubeconfig

kubectl apply -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
  name: oil-development:admin
  namespace: oil-development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: joe
EOF

But she can’t impersonate Joe:

kubectl --as joe --as-group capsule.clastix.io auth can-i create pod -n oil-development
Error from server (Forbidden): users "joe" is forbidden: User "alice" cannot impersonate resource "users" in API group "" at the cluster scope

And only Cluster admin can.

unset KUBECONFIG
kubectl --as joe --as-group capsule.clastix.io auth can-i create pod -n oil-development
yes
kubectl --as joe --as-group capsule.clastix.io auth can-i create pod -n oil-production
no

Expected behavior

The tenant owner should be able to act like a Cluster Admin within the assigned tenant.

Additional context

  • Capsule version: v0.1.0
  • Kubernetes version: v1.21.2

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (14 by maintainers)

Most upvoted comments

If Alice will have permissions to impersonate Joe, will she be able to access gas-bar namespace?

Hadn’t tested yet, it seems doable, tho, and this confirms my concerns regarding the privilege escalation.

I think we have to investigate addressing this on capsule-proxy if we don’t have any other option.
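
The escalation concern raised in the comments, modelled as an added example (not part of the original thread and not Capsule or capsule-proxy code). It assumes `gas-bar` belongs to a second tenant `gas` owned by a hypothetical user `bob`, and that `joe` also holds a binding there; `scoped_allow` is a hypothetical namespace-scoped rule, not an existing API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleBinding:
    namespace: str  # namespace the RoleBinding lives in
    subject: str    # user named in subjects
    role: str       # ClusterRole named in roleRef

# Constructed sample data: tenant layout and owners (the gas tenant and bob are assumptions).
TENANT_NAMESPACES = {
    "oil": {"oil-development", "oil-production"},
    "gas": {"gas-bar"},
}
TENANT_OWNERS = {"oil": {"alice"}, "gas": {"bob"}}

# Constructed bindings: the first mirrors the RoleBinding in the report,
# the second is an assumed binding for joe in another tenant's namespace.
BINDINGS = [
    RoleBinding("oil-development", "joe", "admin"),
    RoleBinding("gas-bar", "joe", "admin"),
]

def owned_namespaces(user):
    """Namespaces of every tenant the user owns."""
    owned = set()
    for tenant, owners in TENANT_OWNERS.items():
        if user in owners:
            owned |= TENANT_NAMESPACES[tenant]
    return owned

def bound_namespaces(target, bindings):
    """Namespaces where the target user holds any RoleBinding."""
    return {b.namespace for b in bindings if b.subject == target}

def escalation_namespaces(impersonator, target, bindings):
    """Namespaces gained through a cluster-scoped impersonate grant
    that lie outside the impersonator's own tenants."""
    return bound_namespaces(target, bindings) - owned_namespaces(impersonator)

def scoped_allow(impersonator, target, namespace, bindings):
    """Hypothetical rule: honour impersonation only inside the impersonator's
    own tenant, and only where the target is actually bound."""
    return (namespace in owned_namespaces(impersonator)
            and namespace in bound_namespaces(target, bindings))

if __name__ == "__main__":
    print("escalation via joe:", escalation_namespaces("alice", "joe", BINDINGS))
    for ns in ("oil-development", "oil-production", "gas-bar"):
        print(ns, scoped_allow("alice", "joe", ns, BINDINGS))
```

Because `users` is a cluster-scoped resource for the `impersonate` verb, a plain RBAC grant cannot express the namespace condition that `scoped_allow` models; that check has to live in a layer in front of the API server.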