RBAC cluster/rolebinding created without subjects and SA namespace check #129265

Open
astraw99 opened this issue Dec 18, 2024 · 2 comments · May be fixed by #129267
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

@astraw99
Member

astraw99 commented Dec 18, 2024

What happened?

When creating an RBAC RoleBinding and ClusterRoleBinding with ServiceAccount subjects, there is no check for empty subjects and no check for an empty namespace.

What did you expect to happen?

Should check for both empty subjects and an empty namespace.

How can we reproduce it (as minimally and precisely as possible)?

rolebinding-test.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rb-test
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-test
#subjects: # subjects is required
#- kind: ServiceAccount
#  name: sa-test
#  namespace: default # namespace is required
```

clusterrolebinding-test.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crb-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-test
#subjects: # subjects is required
#- kind: ServiceAccount
#  name: sa-test
#  namespace: default # namespace is required
```

`kubectl apply -f xxx.yaml` will reproduce this issue.

Anything else we need to know?

Issue tested in 1.31.

Kubernetes version

1.31
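
Added example, not part of the issue and not Kubernetes code: a client-side audit that applies the two checks the report asks for (empty `subjects`, and a `ServiceAccount` subject with no `namespace`) to bindings already stored in a cluster. It assumes the input is a JSON list in the shape produced by `kubectl get rolebindings,clusterrolebindings -A -o json`; `auditBindings`, `sampleList` and the `rb-ok` binding are names made up for this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the rbac.authorization.k8s.io/v1 binding schema used by the check.
type subject struct{ Kind, Name, Namespace string }
type binding struct {
	Kind     string
	Metadata struct{ Name, Namespace string }
	Subjects []subject
}

// auditBindings returns one finding per binding that has no subjects, and one
// per ServiceAccount subject that carries no namespace.
func auditBindings(listJSON []byte) ([]string, error) {
	var list struct{ Items []binding }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, b := range list.Items {
		id := b.Kind + "/" + b.Metadata.Name
		if len(b.Subjects) == 0 {
			findings = append(findings, id+": no subjects")
			continue
		}
		for _, s := range b.Subjects {
			if s.Kind == "ServiceAccount" && s.Namespace == "" {
				findings = append(findings, id+": ServiceAccount "+s.Name+" has no namespace")
			}
		}
	}
	return findings, nil
}

// Constructed sample: the issue's two bindings plus one complete binding.
const sampleList = `{"items":[
 {"kind":"RoleBinding","metadata":{"name":"rb-test","namespace":"default"}},
 {"kind":"ClusterRoleBinding","metadata":{"name":"crb-test"},"subjects":[{"kind":"ServiceAccount","name":"sa-test"}]},
 {"kind":"RoleBinding","metadata":{"name":"rb-ok","namespace":"default"},"subjects":[{"kind":"ServiceAccount","name":"sa-test","namespace":"default"}]}]}`

func main() {
	findings, err := auditBindings([]byte(sampleList))
	fmt.Println(findings, err)
}
```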

@astraw99 astraw99 added the kind/bug Categorizes issue or PR as related to a bug. label Dec 18, 2024
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 18, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@astraw99
Member Author

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 18, 2024
@github-project-automation github-project-automation bot moved this to Needs Triage in SIG Auth Dec 18, 2024