How to debug ABAC to RBAC transition on Kubernetes GKE cluster?

Where does GKE log RBAC permission events?

On Google Container Engine (GKE) clusters with Kubernetes v1.6, RBAC authorization is enabled by default. Apparently ABAC is included as a fallback permission and also to facilitate the transition of existing clusters to the new authorization scheme. The idea is that RBAC first tries to resolve the action. If that fails, it must be logged somewhere and then ABAC is used to allow the action. This should allow cluster administrators to check the logs for skipped RBAC permissions before permanently disabling ABAC.

We have several clusters that disallow GCP logging / monitoring and use their own ELK stack instead. Just to make sure, I created a test cluster with cloud logging and cloud monitoring, but I still can't find any RBAC events anywhere. The test pod is a Prometheus server that detects and scrapes other pods and nodes.

+3




2 answers


To make this more complete, from Using RBAC Authorization:

When running with log level 2 or higher (--v=2), you can see RBAC failures in the apiserver log (prefixed with RBAC DENY:).



In GKE, apiserver logs can be accessed over HTTP, for example:

kubectl proxy &
curl -s http://localhost:8001/logs/kube-apiserver.log


+8


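An added example (not from the question or either answer) that turns the apiserver log the answer points at into the list an administrator needs before disabling ABAC: it parses the `RBAC DENY:` lines and groups the denied verbs per subject, resource and namespace, so the missing Role or ClusterRole can be written while ABAC is still covering the gap. The sample log lines are constructed; only the `RBAC DENY:` prefix comes from the page, the field layout after it is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of a kube-apiserver log at --v=2. The "RBAC DENY:" prefix is
# the documented one; the user/groups/verb/resource layout is an assumption.
SAMPLE_LOG = """\
I0509 10:15:01.123456       1 rbac.go:74] RBAC DENY: user "system:serviceaccount:monitoring:prometheus" groups ["system:serviceaccounts" "system:serviceaccounts:monitoring" "system:authenticated"] cannot "list" resource "pods" cluster-wide
I0509 10:15:01.223456       1 rbac.go:74] RBAC DENY: user "system:serviceaccount:monitoring:prometheus" groups ["system:serviceaccounts" "system:serviceaccounts:monitoring" "system:authenticated"] cannot "list" resource "nodes" cluster-wide
I0509 10:15:02.000000       1 rbac.go:74] RBAC DENY: user "system:serviceaccount:monitoring:prometheus" groups ["system:serviceaccounts" "system:serviceaccounts:monitoring" "system:authenticated"] cannot "get" resource "pods" cluster-wide
I0509 10:15:03.000000       1 rbac.go:74] RBAC DENY: user "alice@example.com" groups ["system:authenticated"] cannot "delete" resource "deployments" in namespace "staging"
I0509 10:15:04.000000       1 handler.go:160] GET /api/v1/namespaces/default/pods: (1.2ms) 200
"""

DENY_RE = re.compile(
    r'RBAC DENY: user "(?P<user>[^"]+)" groups \[(?P<groups>[^\]]*)\] '
    r'cannot "(?P<verb>[^"]+)" resource "(?P<resource>[^"]+)"'
    r'(?: named "(?P<name>[^"]+)")?'
    r'(?: in namespace "(?P<namespace>[^"]+)"| (?P<cluster>cluster-wide))'
)


def parse_denials(log_text):
    """Return one dict per RBAC DENY line; every other log line is ignored."""
    denials = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["groups"] = re.findall(r'"([^"]+)"', d.pop("groups"))
        d["namespace"] = d["namespace"] or "*"   # "*" marks a cluster-wide denial
        del d["cluster"]
        denials.append(d)
    return denials


def summarize(denials):
    """Collapse denials into {(user, namespace): {resource: [verbs]}}.

    Each entry is one rule an admin still has to grant via RBAC; anything left
    here after real traffic has run is what ABAC is silently allowing today.
    """
    needed = defaultdict(lambda: defaultdict(set))
    for d in denials:
        needed[(d["user"], d["namespace"])][d["resource"]].add(d["verb"])
    return {k: {r: sorted(v) for r, v in res.items()} for k, res in needed.items()}


if __name__ == "__main__":
    for (user, ns), rules in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{user} (namespace {ns}): {rules}")
```

Feed it the output of the `curl` command above instead of `SAMPLE_LOG` to run it against a real cluster.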


RBAC denials are logged in the master apiserver log.



+3

