Why Isn’t the AlwaysDeny Authorization Mode Working as Expected in Kubernetes?

Asked By CuriousCat123 On

Hey everyone! I'm diving deep into Kubernetes again, preparing for my certification, and I've set up a simple cluster with kubeadm—one master node and two workers. I haven't modified any core config files.

I was experimenting with the kube-apiserver's authorization modes and came across 'AlwaysDeny' and 'AlwaysAllow'. The idea is that 'AlwaysDeny' should prevent any requests, while 'AlwaysAllow' should permit them. I started the kube-apiserver with the command-line options:

--authorization-mode=Node,AlwaysDeny,RBAC,AlwaysAllow

Since I haven't set up RBAC roles or bindings, I expected 'AlwaysDeny' to reject requests even with a valid token. However, when I made an API call like 'curl -H "Authorization: Bearer token" http://ip:6443/api/v1/pods', it let me through and listed all the pods.

Without 'AlwaysAllow', it correctly denied the requests like I anticipated. I also checked the Kubernetes source code and it seems that 'AlwaysDeny' returns a NoOpinion verdict, which confuses me. Why is 'AlwaysDeny' not functioning as I expected? How can I properly test it if it appears non-functional?

3 Answers

Answered By LearningLizard On

Hey, are you following a specific learning plan for Kubernetes? I find it interesting how everyone approaches this!

Answered By TechieTom89 On

It does seem weird that 'AlwaysDeny' doesn’t return an explicit deny. A few years back, they switched to a three-tier system—Allow/Deny/NoOpinion—so it’s likely more complex than before. This isn't something that usually affects real environments, since the 'AlwaysDeny' mode is not meant for production use. It’s basically there for testing, and in a live scenario, it wouldn't make sense to have an API that always denies requests.

Answered By DevGuy42 On

Right, so 'AlwaysDeny' not actually denying requests brings a bit of confusion. It returns NoOpinion, which lets Kubernetes check the next mode in the chain, like your 'AlwaysAllow'. If you’re trying to see how 'AlwaysDeny' behaves, consider running the apiserver with only 'AlwaysDeny' to see the effect directly.
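A model of the chain evaluation that the question and the answers above describe, as an added example written for this thread; it is not Kubernetes' own code. It assumes a simplified Authorizer shape, models the Node mode as a group check on system:nodes, and gives RBAC an empty binding table to mirror the asker's cluster; the reason strings are constructed. The mode names, AlwaysDeny returning NoOpinion, and the rule that only an explicit Allow admits a request follow what the thread states.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is the three-way verdict the thread discusses (a constructed stand-in
// for the Kubernetes type): NoOpinion defers to the next mode in the chain.
type Decision int

const (
	NoOpinion Decision = iota
	Allow
	Deny
)

func (d Decision) String() string { return [...]string{"NoOpinion", "Allow", "Deny"}[d] }

// Request is a minimal, constructed view of what an authorizer inspects.
type Request struct {
	User, Verb, Resource string
	Groups               []string
}

// Authorizer is one mode in the chain (simplified shape, not the Kubernetes interface).
type Authorizer struct {
	Name      string
	Authorize func(r Request) (Decision, string)
}

// rbac builds a toy RBAC authorizer from a user -> allowed verbs table. The
// asker's cluster has no bindings, so the table is empty below.
func rbac(bindings map[string][]string) Authorizer {
	return Authorizer{"RBAC", func(r Request) (Decision, string) {
		for _, v := range bindings[r.User] {
			if v == r.Verb {
				return Allow, "RBAC rule matched"
			}
		}
		return NoOpinion, "no RBAC policy matched"
	}}
}

// modes maps --authorization-mode names to their authorizer. AlwaysDeny returns
// NoOpinion rather than Deny, which is what the question observed in the source;
// the Node mode is a toy that only has an opinion about system:nodes members.
var modes = map[string]Authorizer{
	"AlwaysDeny":  {"AlwaysDeny", func(Request) (Decision, string) { return NoOpinion, "Everything is forbidden." }},
	"AlwaysAllow": {"AlwaysAllow", func(Request) (Decision, string) { return Allow, "Everything is allowed." }},
	"Node": {"Node", func(r Request) (Decision, string) {
		for _, g := range r.Groups {
			if g == "system:nodes" {
				return Allow, "node identity"
			}
		}
		return NoOpinion, ""
	}},
	"RBAC": rbac(map[string][]string{}),
}

// ParseModes turns a --authorization-mode value into an ordered chain.
func ParseModes(flag string) ([]Authorizer, error) {
	var chain []Authorizer
	for _, m := range strings.Split(flag, ",") {
		a, ok := modes[strings.TrimSpace(m)]
		if !ok {
			return nil, fmt.Errorf("unknown authorization mode %q", m)
		}
		chain = append(chain, a)
	}
	return chain, nil
}

// Chain evaluates modes in order: the first Allow or Deny is final, NoOpinion
// passes the request on, and a chain that never forms an opinion ends NoOpinion.
func Chain(chain []Authorizer, r Request) (Decision, string) {
	var reasons []string
	for _, a := range chain {
		d, why := a.Authorize(r)
		if d != NoOpinion {
			return d, a.Name + ": " + why
		}
		if why != "" {
			reasons = append(reasons, a.Name+": "+why)
		}
	}
	return NoOpinion, strings.Join(reasons, "; ")
}

// Admit applies the apiserver rule at the end of the chain: only an explicit
// Allow admits the request; Deny and NoOpinion both become a 403.
func Admit(chain []Authorizer, r Request) bool {
	d, _ := Chain(chain, r)
	return d == Allow
}

func main() {
	req := Request{User: "curious", Verb: "list", Resource: "pods"}
	for _, f := range []string{"Node,AlwaysDeny,RBAC,AlwaysAllow", "Node,AlwaysDeny,RBAC", "AlwaysDeny"} {
		chain, _ := ParseModes(f)
		d, why := Chain(chain, req)
		fmt.Printf("%-32s -> %-9s admitted=%t (%s)\n", f, d, Admit(chain, req), why)
	}
}
```

Running it with the asker's flag shows why the curl went through: Node and AlwaysDeny both answer NoOpinion, the empty RBAC table answers NoOpinion, and AlwaysAllow is the first mode to form an opinion. Drop AlwaysAllow and the chain ends NoOpinion, which the apiserver treats as forbidden, so the request is refused even though no mode ever returned an explicit Deny.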
