Would you mind adding an index.yml for the helm chart? so that we can use it directly in the helm. I can help if you like the idea.

I'm using Google OpenID for cluster authentication and the email claim as the username.
So the subject name in my role bindings is the user email address and the UI blocks me from inputting @ in the user name input field.

While working on #81,

I saw we are using statik to embed files in the resulting binary (frontend). In the #81 we are updating the golang version to 1.16. This version includes a native golang feature to embed files.

Changing from statik to native golang way:

• Makes it easier to maintain the project
• Makes it easier to automate stuff
• Makes it easier to develop locally.

Permission Manager uses React FavIcon instead of a custom one. Would be nice to have a custom favicon to differentiate the tab.

To be discussed if in scope or not for the tool, but with @ralgozino we were thinking about using permission manager to generate OpenVPN certs and manage the CRL, given an intermediate certificate signed by the root CA.

When you upgrade permission manager from 1.5.1 to 1.6.0, the kubeconfig stops using certificates and starts using tokens, but if you download the new kubeconfig you get permission denied for all actions.

Going to the user and clicking the save button, re-applies the permissions.

We don't know the root cause yet, but this migration should be automated or at least documented in the release notes.

When I make helm chart, I always get error:

   ____    __
  / __/___/ /  ___
 / _// __/ _ \/ _ \
/___/\__/_//_/\___/ v3.3.10-dev
High performance, minimalist Go web framework
https://echo.labstack.com
____________________________________O/_______
                                    O\
{"time":"2020-06-09T12:11:22.343530878Z","level":"FATAL","prefix":"echo","file":"run-server.go","line":"17","message":"listen tcp: address tcp/4000\n: unknown port"}

I solved this manually:

1. Made a namespace,
2. Applied filled secret,
3. Applied my Helm Chart.

Unfortunately, this worked only one time. I am not able to install it again.

This is anusual behavior for helm, can you fix it please? Secret should be part of the Helm Chart.

Hello

Looks like permission-mamanher is not supporing newer Kubernetes versions. Tried to install it on 1.22 and was getting following errors:
kubectl apply -f https://github.com/sighupio/permission-manager/releases/download/v1.7.0-rc3/crd.yml
error: unable to recognize "https://github.com/sighupio/permission-manager/releases/download/v1.7.0-rc3/crd.yml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"

kubectl apply -f https://github.com/sighupio/permission-manager/releases/download/v1.7.0-rc3/deploy.yml
service/permission-manager created
deployment.apps/permission-manager created
serviceaccount/permission-manager created
clusterrole.rbac.authorization.k8s.io/permission-manager created
error: unable to recognize "https://github.com/sighupio/permission-manager/releases/download/v1.7.0-rc3/deploy.yml": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"

Is this something we could have any time soon?
Thanks!

Hi,

After performing the steps described on the installation page, i get Restricted access when trying to log in.
Tried to change the password several times, but without luck.

Any thoughts would be greatly appreciated.

Thanks

Using 1.7.0-rc1:
Whatever role I'm setting for my users it shows developer role in UI, but I'm checking the rolebinding inside the cluster and it binds the right clusterrole (e.g. template-namespaced-resources___operation). this behavior exists for custom templates as well as for templates added from seeds.yaml

The generated kubeconfig doesn't have a namespace set in the context.

If the user doesn't have access the default namespace then they get access denied unless they specify namespace.

Can we have an option to set the namespace in the generated kubeconfig?

While working on #81,

I found that the tests executed during the pipeline (e2e) are different from the tests you can execute locally (e2e).
One is based on bats and tests only the API, on the other side, the local e2e opens a cypress window to tests e2e in a browser.

This is something we have to align

when trying (by mistake) to add an user with a name which already exists as rolebinding, it will crash with no explanation. i have had previously created a ServiceAccount/Role/RoleBinding using standard k8 yaml.

Hello how can i make modification in generates bindings?

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-10-19T13:51:31Z"
  labels:
    generated_for_user: username
  name: username___template-namespaced-resources___test___monitoring
  namespace: monitoring
  resourceVersion: "62934390"
  uid: 2b36d436-0b65-493c-822a-45d44d98352f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: template-namespaced-resources___test
subjects:
- kind: ServiceAccount
  name: username
  namespace: permission-manager

i need to have possibility add group which will based on username

- apiGroup: rbac.authorization.k8s.io
  kind: Group or User
  name: username

User "student1" created without errors.

ClusterRole-----<>ClusterRoleBinding
both are exist

ubectl describe clusterRoleBinding/student1___template-cluster-resources___read-only
Name:         student1___template-cluster-resources___read-only
Labels:       generated_for_user=
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  template-cluster-resources___read-only
Subjects:
  Kind  Name      Namespace
  ----  ----      ---------
  User  student1  

Any commands are return next error message:

kubectl --kubeconfig=/home/user/.kube/config-student1 get nodes

output

Please enter Username:

[root@master01 kubernetes]# kubectl describe pod -n permission-manager
Warning FailedCreatePodSandBox 20s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "e3bad963c494ae17bcb007fa366cd47ca6a03026fec11cedc7a2bb17311f334d" network for pod "permission-manager-7cd5f4f6b8-5rzx4": networkPlugin cni failed to set up pod "permission-manager-7cd5f4f6b8-5rzx4_permission-manager" network: error getting ClusterInformation: Get https://[10.255.0.1]:443/apis/crd.projectcalico.org/v1/clusterinformations/default: x509: cannot validate certificate for 10.255.0.1 because it doesn't contain any IP SANs, failed to clean up sandbox container "e3bad963c494ae17bcb007fa366cd47ca6a03026fec11cedc7a2bb17311f334d" network for pod "permission-manager-7cd5f4f6b8-5rzx4": networkPlugin cni failed to teardown pod "permission-manager-7cd5f4f6b8-5rzx4_permission-manager" network: error getting ClusterInformation: Get https://[10.255.0.1]:443/apis/crd.projectcalico.org/v1/clusterinformations/default: x509: cannot validate certificate for 10.255.0.1 because it doesn't contain any IP SANs]

How to deal with it ？

After update from v1.6.0 to 1.7.1-rc1 the value fro the key certificate-authority-data in kubeconfig are missing for new created user and old users too.

In Azure AKS users can have access granted by either by their AD group membership, or directly using AD user ID. It would be extremely useful, if user access management could be done using permission-manager.

In order to achieve it, it would be necessary to allow different kind of subjects for both clusterrolebinding and rolebinding.
This is an example of clusterrolebinding used for assigning RBAC to AD group:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: id-redacted

Similarly kind: User can be used to grant a specific user access to Kubernetes using RBAC.
Ideally, web interface should allow creation of different kind of subjects and used created subjects for access grants.

Best practices to upgrade from one RC to another? Nothing in the documentation so far.

Hello,

E2E tests right now use a static version of permission manager, loaded from the deployment files. This causes several issues:
a) requires a version change to make tests effective
b) it forces you to alter deployment file temporarily
c) it renders very hard to do e2e local testing/impossible

Proposed solution: Tests should deploy a locally built temporary image of permission manager.
This could be done either by using kustomize patches on the deployment folder or by opening a new folder with the tests manifests.

It looks like you can't authenticate on k8s dashboard using the k8s kubeconfig generated by permission manager. How do you get the token to also use the kubernetes dashboard?

I was in need to create access rights for user to read resources in only one specific namespace.
So I created ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-namespaced-resources___readonly
rules:
- apiGroups:
  - '*'
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - pods/log
  - pods/portforward
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - secrets
  - services
  - events
  - daemonsets
  - deployments
  - replicasets
  - ingresses
  - networkpolicies
  - poddisruptionbudgets
  - statefulsets
  - tlsstores
  - middlewares
  verbs:
  - get
  - list
  - watch

Despite granted access rights works, and user can read needed resources, the grunted rights not shown in UI poperly.

Its same for v1.6 and 1.7.1-rc1

Choosing a cluster resources permission in a user configuration different than None, doesn't reflect in the UI after a relod of the page, for example going back to the root and entering to see the user details again.

The radio-button is always in None

Steps to reproduce:

1. create a new user and select "READ-ONLY" for cluster resources and save it.
2. go back to permission manager's root
3. open again the user, you should see READ-ONLY selected but the radio button remains in None.

This behaviour is present at least in 1.5.1, 1.6.0 and 1.7.0-rc3

can you please make the context name to be username@clustername instead of clustername as is now? this would be useful for admins which are testing many users on the same cluster.

it seems to be a small change in internal/kubeconfig/create-kubeconfig.go, something like

--- a/internal/kubeconfig/create-kubeconfig.go
+++ b/internal/kubeconfig/create-kubeconfig.go
@@ -35,7 +35,7 @@ users:
user:
client-certificate-data: %s
client-key-data: %s`,

•           clusterName, clusterName, clusterControlPlaceAddress, caBasebase64, clusterName, username, clusterName, username, crtBase64, privateKeyBase64)
  

•           clusterName, clusterName, clusterControlPlaceAddress, caBasebase64, clusterName, username, username+"@"+clusterName, username, crtBase64, privateKeyBase64)
  
    return kubeconfigYAML
  

}

Is there a way that even though the user is only granted full access to some namespaces, the user still can see the metrics from Lens app? Because the user can't see the namespaces resources this way.

Currently (if I am not entirely wrong) permission-manager supports namespaced role-templates. For clusterwide resource-access, there are only three roles (none, read-only, read-write) for all resources available.

I would very much appreciate to be able to define custom roles for cluster-resource-access and to assign them in the web-ui.

PS: Currently, every user needs to have a namespaced role. With this FR it might need to be possible to have a user with only clusterroles

Hi,

I would ask if the web can server under path, for example, http://xxxx/permission-manager?

Thanks
Nan,

I tried with AKS, it works well. When I try with EKS, this approach failed due to IAM based authentication. Any workaround?

I've created users with operation/all-namespaces/read-write permissions.
When I merge into my existing /config:
k get pods
error: You must be logged in to the server (Unauthorized)

k version
error: You must be logged in to the server (the server has asked for the client to provide credentials)

When I point to generated kube config saved to a file, and k version:
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")

ClusterRoleBinding object is deprecated from rbac.authorization.k8s.io/v1beta1 in the latest versions of Kubernetes. We should document this

thanks for the new release! how do we upgrade from 1.5.0 to 1.6.0?

Hi
Using k8s 1.8

Am able to create a user and save unless you choose all namespaces then get pacman
Once user is created chose to show kubeconfig file and just get loading screen

I have created 2 users: test and test2
if I delete test2 user everything is ok and test user is still available
if I delete test user, test2 user is gone from cluster but still it's showing in permission manager and if I click on username in permission manager application hangs. I've created rolebinding manually in order to bring back user and make application work again.

Same behavior was for 2+ users with the following names:
user
user-dev
user-test
user-staging
user-prod
I deleted user and all other users(rb,sa) were deleted from cluster but they still exist in permission-manager and when I click on one of them the app hangs.

First of all, thanks to the producers. This tool is what we need most now

I don't know what this function is, I don't understand

This copy button doesn't work in my Chrome browser

When creating a new user in Permission Manager, the username field suggests as an example Jane Doe, but if you write that you get an error message saying that the username is not valid:

Hello,
Thanks for this great project!

Would it be possible to have an OAuth login page?
And different users:

• if it's an admin user have the possibility to create/delete accounts.
• Otherwise only have the possibility to download its own kubeconfig file?

The ClusterRole template-namespaced-resources___operation can login onto any node as root directly using k8s api's.
i know is something it can do due to the use of the API, but i would suggest to notify user of the chance inside the readme.

I can see the chart in the source but it does not appear to be published anywhere.
I tried https://sighupio.github.io for your chart repo as a test with no dice.

Do you have plans to publish it out and document it?

First of all thanks for creating this tool it really helps a lot!

I'm wondering why will "kube" Namespaces be excluded from the overview, i guess for security reasons ?

Can we provide an option to show namespaces starting with "kube" so rolebindings can be set also for this namespace?
Maybe a configuration variable during setup or a checkbox in the UI ?

Thanks!

Looking at https://quay.io/repository/sighup/permission-manager?tab=tags I've found that two tags of the permission-manager image exists at the moment: 1.5.0 and 1.6.0-dev.
However, looking at the git repository it is not clear to which git commit hashes these versions corresponds.

I must admit that I haven't looked too much in depth into the content of the images to see whether there is any metadata allowing to related these to the git commits hash, but it would be cool having tags of the Docker image corresponding to tags in the git repository in order to ease the version of the application and issues troubleshooting.

Using v1.16.0
There is a bug when creating users with same prefix. Steps to reproduce:

1. create user with name test in namespace1 with operator role
2. create user with name test2 in namespace2 or namespace1 with operator/developer role
3. edit user test and you will see namespace2 with appropriate role has been added to test user. if you try to delete that role, and then open test2 user application hangs and no test2 user/rolebinding exists in cluster

Hi, I just deployed permission-manager on k8s infra version 1.17.4
I followed the installation guide to define the cluster_name, control plane address, and the password.

The deployment succeeds and i am able to access the application via the UI. However, I see no users listed (even though we already use some) and i cannot create any new ones from the UI.

I checked the logs of the pod and I think we may have a problem:

Hello,
Is there possibility to have any integrations with LDAP with the tool.
That would be a killer feature for us.

Hi,

First of all very pleased with permission-manager.
Just started using/discovering the tool and ran into an issue.
I'm:

• using master (1.7.0-rc2).
• creating a user having read-only access to non-namespaced resources and developers access to all namespaces.

After creation I go back to review the user config and the radio-buttons for the non-namespace resources do not show the previously created settings.

This might only be a cosmetic issue, but it is slightly confusing .

Next, and this the real issue, it seems that while creating cluster-rolebindings the systems prepends the clusterrole name with user-name (testdev1___template-cluster-resources___read-only):

While the created cluster-role has a different name (template-cluster-resources___read-only):

This causes the cluster-role failing.

Can you have a look?
Thnx in advance

Hi,

We're ran into an issue on a cluster running kubernetes 1.18.1. When we try and create a user in permission manager the client-certificate-data field is empty.

Looking into the container logs when a user is created, we see the following error:

2020/04/23 16:10:18 Failed to approve CSR: CSR_FOR_octopus2020-04-23 16:10:18.321584926 +0000 UTC m=+120.763289690
certificatesigningrequests.certificates.k8s.io "CSR_FOR_octopus2020-04-23 16:10:18.321584926 +0000 UTC m=+120.763289690" is forbidden: user not permitted to approve requests with signerName "kubernetes.io/legacy-unknown"
2020/04/23 16:11:09 Failed to retry get approved CSR

This looks to be down to breaking changes in kubernetes 1.18.

I was able to resolve it by editing the seed.yml and updated the cluster role for permission manager to add the signers resource:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: permission-manager-cluster-role
rules:
  - apiGroups:
      - "*"
    resources:
      - "permissionmanagerusers"
      - "clusterrolebindings"
      - "clusterroles"
      - "rolebindings"
      - "roles"
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "signers"
    verbs:
      - "*"

  - apiGroups:
      - ""
    resources:
      - "namespaces"
    verbs: ["get", "list"]

Hi, I managed to deploy your app and created several users. I then noticed that the server address in the kube config file pointed to the internal address of the api-server as I configured that in the beginning. I then changed the address to my external api-server loadbalancer address and now the app is stuck on ...loading when trying to list the available users. I try to change the address back to the internal address but I can't get the app to load the user list. It hangs for a while and then dies.

Any ideas? There is nothing in the log. I've tried to restart the pod several times now.

按组来划分权限？

Hello, I am learning Kubernetes.

After deployment to

http://localhost:4000

I have a problem to login.

First I tried to login with user : admin and password : password, but this do not working.

Here is my configuration :

- name: BASIC_AUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: auth-password-secret
                  key: password

And how can I change this password ?

Thanks for any help.

k8s: v1.22.2
permission-manager: v1.7.1-rc1

Error process:

1. Create a user and give rights to namespace
2. Remove namespace
3. Open the user for editing
4. The endless process of "... loading" and the out of memory error

Found error correction process:

1. Remove CustomResourceDefinitions
2. Create user again