Docker Community Forums

Conversion of ClusterRole (from K8S) to Docker 2.0 EE


(Nicola Benaglia) #1

Due to the fact that Kubernetes’ RBAC is disabled in Docker 2.0 EE, I must create a role with the same permissions as described in this Kubernetes manifest:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch

From the UCP graphical interface I create a role with “get, list, watch” for “services, endpoints, secrets, ingresses”, but I still get errors about some missing permissions:

E0530 08:24:23.481630 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:traefik:traefik-ingress-controller" cannot list endpoints at the cluster scope: access denied
E0530 08:24:24.449718 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:traefik:traefik-ingress-controller" cannot list ingresses.extensions at the cluster scope: access denied
E0530 08:24:24.465825 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:traefik:traefik-ingress-controller" cannot list services at the cluster scope: access denied
E0530 08:24:24.499634 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:traefik:traefik-ingress-controller" cannot list endpoints at the cluster scope: access denied

My questions are:

  • Is there a way (maybe a utility) to translate a K8S manifest to Docker and have the objects created with no effort? Through the UI in UCP it is not so quick.
  • Could you suggest where the missing permissions are defined? For example, ingresses in the extensions group?

Thank you in advance.
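An added diagnostic for the situation described in this post (example code, not part of the original thread and not a Docker or Traefik tool): it flattens the ClusterRole above into (verb, resource, apiGroup) triples, parses the API server's "is forbidden" messages out of the reflector log lines, and reports which denied permissions the role was supposed to grant, which shows that the role is not effective for the service account rather than that a rule is missing. It also emits `kubectl auth can-i` checks that impersonate the service account so the binding can be verified from the command line. The ClusterRole is embedded as a Python dict mirroring the manifest (a PyYAML `safe_load` of the file would yield the same structure), the log sample is constructed from the errors quoted above with the vendor path trimmed, and whether `kubectl auth can-i --as=...` works against a UCP-managed API server is an assumption this thread does not confirm.

```python
import re
from typing import List, Set, Tuple

# The ClusterRole from the post as a dict (same shape PyYAML would produce);
# kept inline so the script runs offline.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "traefik-ingress-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: three of the reflector errors quoted in the post, with the
# long vendor path replaced by "..." (the server-generated suffix is unchanged).
SAMPLE_LOG = """\
E0530 08:24:23.481630 1 reflector.go:205] ...: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:traefik:traefik-ingress-controller" cannot list endpoints at the cluster scope: access denied
E0530 08:24:24.449718 1 reflector.go:205] ...: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:traefik:traefik-ingress-controller" cannot list ingresses.extensions at the cluster scope: access denied
E0530 08:24:24.465825 1 reflector.go:205] ...: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:traefik:traefik-ingress-controller" cannot list services at the cluster scope: access denied
"""

# Matches the authorization failure text the API server appends, in both the
# cluster-scope and the namespaced form ("in the namespace \"x\"").
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>[\w.-]+)'
    r' (?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

Permission = Tuple[str, str, str]  # (verb, resource, apiGroup)


def expand_rules(role: dict) -> Set[Permission]:
    """Flatten RBAC rules into the set of (verb, resource, apiGroup) triples they grant."""
    perms: Set[Permission] = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    perms.add((verb, resource, group))
    return perms


def parse_forbidden(log: str) -> List[dict]:
    """Extract user, verb, resource, apiGroup and scope from 'is forbidden' log lines."""
    found = []
    for line in log.splitlines():
        m = FORBIDDEN_RE.search(line)
        if not m:
            continue
        # The server writes "<resource>.<group>" for non-core groups and a bare
        # resource name for the core ("") group.
        resource, _, group = m["resource"].partition(".")
        found.append({
            "user": m["user"], "verb": m["verb"], "resource": resource,
            "group": group, "scope": m["namespace"] or "cluster",
        })
    return found


def missing_permissions(role: dict, log: str) -> List[dict]:
    """Denials for permissions the role grants on paper: the role is not bound or not effective."""
    granted = expand_rules(role)
    return [d for d in parse_forbidden(log)
            if (d["verb"], d["resource"], d["group"]) in granted]


def can_i_commands(role: dict, user: str) -> List[str]:
    """One 'kubectl auth can-i' check per granted permission, impersonating the subject.

    Assumption: impersonation via --as is accepted by the cluster being queried.
    """
    cmds = []
    for verb, resource, group in sorted(expand_rules(role)):
        target = f"{resource}.{group}" if group else resource
        cmds.append(f"kubectl auth can-i {verb} {target} --all-namespaces --as={user}")
    return cmds


if __name__ == "__main__":
    for d in missing_permissions(CLUSTER_ROLE, SAMPLE_LOG):
        print(f"role grants {d['verb']} {d['resource']}.{d['group'] or 'core'} "
              f"but {d['user']} was denied at scope {d['scope']}")
    print("\n".join(can_i_commands(
        CLUSTER_ROLE, "system:serviceaccount:traefik:traefik-ingress-controller")))
```

Every denial in the sample is for a permission the ClusterRole already lists, so the useful next question is not which rule to add but whether the role is bound to the service account at cluster scope in the UCP grant model; the generated `can-i` lines answer that per permission without giving the service account anything new.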


(David Maze) #2

The errors you’re getting sound like RBAC errors; https://docs.docker.com/ee/#kubernetes-support claims RBAC is fully supported.

If RBAC were in fact disabled, the right approach would be to not set up a ServiceAccount, ClusterRole, or ClusterRoleBinding, and create whatever Kubernetes resources with the default permissions.

At least in Docker for Mac (CE, Edge) there’s no “translate” – Kubernetes-in-Docker is Kubernetes, and you can use ordinary k8s manifests and commands like kubectl to interact with it normally.

What happens if you kubectl apply or otherwise load the ClusterRole you quoted?


(Nicola Benaglia) #3

When I tried to create a Role from kubectl I got this:

# kubectl create role my_role --verb=list --resource=pod
Error from server (NotFound): the server could not find the requested resource (post roles.rbac.authorization.k8s.io)

This source says Docker has its own RBAC and, in consequence, K8S’ RBAC is disabled and not enabled:
https://docs.docker.com/ee/ucp/authorization/migrate-kubernetes-roles/

I quote the snippet about RBAC:

Docker EE has its own RBAC system that’s distinct from the Kubernetes system, so you can’t create any objects that are returned by the /apis/rbac.authorization.k8s.io endpoints. If the yaml for your Kubernetes app contains definitions for Role, ClusterRole, RoleBinding or ClusterRoleBinding objects, UCP returns an error.


(Christophe Lehy) #4

The examples provided explain how to create the equivalent of a Role and RoleBinding.

Nothing regarding ClusterRole and ClusterRoleBinding. I don't know enough about RBAC in UCP and K8S to figure it out from the examples provided by the UCP doc. If someone has ideas, you are welcome!