Role/ClusterRole creation doesn't cross authorizers nicely

[cjcullen]

In order to create an RBAC role, I need to have all of the permissions that exist in the role, through RBAC. It doesn't matter If I have all the permissions through another authorizer.

On GKE, for example, if I want to use my Google identity to create a role, I first have to create an RBAC RoleBinding giving myself the cluster-admin role, even if I am the owner of the project that has the GKE cluster.

We should authorize role creation in a way that allows "super users" from other authorizers to use RBAC.

[liggitt]

Cc @kubernetes/sig-auth-feature-requests

As a workaround, a GKE cluster admin can grant themselves RBAC permissions first:

kubectl create clusterrolebinding i-am-root --clusterrole=cluster-admin --user=<myusername>

[ericchiang]

Another check like this? #39383

[cjcullen]

I was thinking something similar to that.

Strawman:
To see if a user should be able to create/update a clusterRole:
Check "clusterRoleBindings" "bind" on the root of the cluster.
To see if a user should be able to create/update a role:
Check "roleBindings" "bind" on the whole namespace.

If you can bind to any existing role/clusterRole, then you can create/update roles/clusterRoles.

I think this is reasonable if you assume there is always a superuser role in every context. It might fall over if you consider a namespace that only has some low privilege roles that you are now able to escalate.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

[liggitt]

/lifecycle frozen