Protect Deployments from manual deletion

Question

We have an Azure-Kube.netes and use a helm chart to manage a list of deployments.

I would like to somehow block manual removal of the deployments. Deletion of the pods is fine, actually wanted to be able to "restart" the services inside to clean up cache and so on.

I'm sorry for the short question, am searching for a while but so far found nothing promising.

Answer 1

You can configure the RBAC into the K8s cluster.

Role for the deployment manager

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager
rules:
- apiGroups: ["*"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Role for developer

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Role binding deployment manager

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
subjects:
- kind: User
  name: admin
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""

Role binding developer

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: developer-manager-binding
subjects:
- kind: User
  name: dev
  apiGroup: ""
roleRef:
  kind: Role
  name: developer
  apiGroup: ""

You can create two new K8s contexts and using that check

kubectl --context=dev-context get pods

You can read more at: https://docs.bitnami.com/tutorials/configure-rbac-in-your-kube.netes-cluster/