
K8s cluster role exclude permissions

Is there a way to create a K8s cluster role with full access (all resources, verbs and API groups in any namespace) but no command execution across all namespaces, for example: kubectl delete pods --all-namespaces or kubectl delete pv --all-namespaces?

(Running the same commands on a single namespace should be allowed, just not in bulk to all namespaces).

If this cannot be achieved with a cluster role, is there another way to achieve it?

What if you bind the clusterrole only to the needed namespaces and don't give permissions on the restricted ones? That's not a full solution, but at least the user won't be able to delete the ones that aren't needed. And strictly answering your question - not sure this is possible.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: testsa
  namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testclusterrole
rules:
# Each resource must be listed under the API group it actually belongs to;
# deployments ("apps") and jobs ("batch") are not in the core group "".
# Note: "namespaces" is cluster-scoped, so a RoleBinding below cannot grant
# it; only a ClusterRoleBinding would.
- apiGroups: [""]
  resources: ["pods", "services", "namespaces"]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
---
# A RoleBinding that references a ClusterRole grants its rules only inside
# the binding's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-master-1
  namespace: namespace1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: testclusterrole
subjects:
- kind: ServiceAccount
  name: testsa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-master-2
  namespace: namespace2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: testclusterrole
subjects:
- kind: ServiceAccount
  name: testsa
  namespace: default

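The following is an added example, not code from the question or the answer above: a small offline model of how the API server evaluates RBAC, used to show what the "bind the ClusterRole per namespace" approach does and does not allow. The subject string, the namespace names and the rule set are constructed to mirror the manifests in the answer (with the API groups corrected); the matching logic is a simplified re-implementation and ignores resourceNames, nonResourceURLs and role aggregation.

```python
from dataclasses import dataclass
from typing import Optional

# Cluster-scoped resources: a RoleBinding can never grant access to these,
# because such requests carry no namespace for the binding to match.
CLUSTER_SCOPED = {"namespaces", "persistentvolumes", "nodes", "clusterroles"}


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def matches(self, group: str, resource: str, verb: str) -> bool:
        def hit(wanted, allowed):
            return "*" in allowed or wanted in allowed
        return (hit(group, self.api_groups)
                and hit(resource, self.resources)
                and hit(verb, self.verbs))


@dataclass(frozen=True)
class Binding:
    role: str                 # ClusterRole name from roleRef
    subject: str              # e.g. "system:serviceaccount:default:testsa"
    namespace: Optional[str]  # RoleBinding namespace; None for a ClusterRoleBinding


def can_i(roles, bindings, subject, verb, group, resource, namespace):
    """Mimic `kubectl auth can-i VERB RESOURCE -n NAMESPACE --as SUBJECT`.

    namespace=None is a cluster-scope request: either a cluster-scoped
    resource, or a namespaced resource queried across all namespaces
    (which is the first thing `kubectl ... --all-namespaces` does).
    """
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None:
            # A RoleBinding only covers namespaced requests in its own namespace.
            if namespace != b.namespace or resource in CLUSTER_SCOPED:
                continue
        if any(r.matches(group, resource, verb) for r in roles.get(b.role, [])):
            return True
    return False


def bulk_delete(roles, bindings, subject, group, resource, cluster_namespaces):
    """Model `kubectl delete RESOURCE --all-namespaces` for SUBJECT.

    kubectl first lists the resource at cluster scope, then deletes each
    object inside its own namespace. Returns (list_allowed, deletable_namespaces).
    """
    list_ok = can_i(roles, bindings, subject, "list", group, resource, None)
    deletable = [ns for ns in cluster_namespaces
                 if can_i(roles, bindings, subject, "delete", group, resource, ns)]
    return list_ok, deletable


# Constructed data mirroring the answer's manifests (hypothetical cluster).
SA = "system:serviceaccount:default:testsa"
VERBS = frozenset({"get", "watch", "list", "create", "delete", "patch", "update"})
ROLES = {
    "testclusterrole": [
        Rule(frozenset({""}), frozenset({"pods", "services", "namespaces"}), VERBS),
        Rule(frozenset({"apps"}), frozenset({"deployments"}), VERBS),
        Rule(frozenset({"batch"}), frozenset({"jobs"}), VERBS),
    ]
}
BINDINGS = [
    Binding("testclusterrole", SA, "namespace1"),  # RoleBinding job-master-1
    Binding("testclusterrole", SA, "namespace2"),  # RoleBinding job-master-2
]
ALL_NAMESPACES = ["default", "kube-system", "namespace1", "namespace2", "namespace3"]

if __name__ == "__main__":
    print("delete pods -n namespace1 :", can_i(ROLES, BINDINGS, SA, "delete", "", "pods", "namespace1"))
    print("delete pods -n namespace3 :", can_i(ROLES, BINDINGS, SA, "delete", "", "pods", "namespace3"))
    print("delete persistentvolumes  :", can_i(ROLES, BINDINGS, SA, "delete", "", "persistentvolumes", None))
    print("delete pods -A            :", bulk_delete(ROLES, BINDINGS, SA, "", "pods", ALL_NAMESPACES))
```

What the model makes visible: with only RoleBindings, `kubectl delete pods --all-namespaces` is refused at the cluster-scope list step before any delete is attempted, while `kubectl delete pods -n namespace1` still succeeds, which is exactly the "allowed in a single namespace, not in bulk" behaviour asked for. The cost is that the subject also cannot touch cluster-scoped objects such as persistentvolumes at all, and appending a ClusterRoleBinding for the same role reopens the cross-namespace list (and therefore the bulk delete), so any such binding should be reviewed as a privilege escalation.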