How to carve out exceptions in Kubernetes RBAC

Time:08-30

Use-cases:

  • Grant full access to all resources on the cluster (including the ability to e.g. create new namespaces), except for in certain namespaces such as kube-system.
  • Grant read permissions to all resources in the cluster except for Secrets.

This seems like a really basic set of use-cases that are not obvious how to implement.

CodePudding user response:

  • Grant read permissions to all resources in the cluster except for Secrets.

    kubectl get clusterrole view -o yaml | grep -v secrets

Fix the metadata, creating a new ClusterRole. Create ClusterRoleBindings using that ClusterRole.

  • Grant full access to all resources ... except in certain namespaces

For this, you would need to create RoleBindings in each namespace you want to delegate those privileges to; you won't be able to filter out namespaces by their name.

You could use the ClusterRole "admin" and create RoleBindings in all your projects. OpenShift has a default project template you could customize to automatically add those RoleBindings when provisioning a new namespace. While I don't think traditional Kubernetes has such an option, you might then use a CronJob, say in kube-system, creating those RoleBindings in new namespaces on a schedule.
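An added example (not part of the answer above) that does the "copy the role, strip secrets, fix the metadata" step from the first use-case as a script rather than a grep, and then re-checks the result with a minimal RBAC matcher, because RBAC is purely additive and a wildcard rule cannot have Secrets carved out of it. It assumes a constructed, trimmed JSON document shaped like `kubectl get clusterrole view -o json`; a real cluster's role will carry more rules and labels, and the stock `view` role already omits Secrets, so the interesting input is a role that does list them.

```python
import copy
import json
# Constructed sample shaped like `kubectl get clusterrole view -o json`, trimmed.
# Assumption: a real cluster's role carries more rules and labels than this.
VIEW_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "view", "uid": "example-uid", "resourceVersion": "42",
                 "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
    "aggregationRule": {"clusterRoleSelectors": [{"matchLabels":
        {"rbac.authorization.k8s.io/aggregate-to-view": "true"}}]},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
})

def derive_role(src_json, new_name, drop):
    """Copy a ClusterRole minus the resources in `drop`, with fresh metadata.
    aggregationRule is deliberately not copied: with it, the controller
    would re-fill the rules (secrets included) from aggregate-to-* roles."""
    src = json.loads(src_json)
    out = {"apiVersion": src["apiVersion"], "kind": "ClusterRole",
           "metadata": {"name": new_name}, "rules": []}
    for rule in src.get("rules", []):
        resources = rule.get("resources", [])
        if "*" in resources:
            # RBAC has no deny: a wildcard rule cannot have secrets carved out.
            raise ValueError("wildcard resources rule; cannot exclude %s" % sorted(drop))
        kept = [r for r in resources if r not in drop]
        if kept:
            new_rule = copy.deepcopy(rule)
            new_rule["resources"] = kept
            out["rules"].append(new_rule)
    return out

def allows(role, group, resource, verb):
    """Minimal RBAC evaluation: any rule matching group, resource and verb
    (literally or by '*') grants access; there is nothing to subtract."""
    return any(
        any(g in (group, "*") for g in rule.get("apiGroups", []))
        and any(r in (resource, "*") for r in rule.get("resources", []))
        and any(v in (verb, "*") for v in rule.get("verbs", []))
        for rule in role.get("rules", []))

if __name__ == "__main__":
    role = derive_role(VIEW_ROLE_JSON, "view-no-secrets", {"secrets"})
    print(json.dumps(role, indent=2))  # pipe into: kubectl apply -f -
```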
