peteyuan
Reputation: 1344
how to control access for pods/exec only in kubernetes rbac without pods create binded?
I checked the kubernetes docs, find that pods/exec resources has no verb, and do not know how to only control access for it? Since I create a pod, someone else need to access it use 'exec' but cannot create anything in my cluster.
How to implement this?
Upvotes: 31
Views: 42839
Answers (2)
user18576163
Reputation: 1
Maybe you can try this kubectl plugin: https://github.com/zhangweiqaz/go_pod
kubectl go -h
kubectl exec in pod with username. For example:
kubectl go pod_name
Usage:
go [flags]
Flags:
-c, --containerName string containerName
-h, --help help for go
-n, --namespace string namespace
-u, --username string username, this user must exist in image, default: dev
Upvotes: 0
peteyuan
Reputation: 1344
Since pods/exec is a subresource of pods, If you want to exec a pod, you first need to get the pod, so here is my role definition.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
Upvotes: 68
Related Questions
- kubernetes RBAC role verbs to exec to pod
- allow access to all resources on kubernetes cluster except get nodes
- Allow only listing of resources using Kubernetes RBAC
- Give access to single pod in kubernetes using RBAC
- K8S RBAC role to allow everything except namespaces and service accounts
- Limit access to Kubernetes secret by RBAC
- Kubernetes pod restrictions on cluster or namespace level
- Kubernetes RBAC: How to allow exec only to a specific Pod created by Deployment
- restricting EKS user access
- Kubernetes [RBAC]: User with access to specific Pods