user10724620

allow access to all resources on kubernetes cluster except get nodes

Team, I have the below cluster role on Kubernetes that allows access to everything, but I want to restrict node-level commands and allow all the rest.

What should I modify below? Basically, the user should be able to run

kubectl get all --all-namespaces

but node info should NOT be displayed.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin-test
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'

Upvotes: 9

Views: 19421

Answers (1)

A_Suh

Reputation: 3936

Rules are purely additive, which means that you cannot restrict rules.

Thus, you will need to list all accessible resources except "nodes", with the appropriate operations.

For example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
rules:
# core ("") group: pods, services and namespaces live here; nodes is deliberately omitted
- apiGroups: [""]
  resources: ["pods", "services", "namespaces"]
  verbs: ["get", "watch", "list"]
# deployments belong to the "apps" group, not the core group
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
# jobs belong to the "batch" group
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]

Also, it is highly recommended not to change the cluster-admin role. It is worth creating a new role and assigning users to it.

Upvotes: 7
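The "allow everything except nodes" role has to be built by enumeration, since RBAC has no deny rule. The following is an added example, not code from the question or the answer above: it builds such a ClusterRole from a hand-written, constructed inventory of API resources (in a real cluster you would take the list from `kubectl api-resources`), grouping them by API group, and includes a small evaluator that mimics how the API server matches a request against rules (any matching rule grants; `*` is a wildcard), so you can confirm that `get nodes` is not granted while `list pods` is. The role name and the inventory are assumptions for illustration.

```python
"""Build a read-only ClusterRole covering every listed API resource except nodes,
and check the result with a small RBAC rule evaluator.

Constructed example: API_RESOURCES is a hand-written subset of what
`kubectl api-resources` would return, not data from a real cluster.
"""
import json

# Constructed inventory of (apiGroup, resource); "" is the core group.
API_RESOURCES = [
    ("", "pods"), ("", "services"), ("", "namespaces"), ("", "nodes"),
    ("", "configmaps"), ("", "secrets"),
    ("apps", "deployments"), ("apps", "statefulsets"),
    ("batch", "jobs"), ("batch", "cronjobs"),
]

READ_VERBS = ["get", "list", "watch"]
# Resources deliberately left out of the role (extend this set, e.g. with ("", "secrets"),
# if the role should not be able to read secrets either).
EXCLUDED = {("", "nodes")}


def build_cluster_role(name, resources, excluded, verbs):
    """Group the non-excluded resources by apiGroup and emit one rule per group."""
    by_group = {}
    for group, resource in resources:
        if (group, resource) in excluded:
            continue
        by_group.setdefault(group, []).append(resource)
    rules = [
        {"apiGroups": [group], "resources": sorted(res), "verbs": list(verbs)}
        for group, res in sorted(by_group.items())
    ]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": rules,
    }


def rule_allows(rules, group, resource, verb):
    """Mimic RBAC evaluation: granted if ANY rule matches group, resource and verb.
    '*' in a rule's list matches anything; there is no way to express a deny."""
    def matches(allowed, value):
        return "*" in allowed or value in allowed

    return any(
        matches(r.get("apiGroups", []), group)
        and matches(r.get("resources", []), resource)
        and matches(r.get("verbs", []), verb)
        for r in rules
    )


# Hypothetical role name chosen for this example.
ROLE = build_cluster_role("read-all-but-nodes", API_RESOURCES, EXCLUDED, READ_VERBS)

if __name__ == "__main__":
    # kubectl apply -f accepts JSON manifests, so no YAML library is needed.
    print(json.dumps(ROLE, indent=2))
    for group, resource in [("", "pods"), ("", "nodes"), ("apps", "deployments")]:
        allowed = rule_allows(ROLE["rules"], group, resource, "get")
        print(f"get {resource} (group {group!r}): {'allowed' if allowed else 'denied'}")
```

Because the evaluator only returns "allowed" when some rule explicitly lists the resource, anything missing from the inventory is denied by default; that is also why `kubectl get all --all-namespaces` keeps working (pods, services, deployments, jobs are all listed) while `kubectl get nodes` fails. Keep the generated role under version control and rerun the generator when new API resources appear in the cluster, otherwise they silently stay inaccessible.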
