Dev

Reputation: 13753

Allow access to a subset of K8s resources

I granted read access to pods.

Sample:

kubectl create serviceaccount sa1 

kubectl create role pod-reader --verb=get --resource=pods

kubectl create rolebinding sa1-binding --serviceaccount=default:sa1 --role=pod-reader 

Is there any way to restrict this access to selected pods on the basis of metadata or labels?

Upvotes: 0

Views: 379

Answers (2)

nitashathakur

Reputation: 470

As discussed in the comments, you can use resourceNames to provide access to selected resources.

Here is an excerpt from the k8s docs.

Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing ConfigMap
  # objects is "configmaps"
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["update", "get"]

Also, you cannot restrict create or deletecollection requests by resourceName. For create, this limitation is because the object name is not known at authorization time.

Upvotes: 1
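The same resourceNames mechanism applied to the asker's pod case, as an added example that is not part of the question or either answer: a Role that grants sa1 get access to two named pods only, plus the RoleBinding that attaches it. The pod names pod-a and pod-b and the Role/RoleBinding names are assumptions chosen for illustration.

```yaml
# Added example (not from the question or the answers): restrict the sa1
# ServiceAccount to reading two specific pods in the default namespace.
# pod-a and pod-b are assumed names; substitute the real pod names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: named-pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  # resourceNames matches metadata.name only, never labels: a pod recreated
  # under a different name (for example by a Deployment) falls outside the grant.
  resourceNames: ["pod-a", "pod-b"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: sa1-named-pod-reader
subjects:
- kind: ServiceAccount
  name: sa1
  namespace: default
roleRef:
  kind: Role
  name: named-pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply it with kubectl apply -f and verify the boundary with kubectl auth can-i: "kubectl auth can-i get pods/pod-a --as=system:serviceaccount:default:sa1" should answer yes, while the same check against pods/pod-c should answer no. Note that a bare "kubectl get pods" is a list request, which this Role does not grant; if you add list or watch to the verbs, the client must pass a matching field selector (--field-selector=metadata.name=pod-a) for the name restriction to be honoured.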

theUndying

Reputation: 1744

As far as I'm aware, it's not possible to limit roles to certain labels. Actually there was an issue related to this opened here: https://github.com/kubernetes/kubernetes/issues/44703

With RBAC you're specifying access to resources, which are part of API groups and you select what verbs can be executed - that's all.

Upvotes: 1
