DubsWin

Reputation: 11

k8s access control to single pod

I am trying to set access control for using the "shell" UI button on the deploy dashboard, and only need this for one single pod. By using the k8s RBAC auth model, I need something like this and binding to a role:

- apiGroups: [""]
  resources: ["pods/exec"]
  resourceNames: ["api-server-f5b95446b-58wz4"]
  verbs: ["create"]

However, the postfix "-f5b95446b-58wz4" is randomly generated during deploy time, and it will change constantly. So this solution won't work.

If resourceNames could support wildcard strings then it would resolve my issue, but it looks like it is a known gap and not supported ATM (https://github.com/kubernetes/kubernetes/issues/56582).

Any idea if there is a better way that I can achieve this? Thanks!

Upvotes: 1

Views: 456

Answers (1)

gohm'c

Reputation: 15568

You can use a policy engine like Kyverno to control what can/cannot be done. For example, prevent exec into a specific pod, filtered by name, like this.

Upvotes: 1
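As an added illustration of the approach in the answer above (not the answerer's own policy), here is a Kyverno ClusterPolicy that matches the `pods/exec` subresource by a wildcard pod name, which is exactly the wildcard that RBAC `resourceNames` lacks. It assumes the Deployment lives in a namespace called `prod`, that its pods are named `api-server-<hash>-<suffix>`, and that the dashboard's shell button runs as the service account `dashboard/shell-user`; all three names are assumptions for the example.

```yaml
# Added example, not from the original answer.
# Deny `kubectl exec` / dashboard shell into api-server-* pods in the
# "prod" namespace for everyone except one service account (assumed names).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-exec-api-server
spec:
  validationFailureAction: Enforce   # reject, do not just audit
  background: false                  # required: rule uses request.* vars
  rules:
  - name: deny-exec-api-server-pods
    match:
      any:
      - resources:
          kinds:
          - Pod/exec                 # the pods/exec subresource
          namespaces:
          - prod                     # assumed namespace
          names:
          - "api-server-*"           # wildcard on the generated pod name
    exclude:
      any:
      - clusterRoles:
        - cluster-admin              # keep a break-glass path for admins
    validate:
      message: >-
        exec into api-server pods is only permitted for the
        dashboard shell service account
      deny:
        conditions:
          all:
          - key: "{{ request.userInfo.username }}"
            operator: NotEquals
            value: "system:serviceaccount:dashboard:shell-user"  # assumed SA
```

Kyverno evaluates this in the admission webhook, so the RBAC rule granting `create` on `pods/exec` can stay broad while the policy narrows it to the one pod family; check the decision with `kubectl exec` as a different user and expect the policy's message in the rejection.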
