tobias
Reputation: 839
Modify ClusterRole for Kubernetes
I want to use the ClusterRole edit for some users of my Kubernetes cluster (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles).
However, it is unfortunate that the user can be accessing and modifying Resource Quotas and Limit Ranges.
My question is now: How can I grant Users via a RoleBinding access to a namespace, such that the Role is essentially the CluserRole edit, but without having any access to Resource Quotas and Limit Ranges?
Upvotes: 0
Views: 1377
Answers (1)
larsks
Reputation: 311516
The edit role gives only read access to resourcequotas and limitranges:
- apiGroups:
- ""
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
If you want a role that doesn't include read access to these resources, just make a copy of the edit role with those resources excluded.
Upvotes: 2
Related Questions
- How to bind roles with service accounts - Kubernetes
- How to configure a ClusterRole for namespaced resources
- K8s cluster role exclude permissions
- Cannot list or delete ClusterRole or ClusterRoleBinding with a Kubernetes ServiceAccount
- how to unbind a role/cluster role from a service account in k8s
- How do I give myself permission to create clusterrolebindings on Kubernetes?
- how to edit kubernetes cluster role define
- How to find which role or clusterrole binded to a service account in Kubernetes?
- Kubernetes RBAC apiGroup field in RoleBinding and ClusterRoleBinding
- Unable to attach a ClusterRoleBinding to a Kubernetes ServiceAccount