Gaby

Reputation: 235

K8s cluster role exclude permissions

Is there a way to create a K8s cluster role with full access (all resources, verbs and API groups in any namespace) but no command execution across all namespaces, for example `kubectl delete pods --all-namespaces` or `kubectl delete pv --all-namespaces`?

(Running the same commands on a single namespace should be allowed, just not in bulk to all namespaces).

If this cannot be achieved with a cluster role, is there another way to achieve it?

Upvotes: 2

Views: 565

Answers (1)

Vit

Reputation: 8491

What if you bind the ClusterRole to only the needed namespaces and don't give permissions on the restricted ones? That's not a full solution, but at least the user won't be able to delete the ones they don't need. And strictly answering your question: not sure this is possible.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: testsa
  namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testclusterrole
rules:
# deployments are in the "apps" API group and jobs in "batch";
# the core group "" alone covers only pods, services and namespaces.
# Note that "namespaces" is cluster-scoped, so a namespaced RoleBinding
# cannot grant it; only a ClusterRoleBinding can.
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "services", "namespaces", "deployments", "jobs"]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
---
# A RoleBinding grants the referenced ClusterRole's rules only inside
# the binding's own namespace (here namespace1).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-master-1
  namespace: namespace1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: testclusterrole
subjects:
- kind: ServiceAccount
  name: testsa
  namespace: default
---
# Same ClusterRole, bound a second time for namespace2 only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-master-2
  namespace: namespace2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: testclusterrole
subjects:
- kind: ServiceAccount
  name: testsa
  namespace: default

Upvotes: 1
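To see exactly what the namespaced-binding approach in this answer does and does not prevent, here is an added example (not part of the answer above) that models the scoping rules of the Kubernetes RBAC authorizer and evaluates the answer's manifests against them. The manifests are reduced to the fields RBAC actually looks at and are constructed inline to match the answer (ServiceAccount `testsa` in `default`, ClusterRole `testclusterrole`, RoleBindings in `namespace1` and `namespace2`); the `can_i` function and the `CLUSTER_SCOPED` set are this example's own names. Two facts drive the result: RBAC rules are purely additive, so there is no way to deny a bulk delete while allowing single-namespace deletes; and a RoleBinding only grants its role's rules for requests inside the binding's namespace, so a request with no namespace (which is what `kubectl delete pods --all-namespaces` issues first, a cluster-wide list) matches only ClusterRoleBindings.

```python
# Added example: a minimal model of Kubernetes RBAC authorization scoping,
# used to check what the answer's ServiceAccount / ClusterRole / RoleBinding
# manifests grant. Not the apiserver's code; values are constructed to match
# the answer's objects.

WILDCARD = "*"

# Cluster-scoped resources: requests for them carry no namespace, so
# RoleBindings never apply and only a ClusterRoleBinding can grant them.
CLUSTER_SCOPED = {"namespaces", "persistentvolumes", "nodes"}

CLUSTER_ROLES = {
    "testclusterrole": [
        {
            "apiGroups": ["", "apps", "batch"],
            "resources": ["pods", "services", "namespaces", "deployments", "jobs"],
            "verbs": ["get", "watch", "list", "create", "delete", "patch", "update"],
        },
    ],
}

# (kind, name, namespace) of the ServiceAccount from the answer.
SUBJECT = ("ServiceAccount", "testsa", "default")

# Only bindings that reference a ClusterRole are modeled, as in the answer.
ROLE_BINDINGS = [
    {"namespace": "namespace1", "roleRef": "testclusterrole", "subjects": [SUBJECT]},
    {"namespace": "namespace2", "roleRef": "testclusterrole", "subjects": [SUBJECT]},
]
CLUSTER_ROLE_BINDINGS = []  # the answer creates none: nothing is granted cluster-wide


def _matches(allowed, value):
    return WILDCARD in allowed or value in allowed


def rule_allows(rule, group, resource, verb):
    """A single PolicyRule matches when group, resource and verb all match."""
    return (_matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(subject, verb, resource, group="", namespace=None):
    """Mirror of `kubectl auth can-i <verb> <resource> [-n <ns>] --as=...`.

    namespace=None is a request with no namespace, i.e. a cluster-wide
    operation such as the list behind `kubectl delete pods --all-namespaces`.
    """
    if resource in CLUSTER_SCOPED:
        namespace = None  # such requests never carry a namespace

    rules = []
    for crb in CLUSTER_ROLE_BINDINGS:
        if subject in crb["subjects"]:
            rules.extend(CLUSTER_ROLES[crb["roleRef"]])
    if namespace is not None:
        for rb in ROLE_BINDINGS:
            if rb["namespace"] == namespace and subject in rb["subjects"]:
                rules.extend(CLUSTER_ROLES[rb["roleRef"]])

    # Rules are purely additive: any matching rule allows, nothing denies.
    return any(rule_allows(r, group, resource, verb) for r in rules)


def reachable_namespaces(subject, verb, resource, group="", all_namespaces=()):
    """Namespaces where the verb is still allowed one at a time. This is the
    residual blast radius the answer calls 'not a full solution'."""
    return sorted(ns for ns in all_namespaces
                  if can_i(subject, verb, resource, group, namespace=ns))


if __name__ == "__main__":
    cluster = ("default", "kube-system", "namespace1", "namespace2")
    print("delete pods -n namespace1:", can_i(SUBJECT, "delete", "pods", namespace="namespace1"))
    print("delete pods -n kube-system:", can_i(SUBJECT, "delete", "pods", namespace="kube-system"))
    print("delete pods --all-namespaces:", can_i(SUBJECT, "list", "pods"))
    print("delete pv:", can_i(SUBJECT, "delete", "persistentvolumes"))
    print("still deletable per namespace:",
          reachable_namespaces(SUBJECT, "delete", "pods", all_namespaces=cluster))
```

The bulk command is refused only because nothing grants a namespace-less list; the subject can still delete pods in `namespace1` and then in `namespace2` with two separate commands, which is the limitation the answer points out. On a live cluster the same checks are `kubectl auth can-i delete pods -n namespace1 --as=system:serviceaccount:default:testsa` and `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:default:testsa`.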
