wotero4761

Reputation: 21

OpenShift - RBAC rolebinding limit permission

I am currently trying to implement a role that can just manage permissions for certain namespaces. The goal of this role is to be able to give the roles view and edit to other users in the namespaces where the account holding the managerrole is in.

The problem I am facing is that I can currently give the roles edit and view, but I can give those roles to the managerrole account as well. That allows it to read secrets of a namespace, and I do not want that.

Furthermore, the managerrole can also delete rolebindings that are above its current permissions (e.g. managerrole can delete a rolebinding of an admin of the namespace).

Basically, I would like to restrict the managerrole so it:

  1. Cannot give itself the role edit (rolebinding for a specific namespace)
  2. Cannot delete rolebindings above its role (rolebinding for a specific namespace, e.g. admin)

Upvotes: 2

Views: 207

Answers (1)

Manmohan Mittal

Reputation: 374

It's not possible for managerrole to not have edit/view permissions for itself, because it can only manage them for others if it has those permissions itself.

For example, an administrator can only give admin permissions to someone else if he himself has the same or more permissions.

Upvotes: 1
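The answer's reasoning is the RBAC escalation-prevention rule the Kubernetes API server (and therefore OpenShift) applies when a RoleBinding is created: the requester must already hold every permission granted by the role being bound. The toy model below, which is an added example and not code from the question, the answer or the OpenShift project, reproduces that rule over constructed role and binding data and shows both of the asker's problems: a manager that can bind `edit` to others can equally bind it to itself, because RBAC never looks at who the subject of the new binding is, and deleting a rolebinding is authorised purely by the `delete` verb on the `rolebindings` resource, so the rank of the bound role is never consulted. The role contents, the namespace and the subject names (`manager-sa`, `alice`, `bob`) are constructed for illustration; the model ignores wildcards and the `bind` verb escape hatch, which real clusters also support.

```python
"""Toy model of the Kubernetes/OpenShift RBAC escalation-prevention check.

Added example, not from the question, the answer or any project. Roles here are
cut-down, constructed versions of the built-in view/edit/admin aggregates;
wildcard rules and the `bind` verb are deliberately not modelled.
"""
from dataclasses import dataclass

RBAC_GROUP = "rbac.authorization.k8s.io"


@dataclass(frozen=True)
class Rule:
    """One RBAC rule: the cross product of apiGroups x resources x verbs."""
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def perms(self):
        return {(g, r, v) for g in self.api_groups
                for r in self.resources for v in self.verbs}


def role_perms(rules):
    """Flatten a role's rules into the set of (apiGroup, resource, verb) it grants."""
    perms = set()
    for rule in rules:
        perms |= rule.perms()
    return perms


# Constructed stand-ins for the built-in roles (real ones are much larger).
VIEW = [Rule(("",), ("pods", "configmaps"), ("get", "list", "watch"))]
EDIT = VIEW + [Rule(("",), ("pods", "configmaps", "secrets"),
                    ("get", "list", "watch", "create", "update", "delete"))]
ADMIN = EDIT + [Rule((RBAC_GROUP,), ("roles", "rolebindings"),
                     ("get", "list", "create", "update", "delete"))]
# The asker's managerrole: may manage rolebindings, holds nothing else.
MANAGER = [Rule((RBAC_GROUP,), ("rolebindings",),
                ("get", "list", "create", "delete"))]

ROLES = {"view": VIEW, "edit": EDIT, "admin": ADMIN, "managerrole": MANAGER}

# subject -> roles bound to it in one constructed namespace ("team-a").
BINDINGS = {"manager-sa": {"managerrole"}, "alice": {"admin"}}


def effective_perms(subject):
    perms = set()
    for role in BINDINGS.get(subject, ()):
        perms |= role_perms(ROLES[role])
    return perms


def allowed(subject, perm):
    return perm in effective_perms(subject)


def can_create_binding(requester, role_name, target_subject):
    """Mirror the API server's two checks for `create rolebindings`.

    `target_subject` is accepted only to make the point explicit: plain RBAC
    never inspects who the new binding is for, so self-grant and grant-to-
    others are the same request.
    """
    del target_subject  # intentionally unused, see docstring
    if not allowed(requester, (RBAC_GROUP, "rolebindings", "create")):
        return False, "no create on rolebindings"
    missing = role_perms(ROLES[role_name]) - effective_perms(requester)
    if missing:
        return False, f"escalation: requester lacks {sorted(missing)[0]}"
    return True, "ok"


def can_delete_binding(requester, bound_role_name):
    """Delete is authorised on the rolebindings resource alone."""
    del bound_role_name  # the bound role's rank is never consulted
    return allowed(requester, (RBAC_GROUP, "rolebindings", "delete"))


def grant(subject, role_name):
    """Simulate an admin adding a binding for `subject` (constructed helper)."""
    BINDINGS.setdefault(subject, set()).add(role_name)


if __name__ == "__main__":
    print(can_create_binding("manager-sa", "edit", "bob"))       # denied: escalation
    print(can_delete_binding("manager-sa", "admin"))            # allowed: only the verb counts
    grant("manager-sa", "edit")                                 # what the answer says is required
    print(can_create_binding("manager-sa", "edit", "manager-sa"))  # allowed: self-grant indistinguishable
```

The takeaway for a defender is that neither requirement can be expressed in RBAC alone: preventing self-grant needs an admission-time policy that compares the binding's subjects with the requesting user, and restricting which existing rolebindings may be deleted needs either `resourceNames` scoping on the manager's rule or the same kind of admission policy.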
