Reputation: 81
For example, I have a Role that gives a user permission to get the list of pods from a specific namespace, and I have a ClusterRole that gives the user permission to get the list of pods from all namespaces.
Can the user get all pods from all namespaces? Or does the Role override the ClusterRole because the Role is more specific?
I know this doesn't make sense. But what if I do it by mistake?
Upvotes: 0
Views: 872
Reputation: 1012
In Kubernetes, a ClusterRole takes precedence over Roles, because a Role is bound to a certain namespace whereas a ClusterRole is a non-namespaced resource. Whenever a user requests resources, Kubernetes will check the Roles and ClusterRoles assigned to that user or service account.
If there is any conflict between Roles and ClusterRoles, then the ClusterRole overrides the Role permissions for a user or service account in Kubernetes.
For more detailed information, refer to the official RBAC documentation.
Upvotes: 1
Reputation: 4622
As per https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
Permissions are purely additive (there are no "deny" rules).
That means you can't get fewer rights, only more, if a user is bound to multiple Roles or ClusterRoles.
Upvotes: 1
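The additive behaviour quoted from the RBAC documentation in the last answer can be shown with a small model. This is an added example, not part of any post above and not Kubernetes' own code: it evaluates a constructed set of bindings the way an allow-only authorizer does and flags namespaced grants that a cluster-wide grant already covers. It assumes a simplified rule shape (verbs and resources only, no apiGroups or resourceNames), and the subjects `alice` and `bob` and the namespace `team-a` are made up.

```python
# Simplified model of additive Kubernetes RBAC evaluation (added example).
# All subjects, namespaces and bindings below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    resources: frozenset

    def matches(self, verb, resource):
        return ((verb in self.verbs or "*" in self.verbs) and
                (resource in self.resources or "*" in self.resources))

@dataclass(frozen=True)
class Binding:
    subject: str
    rules: tuple            # rules of the referenced Role or ClusterRole
    namespace: str = None   # None models a ClusterRoleBinding (all namespaces)

def allowed(bindings, subject, verb, resource, namespace):
    """Allow if ANY applicable binding has a matching rule; nothing can deny."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if any(r.matches(verb, resource) for r in b.rules):
            return True
    return False

def redundant_rolebindings(bindings):
    """Namespaced bindings whose every rule is already granted cluster-wide."""
    cluster = [b for b in bindings if b.namespace is None]
    out = []
    for b in bindings:
        if b.namespace is None:
            continue
        if all(allowed(cluster, b.subject, v, res, b.namespace)
               for r in b.rules for v in r.verbs for res in r.resources):
            out.append(b)
    return out

POD_READER = (Rule(frozenset({"get", "list"}), frozenset({"pods"})),)
BINDINGS = [
    Binding("alice", POD_READER, namespace="team-a"),  # Role + RoleBinding
    Binding("alice", POD_READER),                      # ClusterRole + ClusterRoleBinding
    Binding("bob", POD_READER, namespace="team-a"),    # Role + RoleBinding only
]
```

Against a real cluster, `kubectl auth can-i list pods --as <user> -n <namespace>` answers the same question for a given subject and namespace.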