Team, I have below cluster role on kubernetes that allows access to everything but I wan't to restrict node level commands and allow all rest.
What to modify below? Basically, user should be able to run
kubectl get all --all-namespaces
but not nodes info should NOT display
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin-test
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
Rules are purely additive, means that you cannot restrict rules.
Thus, you will need to list all accessible resources, but "nodes" with appropriate operations
For example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
rules:
- apiGroups: [""]
resources: ["pods","services","namespaces","deployments","jobs"]
verbs: ["get", "watch", "list"]
Also, it is highly not recommended to change cluster-admin role. It is worth to create a new role and assign users to it.
この記事はインターネットから収集されたものであり、転載の際にはソースを示してください。
侵害の場合は、連絡してください[email protected]
コメントを追加