How can I control access to storageclasses in Kubernetes?

7/18/2018

Is it possible to restrict the ability of particular users to dynamically provision disks from storageclasses? Or, for example, only allowing particular namespaces to be able to use a storageclass?

-- dippynark
kubernetes

2 Answers

7/19/2018

Storage resource quota can be used to restrict usage of storage classes.

-- dippynark
Source: StackOverflow
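As an added example (not part of either answer), this is what a class-scoped ResourceQuota looks like. The quota keys `<class>.storageclass.storage.k8s.io/persistentvolumeclaims` and `<class>.storageclass.storage.k8s.io/requests.storage` are the real Kubernetes quota names; the namespace `team-a` and the class names `fast-ssd` and `standard` are assumed. The second document is a constructed PersistentVolumeClaim that the quota rejects.

```yaml
# Added example: a ResourceQuota that limits which StorageClasses a
# namespace may use and how much it may request from each.
# Namespace "team-a" and classes "fast-ssd"/"standard" are assumed names.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: storageclass-limits
  namespace: team-a
spec:
  hard:
    # Namespace-wide caps, regardless of class
    persistentvolumeclaims: "10"
    requests.storage: "500Gi"
    # Per-class caps: at most 2 claims / 100Gi on the expensive class
    fast-ssd.storageclass.storage.k8s.io/persistentvolumeclaims: "2"
    fast-ssd.storageclass.storage.k8s.io/requests.storage: "100Gi"
    # A zero quota blocks every PVC that names (or is defaulted to) this class
    standard.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
---
# Constructed test input: this claim is rejected at admission because it
# asks for class "standard" in a namespace whose quota for it is 0.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: scratch
  namespace: team-a
spec:
  storageClassName: standard
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 1Gi
```

Apply the quota first, then the claim; the claim is refused with an "exceeded quota" error from the ResourceQuota admission plugin, and `kubectl describe quota storageclass-limits -n team-a` shows used versus hard values per key. Two caveats worth keeping in mind: quota is evaluated after the DefaultStorageClass admission plugin fills in `storageClassName`, so a claim that omits the class still counts against the default class's quota; and quota only gates PVC creation in that namespace, it does not restrict who can read the StorageClass objects themselves.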

7/18/2018

Fair warning: I haven't tested this!

StorageClass is just an API endpoint, and RBAC works by restricting access to those endpoints, so in theory this should work just fine:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sc_access
rules:
- apiGroups: ["storage.k8s.io"]   # StorageClass is served only by the storage.k8s.io group
  resources: ["storageclasses"]   # RBAC rules use the plural resource name
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

If that doesn't work, you might be able to restrict access directly via the nonResourceURLs option:

rules:
- nonResourceURLs: ["/apis/storage.k8s.io/v1/storageclasses"]   # group APIs are served under /apis/
  verbs: ["get", "post"]   # nonResourceURLs rules take lowercase HTTP verbs

-- jaxxstorm
Source: StackOverflow