Kubernetes [RBAC]: User with access to specific Pods

8/2/2018

I need to give access to a set of pods within a namespace to an external support. I've been reading about the RBAC API, [Cluster]Roles and [Cluster]Role Bindings; but I could not find anything about how to apply a role to a group of pods (based on annotations or labels). Does anyone know if it is possible to do that?

This is the Role that I use now, and I need to limit it to a specific set of pods:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <ClientX>-PodMonitor
  namespace: <namespace>
rules:
- apiGroups: [""]
  verbs: ["get", "list"]
  resources: ["pods", "pods/log"]

If you guys need more details, please let me know.

Thanks.

-- mvazquez
Tags: kubernetes, kubernetes-pod, kubernetes-security, rbac

1 Answer

8/2/2018

Try the way below of defining the role with a resource name, as in the example in the docs:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
    namespace: default
    name: configmap-updater
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["update", "get"]
-- Amit
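Applied to the original question, the `resourceNames` approach looks like the following. This is an added example, not the asker's Role or the answerer's manifest: it narrows the question's `pods` / `pods/log` Role to two named pods and binds it to an external support identity. `<namespace>`, the pod names `clientx-app-0` / `clientx-app-1` and the user `support@clientx.example` are placeholders. Two caveats matter when relying on this: RBAC matches `resourceNames` against `metadata.name` only, so there is no way to select pods by label or annotation, and pods created by a Deployment or ReplicaSet get generated names that change on every rollout, so a name list goes stale unless the pods are individually named (a StatefulSet, or bare pods). Also, `get` on a named pod is authorized normally, but a `list` request is only matched against `resourceNames` when the client sends a `metadata.name` field selector, so a plain `kubectl get pods` by the support user is denied while `kubectl get pod clientx-app-0` succeeds.

```yaml
# Added example (not from the question or answer): a Role restricted to
# two named pods plus their logs, and the RoleBinding that grants it to an
# external support user. <namespace>, the pod names and the user are placeholders.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: clientx-podmonitor
  namespace: <namespace>
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  # resourceNames are compared with metadata.name exactly;
  # labels and annotations cannot be used as a selector here.
  resourceNames: ["clientx-app-0", "clientx-app-1"]
  # "get" works per name; "list" is only matched against resourceNames
  # when the request carries fieldSelector=metadata.name=<pod>.
  verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: clientx-podmonitor-binding
  namespace: <namespace>
subjects:
- kind: User
  name: support@clientx.example   # placeholder: the external support identity
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: clientx-podmonitor
  apiGroup: rbac.authorization.k8s.io
```

To verify the binding behaves as intended before handing credentials out, impersonate the support user with `kubectl auth can-i`: `kubectl auth can-i get pods/clientx-app-0 -n <namespace> --as support@clientx.example` and `kubectl auth can-i get pods/clientx-app-0 --subresource=log -n <namespace> --as support@clientx.example` should both answer `yes`, while `kubectl auth can-i get pods/some-other-pod -n <namespace> --as support@clientx.example` and `kubectl auth can-i list pods -n <namespace> --as support@clientx.example` should answer `no`. If the pod names are not stable, the more robust least-privilege design is to run the client's workload in its own namespace and grant the support user a namespace-scoped Role without `resourceNames`.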
Source: StackOverflow