Kubernetes RBAC: How to allow exec only to a specific Pod created by Deployment

10/23/2018

I have an application namespace with 30 services. Most are stateless Deployments, mixed with some StatefulSets etc. Fairly standard stuff that is.

I need to grant a special user a Role that can only exec into a certain Pod. Currently RBAC grants the exec right to all pods in the namespace, but I need to tighten it down.

The problem is that the Pod(s) are created by a Deployment, configurator, and the Pod name(s) are thus "generated": configurator-xxxxx-yyyyyy. You cannot use a glob (i.e. configurator-*), and a Role cannot grant exec for Deployments directly.

So far I've thought about:

  • Converting the Deployment into a StatefulSet or a plain Pod, so the Pod would have a known, non-generated name and a glob wouldn't be needed
  • Moving the Deployment into a separate namespace, so the namespace-wide exec right is not a problem

Both of these work, but neither is optimal. Is there a way to write a proper Role for this?

-- Tuminoid
kubernetes
rbac

1 Answer

10/23/2018

RBAC, as it currently stands, doesn't allow filtering resources by attributes other than namespace and resource name. The discussion is open here.

Thus, namespaces are the smallest unit for authorizing access to pods. Services must be separated into namespaces according to which users need access to them.

The optimal solution right now is to move this deployment to another namespace since it needs different access rules than other deployments in the original namespace.

-- Ignacio Millán
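The two workable options from the thread, written out as RBAC manifests. This is an added example, not code from the question or the answer; it assumes the Deployment is named configurator, that the dedicated namespace is also called configurator, that the special user is alice, and (for the StatefulSet variant) that the application namespace is app. Note that kubectl exec needs two permissions: get on pods and create on the pods/exec subresource; the second one is what actually hands out a shell.

```yaml
# Added example (not from the original post). Assumed names:
# namespace "configurator", user "alice", app namespace "app".

# Option A (the accepted answer): move the Deployment to its own
# namespace and scope the exec Role to that namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configurator-exec
  namespace: configurator
rules:
  # kubectl exec first reads the pod to find the container...
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # ...then creates the exec subresource. This verb is the sensitive one;
  # it must not remain in the namespace-wide Role of the app namespace.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: configurator-exec
  namespace: configurator
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: configurator-exec
  apiGroup: rbac.authorization.k8s.io
---
# Option B (first alternative in the question): keep the workload in the
# app namespace but run it as a StatefulSet, whose pod names are stable
# (<name>-<ordinal>, here configurator-0), and pin the rule with
# resourceNames. resourceNames matches the exact pod name only, which is
# why it cannot be used with the generated names of a Deployment.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configurator-0-exec
  namespace: app
rules:
  # "list" cannot be restricted by resourceNames, so only "get" is granted.
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["configurator-0"]
    verbs: ["get"]
  # For a subresource, resourceNames still refers to the parent pod's name.
  - apiGroups: [""]
    resources: ["pods/exec"]
    resourceNames: ["configurator-0"]
    verbs: ["create"]
```

After applying either variant, check the result from the user's point of view rather than trusting the manifest: `kubectl auth can-i create pods --subresource=exec --namespace configurator --as alice` should answer yes, and the same command against the app namespace should answer no once the old namespace-wide pods/exec grant has been removed. In Option B, `kubectl exec configurator-0 ...` will work while `kubectl exec` against any other pod in app is denied, and a rolling replacement of the pod keeps the same name, so the binding stays valid.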
Source: StackOverflow