Kubernetes RBAC cluster-admin without secret reading permission

10/29/2018

Is it possible to create a Kubernetes cluster admin without the ability to read namespace secrets?

I know you can create a ClusterRole, list every single resource, and omit secrets, but that seems unintuitive.

Can you use aggregated ClusterRoles to remove a permission? So, using the ClusterRole cluster-admin, and have a role that uses:

rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: [""]
-- Raja
kubernetes
rbac

1 Answer

10/29/2018

Not really. Aggregated ClusterRoles are a set union of several ClusterRoles. To get the behavior you want, you would need a set subtraction of the cluster-admin role minus the rules that you have defined. It's not supported in K8s as of this writing.

-- Rico
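Added example (not from the original post or answer): a small Python model of how RBAC rule matching and aggregation evaluate, showing that aggregating cluster-admin with the empty-verb rule from the question changes nothing, next to the enumerate-and-omit workaround the question mentions. The resource list is a constructed sample of what `kubectl api-resources` reports, not a live cluster query, and the role name `almost-cluster-admin` is made up for illustration.

```python
# Added example (not from the original post): a model of RBAC rule matching,
# aggregation (union only) and the "list everything except secrets" workaround.
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]

# Constructed sample of (apiGroup, resource) pairs as `kubectl api-resources`
# would report them; a real script would read that command's output instead.
API_RESOURCES: List[Tuple[str, str]] = [
    ("", "pods"), ("", "secrets"), ("", "configmaps"), ("", "services"),
    ("", "serviceaccounts"),
    ("apps", "deployments"), ("apps", "daemonsets"),
    ("rbac.authorization.k8s.io", "roles"),
    ("rbac.authorization.k8s.io", "clusterroles"),
]

# The built-in cluster-admin resource rule (it also carries a nonResourceURLs
# rule, omitted here because only resource access is being modelled).
CLUSTER_ADMIN: List[Rule] = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# The rule from the question: an attempt to "remove" access to secrets.
EMPTY_VERB_RULE: List[Rule] = [{"apiGroups": [""], "resources": ["secrets"], "verbs": [""]}]


def rule_matches(rule: Rule, group: str, resource: str, verb: str) -> bool:
    """A PolicyRule matches only when apiGroups, resources and verbs all match
    (either the wildcard "*" or the exact value)."""
    def hit(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def aggregate(*role_rule_lists: List[Rule]) -> List[Rule]:
    """An aggregated ClusterRole's rules are the concatenation of the selected
    roles' rules: a union, with no way to express subtraction."""
    merged: List[Rule] = []
    for rules in role_rule_lists:
        merged.extend(rules)
    return merged


def allowed(rules: List[Rule], group: str, resource: str, verb: str) -> bool:
    """RBAC is purely additive: a request is allowed if ANY rule matches.
    There is no deny rule, so adding a rule can never take access away."""
    return any(rule_matches(r, group, resource, verb) for r in rules)


def admin_without_secrets(resources: List[Tuple[str, str]] = API_RESOURCES) -> List[Rule]:
    """The workaround from the question: enumerate every resource except secrets."""
    return [{"apiGroups": [g], "resources": [r], "verbs": ["*"]}
            for g, r in resources if not (g == "" and r == "secrets")]


def to_clusterrole_yaml(name: str, rules: List[Rule]) -> str:
    """Render rules as a ClusterRole manifest (tiny emitter, no PyYAML needed)."""
    def lst(values: List[str]) -> str:
        return "[" + ", ".join('"%s"' % v for v in values) + "]"
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
             "metadata:", "  name: %s" % name, "rules:"]
    for rule in rules:
        lines.append("- apiGroups: %s" % lst(rule["apiGroups"]))
        lines.append("  resources: %s" % lst(rule["resources"]))
        lines.append("  verbs: %s" % lst(rule["verbs"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Aggregating cluster-admin with the empty-verb rule changes nothing.
    merged = aggregate(CLUSTER_ADMIN, EMPTY_VERB_RULE)
    print("secrets readable after aggregation:", allowed(merged, "", "secrets", "get"))
    # The enumerate-and-omit role does drop direct access to secrets...
    narrowed = admin_without_secrets()
    print("secrets readable with narrowed role:", allowed(narrowed, "", "secrets", "get"))
    # ...but keeps verbs that lead back to them, e.g. creating pods that mount them.
    print("can still create pods:", allowed(narrowed, "", "pods", "create"))
    print(to_clusterrole_yaml("almost-cluster-admin", narrowed))
```

Two caveats a practitioner would want before relying on the generated role. First, it is a snapshot: resources added later (for example by CRDs) are not covered until the role is regenerated, and cluster-admin's nonResourceURLs rule is not reproduced. Second, removing the `secrets` rule does not remove indirect paths to secret data: a principal that can still create pods can mount secrets into them, and one that can still write RBAC objects can grant itself the permission back, so those verbs need trimming too if "cannot read secrets" is meant to hold.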
Source: StackOverflow