allow access to all resources on kubernetes cluster except get nodes

3/4/2019

Team, I have the below cluster role on kubernetes that allows access to everything, but I want to restrict node level commands and allow all the rest.

What should I modify below? Basically, the user should be able to run

kubectl get all --all-namespaces

but node info should NOT display

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin-test
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
-- fma abd
kubectl
kubernetes
rbac

1 Answer

3/5/2019

Rules are purely additive, meaning that you cannot restrict rules.

Thus, you will need to list all accessible resources but "nodes", with the appropriate operations.

For example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin-test   # a new role, not the built-in cluster-admin
rules:
# "" is the core API group; deployments (apps) and jobs (batch) live in
# other groups, so a single core-group rule cannot cover them
- apiGroups: [""]
  resources: ["pods", "services", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list"]

Also, it is highly recommended not to change the cluster-admin role. It is worth creating a new role and assigning users to it.

-- A_Suh
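As an added illustration of the additive rule semantics described in the answer (not code from the question or the answer), the script below builds a read-only ClusterRole covering the resource kinds that `kubectl get all` enumerates on recent clusters (the kind list is my assumption; confirm with `kubectl api-resources` on your cluster) and evaluates requests against it the way the RBAC authorizer does: a request is allowed only if some rule matches, and nothing can subtract from the questioner's wildcard rule.

```python
import json

# Resource kinds `kubectl get all` covers, keyed by API group ("" is the core
# group). Assumed list; deployments and jobs are deliberately NOT under "".
GET_ALL_RESOURCES = {
    "": ["pods", "services", "replicationcontrollers"],
    "apps": ["daemonsets", "deployments", "replicasets", "statefulsets"],
    "batch": ["jobs", "cronjobs"],
    "autoscaling": ["horizontalpodautoscalers"],
}
READ_VERBS = ["get", "list", "watch"]

# The questioner's original rule: everything, everywhere, so nodes included.
WILDCARD_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]


def build_cluster_role(name="view-all-but-nodes"):
    """Return a ClusterRole manifest (dict) with one rule per API group.
    Nodes are excluded simply by never being listed: RBAC has no deny rule."""
    rules = [
        {"apiGroups": [group], "resources": sorted(res), "verbs": READ_VERBS}
        for group, res in GET_ALL_RESOURCES.items()
    ]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": rules,
    }


def _matches(wanted, allowed):
    return "*" in allowed or wanted in allowed


def allows(role, group, resource, verb):
    """Additive evaluation: allowed iff at least one rule matches the request's
    apiGroup, resource and verb. There is no rule shape that can deny."""
    return any(
        _matches(group, r.get("apiGroups", []))
        and _matches(resource, r.get("resources", []))
        and _matches(verb, r.get("verbs", []))
        for r in role["rules"]
    )


if __name__ == "__main__":
    role = build_cluster_role()
    print(json.dumps(role, indent=2))  # kubectl apply -f accepts JSON manifests
    for req in [("", "pods", "list"), ("apps", "deployments", "get"),
                ("", "nodes", "get"), ("", "pods", "delete")]:
        print(req, "->", "allowed" if allows(role, *req) else "denied")
```

Bind the role with a ClusterRoleBinding so `--all-namespaces` works, then confirm with `kubectl auth can-i get nodes --as=<user>`, which should answer no.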
Source: StackOverflow