could kubernetes rbac control access path in secret

4/21/2019

I am learning rbac to do access control, here is my role definition:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: foobar-role
  labels:
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "patch"]

the role allow a subject to access secret, but I wonder is it possible to limit access to a specific path:

apiVersion: v1
data:
  keycloak.clientSecret: ...
  keycloak.url: ...
  user.password: ...
kind: Secret
metadata:
  creationTimestamp: "2019-04-21T08:07:21Z"
  labels:
    app: foobar-ce
    heritage: Tiller
    release: foobar
  name: foobar-secret
  namespace: default
  resourceVersion: "12348"
  selfLink: /api/v1/namespaces/default/secrets/foobar-secret
  uid: 7d8775d9-640c-11e9-8327-0242b821d21a
type: Opaque

For example, is it possible to change the role only is able to

  • view {.data.keycloak\.url} (read-only)
  • update {.data.keycloak\.clientSecret} (write-only)
-- qrtt1
kubernetes

1 Answer

4/22/2019

You can limit to a single resource (resourceNames in the policy), but not beyond that. I don't think the API even supports partial access.

-- coderanger
Source: StackOverflow