I am learning rbac to do access control, here is my role definition:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: foobar-role
labels:
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "patch"]
the role allow a subject to access secret, but I wonder is it possible to limit access to a specific path:
apiVersion: v1
data:
keycloak.clientSecret: ...
keycloak.url: ...
user.password: ...
kind: Secret
metadata:
creationTimestamp: "2019-04-21T08:07:21Z"
labels:
app: foobar-ce
heritage: Tiller
release: foobar
name: foobar-secret
namespace: default
resourceVersion: "12348"
selfLink: /api/v1/namespaces/default/secrets/foobar-secret
uid: 7d8775d9-640c-11e9-8327-0242b821d21a
type: Opaque
For example, is it possible to change the role only is able to
{.data.keycloak\.url}
(read-only){.data.keycloak\.clientSecret}
(write-only)You can limit to a single resource (resourceNames
in the policy), but not beyond that. I don't think the API even supports partial access.