K
Q

could kubernetes rbac control access path in secret

4/21/2019

I am learning rbac to do access control, here is my role definition:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: foobar-role
  labels:
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "patch"]

the role allow a subject to access secret, but I wonder is it possible to limit access to a specific path:

apiVersion: v1
data:
  keycloak.clientSecret: ...
  keycloak.url: ...
  user.password: ...
kind: Secret
metadata:
  creationTimestamp: "2019-04-21T08:07:21Z"
  labels:
    app: foobar-ce
    heritage: Tiller
    release: foobar
  name: foobar-secret
  namespace: default
  resourceVersion: "12348"
  selfLink: /api/v1/namespaces/default/secrets/foobar-secret
  uid: 7d8775d9-640c-11e9-8327-0242b821d21a
type: Opaque

For example, is it possible to change the role only is able to

  • view {.data.keycloak\.url} (read-only)
  • update {.data.keycloak\.clientSecret} (write-only)
-- qrtt1
kubernetes

Similar Questions

Flyway - Springboot - Kubernetes
Kubernetes: mysql pod failed to open log file /var/log/pods/
How can you scale Wordpress in Kubernetes cluster - using multiple pod replicas, - accessing a single PVC (persistent file storage)
Error "no persistent volumes available for this claim and no storage class is set"
Exposing Docker container port in Kubernetes config
kubernetes cluster adding windows node
What metrics Kubernetes scheduler depends on?
why node is not part of namespace?
Pulumi pods failed to fully initilialize or become live in gcp
Kubernetes single node cluster: dns not working after deploy new image

1 Answer

4/22/2019

You can limit to a single resource (resourceNames in the policy), but not beyond that. I don't think the API even supports partial access.

-- coderanger
Source: StackOverflow