Restrict user to access only one service in a namespace

4/30/2019

I have been trying to set up a scenario where a user should be able to perform all operations on the services in a namespace, except on one service, where he should be able to do only read operations.

Below is the ClusterRole I am using to give the users access to services at cluster level.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterRole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - serviceaccounts
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - namespaces
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - replicasets
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete

And I have created associated RoleBinding for the above ClusterRole.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: ClusterRole
  name: test-clusterRole
  apiGroup: rbac.authorization.k8s.io

Now, I am trying to create a Role and RoleBinding for the namespace "test-namespace" restricting user "pradeep" to read-only access for a specific service "test-service", as follows:

Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
    name: test-role
    namespace: test-namespace
rules:
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["test-service"]
    verbs: ["get","list","watch"]

RoleBinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding1
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: Role
  name: test-role
  apiGroup: rbac.authorization.k8s.io

But the user "pradeep" is still able to delete the specified service "test-service" for some reason. Are the test-clusterRole permissions overriding the test-role permissions? If so, how can I resolve this issue?

If not, please suggest a way to achieve this scenario.

-- Pradeep Kumar
kubernetes
rbac
roles
service

1 Answer

4/30/2019

The ClusterRole and Role permissions are additive. The ClusterRole permissions are taken as the base permissions for any namespace, and the Role permissions for specific namespaces are added to that.

If a user should only have access to a single namespace, he cannot be assigned to a ClusterRole.

-- Lukas Eichler
Source: StackOverflow
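The additive behaviour the answer describes can be reproduced without a cluster. The script below is an added example, not code from the question, the answer or Kubernetes itself: it is a small model of the RBAC authorizer that checks every rule of every Role or ClusterRole bound to the subject in the request's namespace and allows the request if any rule matches. It runs the "delete test-service" request against a reduced copy of the question's two bindings, then against an alternative layout that expresses the intent with allow-only rules: the base role keeps only get/list/watch/create on services, and a namespace Role grants update/delete on an explicit allow-list of the other services. The service names "frontend" and "backend" and the role name "services-write" are assumptions made for the example.

```python
"""Minimal model of Kubernetes RBAC authorization (added example, not code
from the question or the answer). Semantics mirrored from the RBAC docs:
all rules from all bindings that name the subject in the request's
namespace are unioned, the request is allowed if ANY rule matches, and
there is no deny rule and no precedence between Role and ClusterRole."""

from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)  # empty = any name

    def matches(self, group, resource, name, verb):
        if group not in self.api_groups or resource not in self.resources:
            return False
        if verb not in self.verbs:
            return False
        # A rule with resourceNames only matches a request that carries a
        # name. create and deletecollection never do, and list/watch only do
        # when the client sends a metadata.name field selector, so such a
        # rule cannot be used to hand out those verbs.
        return not self.resource_names or name in self.resource_names


@dataclass
class Binding:
    subject: str     # user name from the RoleBinding subjects
    namespace: str   # namespace of the RoleBinding
    role_name: str   # Role or ClusterRole referenced by roleRef
    rules: list


def authorize(bindings, user, namespace, group, resource, name, verb):
    """Return (allowed, [role names whose rules matched])."""
    matched = []
    for b in bindings:
        if b.subject != user or b.namespace != namespace:
            continue
        if any(r.matches(group, resource, name, verb) for r in b.rules):
            matched.append(b.role_name)
    return bool(matched), matched


READ = ["get", "list", "watch"]
WRITE = ["create", "update", "delete"]

# The question's setup, reduced to the rules that touch services.
question_setup = [
    Binding("pradeep", "test-namespace", "test-clusterRole",
            [Rule([""], ["replicationcontrollers", "services"], READ + WRITE)]),
    Binding("pradeep", "test-namespace", "test-role",
            [Rule([""], ["services"], READ, ["test-service"])]),
]

# Allow-only layout for the same intent. The base role loses update/delete
# on services; a namespace Role grants them on an explicit list of the
# other services (assumed names). create stays in the base role because
# resourceNames cannot limit it: the user may still create new services,
# but cannot update or delete test-service.
fixed_setup = [
    Binding("pradeep", "test-namespace", "test-clusterRole",
            [Rule([""], ["services"], READ + ["create"])]),
    Binding("pradeep", "test-namespace", "services-write",   # assumed name
            [Rule([""], ["services"], ["update", "delete"],
                  ["frontend", "backend"])]),                 # assumed names
]


def evaluate(setup, verb, name):
    """Authorize pradeep doing `verb` on services/<name> in test-namespace."""
    return authorize(setup, "pradeep", "test-namespace", "", "services",
                     name, verb)


if __name__ == "__main__":
    for label, setup in (("question", question_setup), ("fixed", fixed_setup)):
        for verb, name in (("delete", "test-service"), ("get", "test-service"),
                           ("delete", "frontend"), ("create", "")):
            ok, why = evaluate(setup, verb, name)
            print(f"{label:8} {verb:6} services/{name or '-'}: "
                  f"{'allowed' if ok else 'denied':7} via {why}")
```

With the question's bindings the delete is allowed purely through test-clusterRole; test-role contributes nothing to that request, and no Role can subtract what another binding grants. On a real cluster the same check is `kubectl auth can-i delete services/test-service --as pradeep -n test-namespace`, which answers yes or no from the API server's own authorizer. Two further points worth checking in the question's YAML: both RoleBindings also list the `default` ServiceAccount, so every pod in test-namespace that mounts its token inherits the same rights, including `create` on `pods/exec` and read on `secrets`; and because `create` cannot be narrowed by resourceNames, a user who may create services in the namespace can always add new ones, so the allow-list Role has to be maintained whenever a service that should be writable is added.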