How to make Kubernetes read-only

8/15/2019

Is there a way we can make Kubernetes read-only? I would like to temporarily disallow making changes to my K8s cluster for some time, but continue to allow all get operations. And then turn it back on.

-- UnderWood
docker
kubernetes
microservices
readonly
yaml

1 Answer

8/17/2019

As far as I know, there is no easy switch to do it.

As I understand, you use a multi-tenant Kubernetes cluster - multiple users are working on it and can do operations. In this case, I assume only one person is the cluster admin. And as the admin, you want to prevent everybody else from any write operations (but not yourself), and turn write access back on after a certain period.

So, the best way I can think of is, assuming you have RBAC enabled in your cluster, you can find out which Role/RoleBinding/ClusterRole/ClusterRoleBindings are giving your users the rights to modify the resources on the cluster. Then, you can write a script that exports those resources, deletes them from the cluster, and creates new ones that only give view access.

When you want to turn write access back on, you can delete the view-only resources you created, and re-apply the previous resources - put everything back to their places.

Writing this script wouldn't be trivial. You would need to go through RBAC docs quite well to understand how it works.

-- Utku Özdemir
Source: StackOverflow
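
A starting point for the script the answer describes, added here as an example and not part of the original answer: it reads an RBAC export, lists the bindings whose role grants anything beyond get/list/watch, and builds the read-only rule sets to bind in their place. The sample data, the `-readonly` name suffix and the `keep_subjects` parameter are assumptions made for illustration.

```python
import json

READ_VERBS = {"get", "list", "watch"}  # every other verb is treated as a write

# Constructed sample, shaped like the output of
# `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "deployer"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
             "verbs": ["get", "list", "patch", "delete"]},
            {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
 {"kind": "Role", "metadata": {"name": "viewer", "namespace": "team-a"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "alice-deploy", "namespace": "team-a"},
  "roleRef": {"kind": "ClusterRole", "name": "deployer"}, "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "RoleBinding", "metadata": {"name": "bob-view", "namespace": "team-a"},
  "roleRef": {"kind": "Role", "name": "viewer"}, "subjects": [{"kind": "User", "name": "bob"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "deployer"}, "subjects": [{"kind": "Group", "name": "cluster-admins"}]}
]}
""")

def read_only_rules(rules):
    """Keep only get/list/watch; drop rules that end up with no verbs."""
    out = []
    for rule in rules or []:  # aggregated ClusterRoles can export rules as null
        verbs = sorted(READ_VERBS) if "*" in rule["verbs"] else [v for v in rule["verbs"] if v in READ_VERBS]
        if verbs:
            out.append({**rule, "verbs": verbs})
    return out

def plan(items, keep_subjects=()):
    """Return (bindings to delete and recreate, read-only rules keyed by replacement role)."""
    roles = {(i["kind"], i["metadata"].get("namespace"), i["metadata"]["name"]): i
             for i in items if i["kind"] in ("Role", "ClusterRole")}
    to_swap, replacements = [], {}
    for b in (i for i in items if i["kind"].endswith("Binding")):
        ref, meta = b["roleRef"], b["metadata"]
        ns = meta.get("namespace") if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], ns, ref["name"]))
        # Leave the admin's own subjects and the control plane's system: bindings untouched.
        if role is None or meta["name"].startswith("system:") or any(
                s["name"] in keep_subjects for s in b.get("subjects") or []):
            continue
        if any(v not in READ_VERBS for r in role.get("rules") or [] for v in r["verbs"]):
            # roleRef is immutable, so the binding must be deleted and recreated.
            to_swap.append((b["kind"], meta.get("namespace"), meta["name"]))
            replacements[(ref["kind"], ns, ref["name"] + "-readonly")] = read_only_rules(role.get("rules"))
    return to_swap, replacements
```

Export the original objects to files before deleting anything, since re-applying those files is what turns write access back on.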