We have multiple k8s clusters which are used by many teams for their microservices. We've restricted kubectl access to a limited set of members only, but many times we get a request for allowing read-only kubectl access.

Many of our k8s clusters are running on EC2 and provisioned via kops. Version details:
$ kubectl version --short
Client Version: v1.13.0
Server Version: v1.11.6
---
$ kops version
Version 1.12.2
I tried to create a test-pod with kubectl installed in it, with a readonly clusterrole and clusterrolebinding attached. I can see that kubectl from within the pod has read-only access, but it needs me to kubectl exec into the pod. So I don't know how I can restrict this access?

I have tried this but still don't know how to restrict access.
You need to make users in whatever authentication system you are using and then set the role binding to be aimed at those users, not a service account. Service accounts are for services, not humans.
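As an added example (not part of the question or answer above), this is what "bind the role to users, not a service account" looks like in RBAC: a read-only ClusterRole bound to a human group and to a single user. The group name `readonly-users` and the user `alice` are placeholders; they must match what the cluster's authenticator reports (for the client certificates kops issues, the certificate CN becomes the username and the O field becomes the group list).

```yaml
# Added example: read-only ClusterRole bound to human users/groups.
# Assumptions: "readonly-users" (group) and "alice" (user) are placeholders
# that must exist in whatever authentication system the cluster uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly
rules:
  # Read-only verbs only: no create/update/patch/delete.
  # "pods/exec" is deliberately absent (exec is a "create" on that
  # subresource), and "secrets" is left out because "get" on a secret
  # returns its contents. The built-in "view" ClusterRole makes the
  # same choice and is a reasonable alternative to a custom role.
  - apiGroups: [""]
    resources:
      - pods
      - pods/log
      - services
      - endpoints
      - configmaps
      - namespaces
      - events
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly
subjects:
  # Group subject: every authenticated user whose groups include
  # "readonly-users" gets the role. Note the kind is Group, not ServiceAccount.
  - kind: Group
    name: readonly-users
    apiGroup: rbac.authorization.k8s.io
  # Or bind one named human user directly.
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
```

After applying this with `kubectl apply -f`, a cluster admin can confirm the effective permissions with `kubectl auth can-i get pods --as=alice` (expected `yes`) and `kubectl auth can-i create pods --as=alice` (expected `no`).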