simplify creation of kubernetes RBAC definition

10/29/2019

I would like to create a new cluster-role that is basically the same as the cluster-admin but without the ability for users to:

1) create, modify or delete PVs
2) create, modify or delete namespaces
3) prevent view, create, modify, delete of new RBAC permissions

How do I do this?

I was trying to take inspiration from the cluster-admin role, but everything was specified with *.

-- yee379
kubernetes
rbac
roles
yaml

2 Answers

10/29/2019

You need to create rules for each resource, as shown below:

rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
-- P Ekambaram
Source: StackOverflow

10/29/2019

There are unfortunately no "negative" permissions, so that you could start from all permissions (with *) and then take away specific permissions. If you don't want all items of a set (which you could specify with *), you have to enumerate all of those items that you want.

You can find a complete list of resources and their API groups with:

kubectl api-resources

In your case, PVs and namespaces are in the core API group and RBAC resources are in the rbac.authorization.k8s.io API group. So, it's only in these two API groups that you would need to enumerate all resources that you want to grant permissions for. Regarding all the other API groups, you can just list them in a single RBAC rule and set resources and verbs to *.
Your ClusterRole definition might look something like this (however, the precise set of API groups and resources might be different in your cluster):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-cluster-admin
rules:
  # Read permissions for PVs and namespaces in the core API group
  - apiGroups: [""]
    resources: [persistentvolumes, namespaces]
    verbs: [get, list]
  # Full permissions for all other resources in the core API group
  - apiGroups: [""]
    resources: [bindings, componentstatuses, configmaps, endpoints, events, limitranges, nodes, persistentvolumeclaims, pods, podtemplates, replicationcontrollers, resourcequotas, secrets, serviceaccounts, services]
    verbs: ['*']
  # Full permissions for all API groups except "core" and "*.authorization.k8s.io"
  - apiGroups: [admissionregistration.k8s.io, apiextensions.k8s.io, apiregistration.k8s.io, apps, authentication.k8s.io, autoscaling, batch, certificates.k8s.io, coordination.k8s.io, crd.k8s.amazonaws.com, events.k8s.io, extensions, monitoring.coreos.com, networking.k8s.io, policy, scheduling.k8s.io, storage.k8s.io]
    resources: ['*']
    verbs: ['*']
  # Full permissions for all non-resource URLs
  - nonResourceURLs: ['*']
    verbs: ['*']

You can generate the list of API groups and resources by doing some text manipulation on the output of kubectl api-resources.

The definition has four rules which should achieve what you want:

  1. Only read permissions for PVs and namespaces
  2. Full permissions for all other resources (except PVs and namespaces) in the core API group
  3. Full permissions for all API groups except core and *.authorization.k8s.io (there are no permissions for *.authorization.k8s.io at all)
  4. Full permissions for all non-resource URLs
-- weibeld
Source: StackOverflow
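The "text manipulation on the output of kubectl api-resources" that weibeld mentions, written out as an added example (this is not code from either answer). It assumes the `-o name` output form of `kubectl api-resources`, where each line is `<resource>` for the core group or `<resource>.<group>` otherwise; the sample output below is constructed, not captured from a real cluster, and the function names (`parse_api_resources`, `build_rules`, `render_clusterrole`, `allows`) are my own. `allows` is a deliberately simplified RBAC evaluation (group, resource and verb only; no subresources, resourceNames or non-resource URLs) used to sanity-check the generated rules before they are applied.

```python
"""Build a 'cluster-admin minus PVs, namespaces and RBAC' ClusterRole from
`kubectl api-resources -o name` output, in the four-rule shape of the answer above."""

# Constructed sample of `kubectl api-resources -o name` output (not from a real cluster).
SAMPLE_API_RESOURCES = """\
configmaps
namespaces
nodes
persistentvolumeclaims
persistentvolumes
pods
secrets
serviceaccounts
services
daemonsets.apps
deployments.apps
statefulsets.apps
localsubjectaccessreviews.authorization.k8s.io
subjectaccessreviews.authorization.k8s.io
cronjobs.batch
jobs.batch
ingresses.networking.k8s.io
networkpolicies.networking.k8s.io
clusterrolebindings.rbac.authorization.k8s.io
clusterroles.rbac.authorization.k8s.io
rolebindings.rbac.authorization.k8s.io
roles.rbac.authorization.k8s.io
storageclasses.storage.k8s.io
"""

# Policy from the question: PVs and namespaces read-only, nothing at all in the
# *.authorization.k8s.io groups, everything else as cluster-admin.
READ_ONLY = {("", "persistentvolumes"), ("", "namespaces")}
READ_VERBS = ["get", "list"]
DENIED_GROUP_SUFFIX = "authorization.k8s.io"  # authorization.k8s.io and rbac.authorization.k8s.io


def parse_api_resources(text):
    """Turn `kubectl api-resources -o name` lines into (group, resource) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The name form splits at the first dot: core resources have no group part.
        resource, _, group = line.partition(".")
        pairs.append((group, resource))
    return pairs


def is_denied_group(group):
    return group == DENIED_GROUP_SUFFIX or group.endswith("." + DENIED_GROUP_SUFFIX)


def build_rules(pairs):
    """Return the four rules: read-only core resources, full access to the other core
    resources, full access to every other allowed API group, all non-resource URLs."""
    core_full = sorted(r for g, r in pairs if g == "" and (g, r) not in READ_ONLY)
    other_groups = sorted({g for g, _ in pairs if g != "" and not is_denied_group(g)})
    return [
        {"apiGroups": [""], "resources": sorted(r for _, r in READ_ONLY), "verbs": READ_VERBS},
        {"apiGroups": [""], "resources": core_full, "verbs": ["*"]},
        {"apiGroups": other_groups, "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ]


def render_clusterrole(name, rules):
    """Render the rules as a ClusterRole manifest using flow-style YAML lists."""
    def flow(items):
        return "[" + ", ".join(f'"{i}"' for i in items) + "]"
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", f"  name: {name}", "rules:"]
    for rule in rules:
        first = True
        for key, value in rule.items():
            out.append(("  - " if first else "    ") + f"{key}: {flow(value)}")
            first = False
    return "\n".join(out) + "\n"


def allows(rules, group, resource, verb):
    """Simplified RBAC check: allowed if any resource rule matches group, resource
    and verb, each either listed explicitly or covered by '*'."""
    for rule in rules:
        if "nonResourceURLs" in rule:
            continue
        if (group in rule["apiGroups"] or "*" in rule["apiGroups"]) \
                and (resource in rule["resources"] or "*" in rule["resources"]) \
                and (verb in rule["verbs"] or "*" in rule["verbs"]):
            return True
    return False


if __name__ == "__main__":
    rules = build_rules(parse_api_resources(SAMPLE_API_RESOURCES))
    print(render_clusterrole("my-cluster-admin", rules))
    for check in [("", "persistentvolumes", "create"), ("", "pods", "delete"),
                  ("rbac.authorization.k8s.io", "clusterroles", "get")]:
        print(check, "->", "allowed" if allows(rules, *check) else "denied")
```

Feed it real output with `kubectl api-resources -o name > resources.txt` and read that file instead of the constructed sample; any group that must stay excluded is handled by `is_denied_group`, and any single resource that should be read-only goes into `READ_ONLY`. Once the ClusterRole is applied and bound, `kubectl auth can-i create persistentvolumes --as=<user>` is the authoritative check, since the `allows` helper here only mirrors the rule matching for the three fields it knows about.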