K
Q

RBAC role to manage single pod with dynamic name

12/24/2019

I need to grant access to one deployment and all pods of this deployment using RBAC. I've managed to configure Role and RoleBinding for the deploymet, and it's working fine:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: <my-namespace>
  name: <deployment>-manager-role
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments"]
    resourceNames: ["<deployment>"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: <deployment>-manager-binding
  namespace: <my-namespace>
subjects:
  - kind: User
    name: <username>
    apiGroup: ""
roleRef:
  kind: Role
  name: <deployment>-manager-role
  apiGroup: ""

Using this role user can access, update and patch the deployment. This deployment creates pods with dynamic names (like <deployment>-5594cbfcf4-v4xx8). I tried to allow this user to access these pods (get, list, watch, read logs, exec, delete) using deployment name and using deployment name + wildcard char *:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: <my-namespace>
  name: <deployment>-pods-manager-role
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["pods"]
    resourceNames: ["<deployment>*"]
    verbs: ["get", "list", "watch", "update", "patch", "exec", "delete"]

I also updated the role binding. But when I try to get the pod:

kubectl --context=<username>-ctx -n <namespace> get pods <deployment>-5594cbfcf4-v4xx8

I'm getting error:

Error from server (Forbidden): pods "<deployment>-5594cbfcf4-v4xx8" is forbidden: User "<username>" cannot get resource "pods" in API group "" in the namespace "<namespace>"

If I add <deployment>-5594cbfcf4-v4xx8 to the list of resourceNames, user can access this pod.

Is it possible to grant access to the specific pods based on deployment name?

-- Kirill
kubernetes
kubernetes-deployment
kubernetes-pod
rbac
roles

Similar Questions

http request always blocked in container of k8s cluster pod
setting up rabbitmq in k8s with nginx ingress controller
pods container (podsgke) and CPU usage
coredns can't start when using crio and with selinux on
DestinationRule is not applied on ServiceEntry
&#39;realpath(): Permission denied&#39; when running dotnet ef command as non-root in dotnet/sdk:3.1-bullseye container on k8s
Using the Python kubernetes API, is there a way to list secrets in &quot;my current namespace&quot;?
Why kubernetes uses bost Rest API and gRPC?
no resource found after deploy issuer of cert manager in kops aws
Get helm release values (helm show values) via the Kubernetes Dashboard

1 Answer

12/24/2019

In Kubernetes, pods are considered as an ephemeral "cattle", they come and go. You shouldn't try to manage RBAC per pod.

In your use case, there is unfortunately no way to grant a role over a set of pods matching a certain name, because the resourceNames field doesn't support patterns like prefixes/suffixes. Don't get confused: a single asterisk character ('*') has a special meaning that means "all", but it's not a pattern. So, 'my-app-* in resourceNames will not work. There were tickets opened for this feature, but it wasn't implemented:
https://github.com/kubernetes/kubernetes/issues/56582

There was also a request to be able to manage RBAC over labels, but that feature isn't implemented neither:
https://github.com/kubernetes/kubernetes/issues/44703

Therefore, you probably need to change your model to grant roles to users to manage all pods in a certain namespace. Your deployment should be the only "source of pods" in that namespace. That way, you will not need to specify any resource names.

-- Utku Ă–zdemir
Source: StackOverflow