How do I create a Kubernetes RBAC policy on a set of autoscaling pods (or is it even possible)?

3/10/2020

My goal is to create a Kubernetes role to limit kubectl exec access on pods under a specific deployment. I have a policy built below that successfully creates the role when the number & names of my pods are all static. The problem is that my deployment horizontally autoscales so if a new pod is created then the role will not apply to that new pod (since each pod name is explicitly defined in the role) & the new pod will have a random hash appended to its name.

The format below is in Terraform, but it's the same high-level structure as a role defined in YAML:

# Block labels quoted as Terraform expects; <pod names> is the list of
# explicit pod names, left as a placeholder exactly as in the question.
resource "kubernetes_cluster_role" "alb_exec_role" {
  metadata {
    name = "alb-exec-role"
  }

  # Read access to the named pods and their logs
  rule {
    api_groups     = [""]
    resources      = ["pods", "pods/log"]
    resource_names = [<pod names>]
    verbs          = ["get", "list"]
  }

  # kubectl exec is a "create" on the pods/exec subresource
  rule {
    api_groups     = [""]
    resources      = ["pods/exec"]
    resource_names = [<pod names>]
    verbs          = ["create"]
  }
}
-- user3088470
kubernetes
rbac

1 Answer

3/10/2020

Foremost, why not remove pod/exec from all Pods in that Role, and then whitelist those which you do tolerate exec-ing into?

That said, the thing you want is likely a custom controller which listens to Pod events in that Namespace and updates the RBAC Role when the new Pod is created or scheduled.

-- mdaniel
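A minimal version of the controller the answer describes, added here as an example and not code from either poster: it keeps a live set of pod names from a namespaced Pod watch and re-renders the question's two rules into a Role with `resourceNames` set to those pods. It assumes the pods carry the label `app=alb`, that the Role `alb-exec-role` already exists in the namespace (the controller replaces it rather than creating it), and it emits a namespaced Role instead of the question's ClusterRole so the grant cannot reach pods in other namespaces.

```python
from typing import Dict, List

# Assumed values, not taken from the question: label selecting the deployment's
# pods, and the name of the Role the controller keeps in sync.
LABEL_SELECTOR = "app=alb"
ROLE_NAME = "alb-exec-role"


def build_exec_role(namespace: str, pod_names: List[str]) -> Dict:
    """Render the question's two rules for the given set of live pod names."""
    names = sorted(set(pod_names))  # deterministic, duplicate-free whitelist
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",  # namespaced, so the grant stays inside this namespace
        "metadata": {"name": ROLE_NAME, "namespace": namespace},
        "rules": [
            {"apiGroups": [""], "resources": ["pods", "pods/log"],
             "resourceNames": names, "verbs": ["get", "list"]},
            {"apiGroups": [""], "resources": ["pods/exec"],
             "resourceNames": names, "verbs": ["create"]},
        ],
    }


def role_names(role: Dict) -> List[str]:
    """Pod names a Role currently whitelists (union over all its rules)."""
    return sorted({n for r in role.get("rules", []) for n in r.get("resourceNames", [])})


def needs_update(role: Dict, pod_names: List[str]) -> bool:
    """True when the Role's whitelist differs from the set of live pods."""
    return role_names(role) != sorted(set(pod_names))


def run_controller(namespace: str) -> None:
    """Watch Pods matching LABEL_SELECTOR and rewrite the Role on each change."""
    from kubernetes import client, config, watch  # official kubernetes client
    config.load_kube_config()
    core, rbac = client.CoreV1Api(), client.RbacAuthorizationV1Api()
    live: set = set()
    current: Dict = rbac.read_namespaced_role(ROLE_NAME, namespace).to_dict()
    # The stream first replays ADDED for every existing pod, then follows changes.
    for ev in watch.Watch().stream(core.list_namespaced_pod, namespace,
                                   label_selector=LABEL_SELECTOR):
        name = ev["object"].metadata.name
        if ev["type"] == "DELETED":
            live.discard(name)  # remove the pod name as soon as the pod goes away
        else:
            live.add(name)
        if needs_update(current, sorted(live)):
            current = build_exec_role(namespace, sorted(live))
            rbac.replace_namespaced_role(ROLE_NAME, namespace, current)
```

Because the Role is rewritten only after the Pod event arrives, a freshly scheduled pod is briefly outside the whitelist; that is a denial, not an over-grant, so the gap fails closed.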
Source: StackOverflow