K8S RBAC role to allow everything except namespaces and service accounts

3/17/2020

Consider the RBAC role below. Is it possible to write a more sophisticated regex for resources: that prevents access to service accounts and namespaces but allows everything else?

- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
-- kgunjikar
kubernetes

1 Answer

4/1/2020

A simple workaround is to disable the possibility of accessing resources within a namespace. Execute the command:

$ kubectl api-resources --namespaced=false

Non-namespaced resources will be returned; otherwise namespaced resources are returned by default.

Also while you are using:

  • apiGroups: "*" - this means that you want to grant access for all groups within the Kubernetes API (both core API groups and named groups).

  • resources: "*" - this means that you want to grant access for all resources (get, services, endpoints, etc.).

  • verbs: "*" - this means that you want to allow all operations on the specified objects (get, list, edit, etc.).

In your case, as you defined it, you don't prevent access but grant it to every object.

Take a look at: api-resources.

-- MaggieO
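The point behind the answer above is that Kubernetes RBAC is allow-only: a rule can only grant, there is no deny rule, and `resources:` accepts literal resource names or "*", never a regex. "Everything except namespaces and service accounts" therefore has to be expanded into an explicit allow-list of every other resource, which is exactly what `kubectl api-resources` enumerates. The script below is an added example, not code from the question or the answer: it parses the table that `kubectl api-resources` prints (by header column offsets, because blank SHORTNAMES/APIGROUP cells make whitespace splitting unreliable), drops the two excluded resource names, and emits one ClusterRole rule per API group. The embedded sample table is constructed for the example, not captured from a real cluster; the function and variable names are the example's own.

```python
"""Expand "everything except namespaces and serviceaccounts" into an RBAC allow-list.

RBAC rules only grant (no deny, no regex in `resources:`), so the complement of a
small exclusion set must be spelled out as the full list of remaining resources.
"""
import sys
from collections import defaultdict

# kubectl prints a whitespace-aligned table. SHORTNAMES and APIGROUP cells may be
# blank, so rows are sliced by header column offsets instead of split().
COLUMN_WIDTHS = (23, 13, 31, 13)


def render_table(rows):
    """Align rows the way kubectl does (used only to build the constructed sample)."""
    lines = []
    for cells in rows:
        padded = "".join(c.ljust(w) for c, w in zip(cells, COLUMN_WIDTHS))
        lines.append(padded + cells[-1])
    return "\n".join(lines) + "\n"


# Constructed sample (not from a real cluster); a real listing is far longer.
# Older kubectl prints APIGROUP, newer ones print APIVERSION (group/version);
# parse_api_resources handles both header layouts.
SAMPLE_API_RESOURCES = render_table([
    ("NAME", "SHORTNAMES", "APIGROUP", "NAMESPACED", "KIND"),
    ("bindings", "", "", "true", "Binding"),
    ("configmaps", "cm", "", "true", "ConfigMap"),
    ("namespaces", "ns", "", "false", "Namespace"),
    ("pods", "po", "", "true", "Pod"),
    ("secrets", "", "", "true", "Secret"),
    ("serviceaccounts", "sa", "", "true", "ServiceAccount"),
    ("services", "svc", "", "true", "Service"),
    ("daemonsets", "ds", "apps", "true", "DaemonSet"),
    ("deployments", "deploy", "apps", "true", "Deployment"),
    ("clusterroles", "", "rbac.authorization.k8s.io", "false", "ClusterRole"),
    ("rolebindings", "", "rbac.authorization.k8s.io", "true", "RoleBinding"),
])

# Resource names (in any API group) that must never be granted.
EXCLUDED = frozenset({"namespaces", "serviceaccounts"})


def parse_api_resources(table):
    """Parse `kubectl api-resources` output into dicts: name, group, namespaced, kind."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    header, body = lines[0], lines[1:]
    names = header.split()
    starts, pos = [], 0
    for col in names:  # locate each header word left to right
        pos = header.index(col, pos)
        starts.append(pos)
        pos += len(col)
    ends = starts[1:] + [None]
    resources = []
    for line in body:
        rec = dict(zip(names, (line[s:e].strip() for s, e in zip(starts, ends))))
        if "APIGROUP" in rec:
            group = rec["APIGROUP"]
        else:  # APIVERSION is "group/version", or just "version" for the core group
            ver = rec["APIVERSION"]
            group = ver.rsplit("/", 1)[0] if "/" in ver else ""
        resources.append({"name": rec["NAME"], "group": group,
                          "namespaced": rec["NAMESPACED"] == "true", "kind": rec["KIND"]})
    return resources


def build_rules(resources, excluded=EXCLUDED, verbs=("*",)):
    """One rule per API group, listing every resource not in `excluded`."""
    by_group = defaultdict(list)
    for res in resources:
        if res["name"] in excluded:
            continue
        by_group[res["group"]].append(res["name"])
    return [{"apiGroups": [group], "resources": sorted(names), "verbs": list(verbs)}
            for group, names in sorted(by_group.items())]


def to_clusterrole_yaml(name, rules):
    """Emit the ClusterRole manifest; "" is how RBAC names the core API group."""
    def seq(items):
        return "[" + ", ".join(f'"{i}"' for i in items) + "]"
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", f"  name: {name}", "rules:"]
    for rule in rules:
        out.append(f"- apiGroups: {seq(rule['apiGroups'])}")
        out.append(f"  resources: {seq(rule['resources'])}")
        out.append(f"  verbs: {seq(rule['verbs'])}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # `kubectl api-resources | python3 rbac_allowlist.py` uses the live listing;
    # run without stdin to see the constructed sample expanded.
    table = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_API_RESOURCES
    print(to_clusterrole_yaml("almost-everything", build_rules(parse_api_resources(table))))
```

Two caveats a reviewer of the resulting ClusterRole should keep in mind. First, the list is a snapshot: CRDs installed later are not covered until the manifest is regenerated, and subresources such as `pods/exec` or `serviceaccounts/token` are not listed by `kubectl api-resources`, so they are not granted unless added by hand. Second, leaving `serviceaccounts` out of the allow-list does not keep service-account credentials out of reach: with `create` on `pods` the subject can run a pod under any existing `serviceAccountName` in the namespace, and because `verbs: ["*"]` includes `bind` and `escalate`, `create` on `rolebindings` and `clusterrolebindings` lets the subject bind roles it does not itself hold. Narrow the verbs on those resources if that is not intended.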
Source: StackOverflow