K
Q

Can I create a kubernetes role in 'exclude mode'?

2/2/2021

For example, I want to create a role without "get", "list" or "watch" resource "pod" permissions. Is there any convenient way to quickly create this rule?

rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Pod
  # objects is "pods"
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
-- Anur Sakurakouji
kubernetes

Similar Questions

Is `helm reset --force` meant to be executed once per physical host or once per cluster?
How can A service of Google Cloud Run for Anthos on GKE connect to Firestore on different project of different organization?
NET_ADMIN capability security implications
Is there a way to resize a GKE cluster to 0 nodes after a certain amount of idle time?
How can I use the port of a server running on localhost in kubernetes running spring boot app

1 Answer

2/2/2021

No, roles are purely additive, there are no deny rules.

In the ticket Add Support to Deny RBAC Rules #85963 there is lots of discussions around this. The issue was eventually closed with the follwoing rationale

This is unlikely to make progress as an issue. While there is clear interest, deny rules were considered and decided against during development of RBAC because of the complexity, implications to upgrades, and unclear superuser/non-superuser interactions.

-- danielorn
Source: StackOverflow