Can I create a kubernetes role in 'exclude mode'?

2/2/2021

For example, I want to create a role without "get", "list" or "watch" resource "pod" permissions. Is there any convenient way to quickly create this rule?

rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Pod
  # objects is "pods"
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
-- Anur Sakurakouji
kubernetes

1 Answer

2/2/2021

No, roles are purely additive, there are no deny rules.

In the ticket Add Support to Deny RBAC Rules #85963 there is lots of discussion around this. The issue was eventually closed with the following rationale:

This is unlikely to make progress as an issue. While there is clear interest, deny rules were considered and decided against during development of RBAC because of the complexity, implications to upgrades, and unclear superuser/non-superuser interactions.

-- danielorn
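Since rules are additive and there is no deny, the only way to get the "exclude" effect from the question is to enumerate every verb you do want on the resource, and then make sure no other rule in the role (wildcards in particular) grants the excluded verbs back. The script below, an added example that is not part of the question or the answer, builds such a Role for the "pods" example and audits a rule list for that leakage; the standard verb list and the resource/namespace names are assumptions.

```python
import json

# Verbs the Kubernetes RBAC authorizer defines for standard resources
# (assumption: the core-group "pods" resource from the question).
STANDARD_VERBS = ("get", "list", "watch", "create", "update", "patch",
                  "delete", "deletecollection")


def exclude_verbs_role(name, namespace, resource, excluded, api_group=""):
    """Build a Role granting every standard verb on `resource` except those
    in `excluded`. RBAC has no deny rule, so the complement is spelled out;
    "*" is never used because it would silently re-grant the excluded verbs."""
    allowed = [v for v in STANDARD_VERBS if v not in set(excluded)]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [{"apiGroups": [api_group],
                   "resources": [resource],
                   "verbs": allowed}],
    }


def rule_allows(rule, api_group, resource, verb):
    """True if one RBAC rule grants `verb` on `resource` in `api_group`,
    treating "*" as a wildcard the way the authorizer does."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def leaked_verbs(rules, api_group, resource, excluded):
    """Audit a rule list: the excluded verbs that some rule still grants.
    Rules are additive, so a single permissive rule undoes the exclusion."""
    return sorted(v for v in excluded
                  if any(rule_allows(r, api_group, resource, v) for r in rules))


if __name__ == "__main__":
    role = exclude_verbs_role("pod-writer-no-read", "dev", "pods",
                              ["get", "list", "watch"])
    print(json.dumps(role, indent=2))  # kubectl apply -f accepts JSON manifests
    # A second, innocent-looking rule with a resource wildcard re-grants "list".
    wide = role["rules"] + [{"apiGroups": [""], "resources": ["*"], "verbs": ["list"]}]
    print(leaked_verbs(wide, "", "pods", ["get", "list", "watch"]))  # ['list']
```

The audit only covers the rules you pass in; bindings to other roles or ClusterRoles add to the same union, so check those too.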
Source: StackOverflow