For example, I want to create a role without "get", "list" or "watch" resource "pod" permissions. Is there any convenient way to quickly create this rule?
rules:
- apiGroups: [""]
#
# at the HTTP level, the name of the resource for accessing Pod
# objects is "pods"
resources: ["pods"]
verbs: ["get", "list", "watch"]
No, roles are purely additive, there are no deny rules.
In the ticket Add Support to Deny RBAC Rules #85963 there is lots of discussions around this. The issue was eventually closed with the follwoing rationale
This is unlikely to make progress as an issue. While there is clear interest, deny rules were considered and decided against during development of RBAC because of the complexity, implications to upgrades, and unclear superuser/non-superuser interactions.