I need to restrict edit access on a particular ConfigMap in Kubernetes, while everybody should keep access to the remaining ConfigMaps.
I tried to modify the RBAC rules in the following way, but no luck: it still allows me to edit it with kubectl.
rule {
  api_groups = [""]
  resources  = ["configmaps"]
  verbs      = ["get", "list", "delete", "watch", "create", "patch"]
}
rule {
  api_groups     = [""]
  resources      = ["configmaps"]
  resource_names = ["test-cm"]
  verbs          = ["get"]
}
Please find the role below.
Role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    env_name: dev
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    manager: HashiCorp
    operation: Update
    time: "2021-12-03T09:37:59Z"
  name: id0624-role
  namespace: id0624
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - ""
  resources:
  - pods/log
  - pods
  verbs:
  - list
  - watch
  - create
  - patch
  - get
  - delete
- apiGroups:
  - apps
  - extensions
  resources:
  - deployments
  verbs:
  - list
  - watch
  - create
  - patch
  - get
  - delete
- apiGroups:
  - ""
  resourceNames:
  - test-cm
  resources:
  - configmaps
  verbs:
  - list
  - watch
  - create
  - patch
  - get
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - list
  - watch
  - create
  - patch
  - get
  - delete
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - watch
  - create
  - patch
  - get
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - list
  - watch
  - create
  - patch
  - get
  - delete
- apiGroups:
  - extensions
  - batch
  resources:
  - jobs
  verbs:
  - list
  - watch
  - create
  - update
  - patch
  - get
  - delete
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - list
  - watch
  - create
  - update
  - patch
  - get
  - delete
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - list
  - watch
  - create
  - update
  - patch
  - get
  - delete
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - list
  - watch
  - create
  - update
  - patch
  - get
  - delete
Please find the RoleBinding below.
We are using an AWS IAM roleRef.
RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"<name>","namespace":"<name>"},"roleRef":{"apiGroup":"","kind":"Role","name":"<role-name>"},"subjects":[{"apiGroup":"","kind":"ServiceAccount","name":"default"}]}
  creationTimestamp: "2021-12-03T09:38:00Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: HashiCorp
    operation: Update
    time: "2021-12-03T09:38:00Z"
  name: <my-rolebinding>
  namespace: <my-namespace>
  resourceVersion: "31585147"
  uid: 431a8b03-f1b8-43e9-ba44-ab85284b56f9
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: <my-app-name>
subjects:
- kind: ServiceAccount
  name: default
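As an added illustration (not code from the question), a small Python model of how Kubernetes RBAC evaluates a role: every rule is a grant and any matching rule allows the request, so the unrestricted configmaps rule makes the resourceNames rule on test-cm irrelevant. The allow-list rewrite and the ConfigMap names app-cm and feature-flags are assumed examples.

```python
"""Minimal model of Kubernetes RBAC authorization (added example): a request is
allowed if ANY rule in the bound role matches. Rules are purely additive; there
is no deny rule, so a broad rule cannot be narrowed by a second, tighter one."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)

def _matches(allowed_values, value):
    return "*" in allowed_values or value in allowed_values

def allowed(rules, api_group, resource, verb, name=None):
    """Return True if any rule grants `verb` on `resource` (object `name`)."""
    for r in rules:
        if not (_matches(r.api_groups, api_group)
                and _matches(r.resources, resource)
                and _matches(r.verbs, verb)):
            continue
        # resourceNames narrows a rule to named objects; an empty list means all.
        # It cannot constrain create (the object name is not in the request URL).
        if r.resource_names and (verb == "create" or name not in r.resource_names):
            continue
        return True
    return False

# The two configmaps rules from the question, in the order they were written.
QUESTION_RULES = [
    Rule([""], ["configmaps"], ["get", "list", "delete", "watch", "create", "patch"]),
    Rule([""], ["configmaps"], ["get"], ["test-cm"]),
]

# Allow-list rewrite (assumed example names): read every ConfigMap, but edit only
# the ones named explicitly. test-cm is simply left off that list, because RBAC
# cannot express "all ConfigMaps except test-cm".
ALLOWLIST_RULES = [
    Rule([""], ["configmaps"], ["get", "list", "watch"]),
    Rule([""], ["configmaps"], ["patch", "delete"], ["app-cm", "feature-flags"]),
]

def can_patch_test_cm(rules):
    return allowed(rules, "", "configmaps", "patch", "test-cm")
```

`can_patch_test_cm(QUESTION_RULES)` is True and `can_patch_test_cm(ALLOWLIST_RULES)` is False; on a live cluster the equivalent check is `kubectl auth can-i patch configmaps/test-cm --as=system:serviceaccount:<namespace>:default`.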