Kubernetes service account with upgrade/patch permission to annotation of deployment

12/15/2021

I want to create a Kubernetes service account and roles/RBAC that will grant permission to patch/update the annotations of a deployment. The service account should not be able to perform any other update on the Kubernetes deployment. It should have update and patch permission on the metadata section only.

-- Akshay Gopani
kubernetes
kubernetes-deployment
kubernetes-rbac
kubernetes-security

1 Answer

12/24/2021

I will give you an example of how you can create your service account depending on your needs; you can take my example and easily modify it. It looks something like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role # use ClusterRole (bound with a ClusterRoleBinding) if the service account needs this across all namespaces
metadata:
  namespace: default # the namespace the deployments live in
  name: depl-patch-role
rules:
- apiGroups: ["apps"] # Deployments are in the "apps" API group, not the core group ("")
  resources: ["deployments"]
  verbs: ["update", "patch"]

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: depl-patch-sa
  namespace: default

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: depl-patch-rolebinding
  namespace: default
subjects:
- kind: ServiceAccount
  name: depl-patch-sa
  namespace: default # required for ServiceAccount subjects
  apiGroup: "" # ServiceAccount subjects belong to the core group
roleRef:
  kind: Role
  name: depl-patch-role
  apiGroup: rbac.authorization.k8s.io # roleRef must name the RBAC API group

Hope this helps. You can find more info about roles/RBAC in the official documentation.

-- Bazhikov
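Kubernetes RBAC authorizes whole verbs on whole resources: a Role that grants `patch` on `deployments` lets the subject patch `spec.replicas` or the pod template just as freely as `metadata.annotations`, and there is no RBAC syntax for "metadata only". The annotations-only half of the question therefore needs a second control in the admission path. The manifests below are an added example, not part of the answer above: a ValidatingAdmissionPolicy (GA in Kubernetes v1.30 as `admissionregistration.k8s.io/v1`) that rejects any update to a Deployment in the `default` namespace made by the service account from the answer (`system:serviceaccount:default:depl-patch-sa`) unless `spec` and `metadata.labels` are unchanged. It assumes the Role above has `apiGroups: ["apps"]`, since Deployments live in the `apps` group, and the Deployment name `web` in the usage commands is hypothetical.

```yaml
# Added example: limit depl-patch-sa to annotation-only changes on Deployments.
# Assumes the Role/RoleBinding from the answer (apiGroups: ["apps"]) and
# Kubernetes >= 1.30 for the v1 ValidatingAdmissionPolicy API.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: depl-annotations-only
spec:
  failurePolicy: Fail           # if the policy cannot be evaluated, refuse the request
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["UPDATE"]   # PATCH requests reach admission as UPDATE
      resources:   ["deployments"]
  matchConditions:
  # Only constrain the annotation-patching service account; everyone else is
  # governed by their own RBAC as usual.
  - name: only-depl-patch-sa
    expression: "request.userInfo.username == 'system:serviceaccount:default:depl-patch-sa'"
  validations:
  # The whole spec (replicas, selector, pod template...) must be byte-for-byte unchanged.
  - expression: "object.spec == oldObject.spec"
    message: "depl-patch-sa may only change metadata.annotations; spec is read-only for it"
  # Labels are metadata too, but the question asks for annotations only, so freeze them.
  # has() guards the case where one side has no labels map at all.
  - expression: >-
      has(object.metadata.labels) == has(oldObject.metadata.labels) &&
      (!has(object.metadata.labels) || object.metadata.labels == oldObject.metadata.labels)
    message: "depl-patch-sa may only change metadata.annotations; labels are read-only for it"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: depl-annotations-only-binding
spec:
  policyName: depl-annotations-only
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: default   # set automatically on every namespace
```

To check the two layers separately, first confirm RBAC grants exactly the intended verbs: `kubectl auth can-i patch deployments.apps -n default --as=system:serviceaccount:default:depl-patch-sa` should print `yes`, while the same command with `delete` or `create` should print `no` (impersonation with `--as` requires the caller to hold the `impersonate` verb, which cluster-admin does). Then exercise the admission policy: `kubectl -n default --as=system:serviceaccount:default:depl-patch-sa patch deployment web --type merge -p '{"metadata":{"annotations":{"example.com/owner":"team-a"}}}'` succeeds, whereas the same command with `-p '{"spec":{"replicas":5}}'` is rejected with the policy's message even though RBAC allowed the verb. Two caveats: `kubectl annotate` reads the object before computing its patch, so it additionally needs `get` in the Role, whereas a direct `kubectl patch` does not; and annotations on the pod template sit under `spec.template.metadata.annotations`, so the policy deliberately blocks them, which is what you want since changing them triggers a rollout. On clusters older than 1.30 the same CEL rules can be used with the `v1beta1` API where the feature gate is enabled, or enforced by a validating admission webhook such as Kyverno or Gatekeeper.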
Source: StackOverflow