Is it possible to restrict the ability of particular users to dynamically provision disks from storageclasses? Or, for example, only allowing particular namespaces to be able to use a storageclass?
Fair warning: I haven't tested this!
StorageClass is just an API endpoint, and RBAC works by restricting access to those endpoints, so in theory this should work just fine:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: sc_access
rules:
- apiGroups: ["storage.k8s.io", "core" ]
resources: [ "storageclass" ]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
If that doesn't work, you might be able to restrict access directly via the NonResourceUrls option:
rules:
- nonResourceURLs: ["/storage.k8s.io/v1/storageclasses"]
verbs: ["get", "post"]
Storage resource quota can be used to restrict usage of storage classes
Related
I created an admin role for the namespace and build that so the role got created. However, I wanted to know whether creating a role to a namespace is enough or we need to create a user and configure some additional changes to apply that role? Please suggest.
Here is the role that I've created:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: admin
namespace: temp
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
To read more about RBAC Authorization you can visit the official documentation, additionally there are some ready tutorials about configuring the RBAC like those:
Kubernetes Role-Based Access Control (RBAC)
Mixing Kubernetes Roles, RoleBindings, ClusterRoles, and ClusterBindings
RBAC, Namespaces and Cluster Roles
I want to restrict users under RBAC AKS/kubernetes cluster namespace to fetch only secrets but not TLS secrets. I have my cluster role with the following api permissions. But it does not work iam unable to restrict users from fetching only secrets and not TLS secrets.
Code:
---
#ClusterRole-NamespaceAdmin-RoleGranter
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: clusterrole-ns-admin
rules:
# "Pods" rules
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
# "Nodes" rules - Node rules are effective only on cluster-role-binding
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
# "Secrets" rules
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create","update", "delete"]
# "TLS Secrets" rules
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes.io/tls"]
verbs: ["get", "watch", "list"]
Thanks in advance!
Short answer is it's not possible. There is only kind Secret resource in Kubernetes and you can apply RBAC on a kind. There is no separate kind for TLS secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: xi-{{instanceId}}
name: deployment-creation
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: ["batch", "extensions"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
In the above example, I permit various operations on pods and jobs.
For pods, the apiGroup is blank. For jobs, the apiGroup may be batch or extensions.
Where can I find all the possible resources, and which apiGroup I should use with each resource?
kubectl api-resources will list all the supported resource types and api-group. Here is the table of resource-types
just to add to #suresh's answer, here is a list of apiGroups
I my 1.9 cluster created this deployment role for the dev user. Deployment works as expected. Now I want to give exec and logs access to developer. What role I need to add for exec to the pod?
kind: Role
name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Error message:
kubectl exec nginx -it -- sh
Error from server (Forbidden): pods "nginx" is forbidden: User "dev" cannot create pods/exec in the namespace "dev"
Thanks
SR
The RBAC docs say that
Most resources are represented by a string representation of their name, such as “pods”, just as it appears in the URL for the relevant API endpoint. However, some Kubernetes APIs involve a “subresource”, such as the logs for a pod. [...] To represent this in an RBAC role, use a slash to delimit the resource and subresource.
To allow a subject to read both pods and pod logs, and be able to exec into the pod, you would write:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
Some client libraries may do an http GET to negotiate a websocket first, which would require the "get" verb. kubectl sends an http POST instead, that's why it requires the "create" verb in that case.
I have the following clusterrole
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: test
rules:
- apiGroups: [""]
resources: ["crontabs"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
with the following error on create
jonathan#sc-test-cluster:~$ kubectl create clusterrole role.yml
error: at least one verb must be specified
You either create it from file using -f or by specifying the options using clusterrole, see also the docs, but not both. Try the following:
$ kubectl create -f role.yml