
I want to allow only listing of resources and not the manifest content.

Example,

NAME                                 READY   STATUS    RESTARTS   AGE
airflow-redis-0                      1/1     Running   0          32h
airflow-postgresql-0                 1/1     Running   0          32h
airflow-scheduler-9416ddfd6f-n7jcr   2/2     Running   0          32h
airflow-webserver-9bf7f3c95c-kf1fx   1/1     Running   0          32h
airflow-worker-0                     2/2     Running   0          4h8m

With GET permission users can see the manifest of the pod individually. For example, kubectl describe pod airflow-worker-0 -n airflow

Similarly, with LIST permission users can see the manifest of all the pods with commands like – kubectl get pod --output=json

Is it possible to restrict manifest access and just allow the listing of resources in K8 RBAC?

2 Answers


  1. Chosen as BEST ANSWER

    Showing only a listing of resources and not the object content is not possible by using any of the RBAC request verbs.

    list can't be used. It provides the listing but will also allow accessing full object content.


  2. If you want to restrict users to only list resources, you should create a role with the get verb.
    The Role example in the official documentation shows it quite well:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: pod-reader
    rules:
    - apiGroups: [""] # "" indicates the core API group
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
    

    So, to restrict to e.g. only get pods – change verbs to

    verbs: ["get"]
    

    If you want to also allow listing e.g. deployments – change resources to

    resources: ["pods", "deployments"]
    

    As you already noticed, list gives permission to full object content.
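    As an added example (not part of the original thread or the Kubernetes docs), here is a get-only Role for the question's airflow namespace bound to an assumed user named ops-viewer, with the kubectl auth can-i checks a cluster operator would run to confirm that list stays denied while get on a single pod is allowed:

```yaml
# Added example: grant only "get" on pods and verify the effective rights.
# With "get" but no "list", the subject can read one pod's full manifest by
# name but cannot enumerate pods at all; no RBAC verb returns names only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: airflow            # namespace taken from the question
  name: pod-get-only
rules:
- apiGroups: [""]               # "" is the core API group
  resources: ["pods"]
  verbs: ["get"]                # deliberately no "list" and no "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: airflow
  name: pod-get-only-binding
subjects:
- kind: User
  name: ops-viewer              # assumed user name for this example
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-get-only
  apiGroup: rbac.authorization.k8s.io
# After "kubectl apply -f" on this file, check the result by impersonating
# the user (the caller needs the "impersonate" verb, which cluster-admin has):
#   kubectl auth can-i list pods -n airflow --as=ops-viewer      # prints: no
#   kubectl auth can-i get  pods -n airflow --as=ops-viewer      # prints: yes
#   kubectl get pod airflow-worker-0 -n airflow --as=ops-viewer  # full manifest
#   kubectl get pods -n airflow --as=ops-viewer                  # Forbidden
```

    The same check with verbs: ["get", "list"] answers "yes" to both questions, and kubectl get pods -o json then returns every pod's full object, which is the behaviour the question wants to avoid and which RBAC alone cannot prevent.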
