how to control access for pods/exec only in kubernetes rbac without pods create binded?

kubernetes rbac
peteyuan picture peteyuan · Nov 24, 2017 · Viewed 12.8k times · Source

I checked the kubernetes docs, find that pods/exec resources has no verb, and do not know how to only control access for it? Since I create a pod, someone else need to access it use 'exec' but cannot create anything in my cluster.

How to implement this?

Answer

peteyuan picture peteyuan · Nov 27, 2017

Since pods/exec is a subresource of pods, If you want to exec a pod, you first need to get the pod, so here is my role definition.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

Related questions

Create user in Kubernetes for kubectl

I need to create users to assign them permissions with RBAC, I create them as follows: echo -n "lucia" | base64 bHVjaWE= echo -n "pass" | base64 cGFzcw== apiVersion: v1 kind: Secret metadata: name: lucia-secret type: Opaque data: username: bHVjaWE= password: cGFzcw== …

Read More
how to check whether RBAC is enabled, using kubectl

I'm trying to install a helm package on a kubernetes cluster which allegedly has RBAC disabled. I'm getting a permission error mentioning clusterroles.rbac.authorization.k8s.io, which is what I'd expect if RBAC was enabled. Is there a …

Read More
Kubernetes namespace default service account

If not specified, pods are run under a default service account. How can I check what the default service account is authorized to do? Do we need it to be mounted there with every pod? If not, how can we …

Read More