
I want to restrict users under an RBAC AKS/Kubernetes cluster namespace to fetch only secrets but not TLS secrets. I have my cluster role with the following API permissions. But it does not work; I am unable to restrict users from fetching only secrets and not TLS secrets.

Code:

---
#ClusterRole-NamespaceAdmin-RoleGranter
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: clusterrole-ns-admin
rules:
  # "Pods" rules
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
  # "Nodes" rules - Node rules are effective only on cluster-role-binding
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
  # "Secrets" rules
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
  # "TLS Secrets" rules
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes.io/tls"]
  verbs: ["get", "watch", "list"]

Thanks in advance!

CloudA2Z

1 Answer

Short answer is it's not possible. There is only the kind Secret resource in Kubernetes, and you can apply RBAC on a kind. There is no separate kind for TLS secrets.

Arghya Sadhu
  • Thanks a lot. Is there any best way to tackle this scenario, especially when we are using an RBAC-enabled multitenant AKS cluster? – CloudA2Z Mar 16 '20 at 22:03
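As an added example (not part of the question or the answer, and not Kubernetes' own code), here is a small Python model of how the RBAC authorizer matches a request against PolicyRules; the secret names ingress-tls, app-config and db-password are hypothetical. It shows that resourceNames is compared against metadata.name, never against the Secret's type, so the question's fourth rule only ever matches a Secret literally named kubernetes.io/tls while the blanket third rule already grants every secret; the alternative rule set shows the only narrowing RBAC offers, naming the permitted non-TLS secrets explicitly.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One PolicyRule; an empty resource_names list means 'any name'."""
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


def rule_matches(rule, verb, group, resource, name):
    """Core of the RBAC authorizer: verb, apiGroup, resource and (if listed)
    metadata.name must all match. The Secret's 'type' field is never an input."""
    def ok(value, allowed):
        return "*" in allowed or value in allowed
    return (ok(verb, rule.verbs) and ok(group, rule.api_groups)
            and ok(resource, rule.resources)
            and (not rule.resource_names or name in rule.resource_names))


def allowed(rules, verb, group, resource, name):
    """RBAC is additive with no deny rules: one matching rule grants the request."""
    return any(rule_matches(r, verb, group, resource, name) for r in rules)


# Constructed sample: the two 'secrets' rules from the question's ClusterRole.
QUESTION_RULES = [
    Rule([""], ["secrets"], ["get", "list", "watch", "create", "update", "delete"]),
    Rule([""], ["secrets"], ["get", "watch", "list"], ["kubernetes.io/tls"]),
]

# Constructed alternative: 'get' only on explicitly named non-TLS secrets (names
# are hypothetical). list/watch are omitted: with resourceNames they only match
# requests that carry a metadata.name field selector for one of those names.
NAMED_RULES = [Rule([""], ["secrets"], ["get"], ["app-config", "db-password"])]


def can_get_secret(rules, secret_name):
    return allowed(rules, "get", "", "secrets", secret_name)


if __name__ == "__main__":
    # 'ingress-tls' stands for a hypothetical Secret of type kubernetes.io/tls.
    print(can_get_secret(QUESTION_RULES, "ingress-tls"))   # True: rule 1 matches
    print(can_get_secret(NAMED_RULES, "ingress-tls"))      # False: not named
    print(can_get_secret(NAMED_RULES, "app-config"))       # True
    # The question's fourth rule only matches a Secret literally named so:
    print(can_get_secret(QUESTION_RULES[1:], "kubernetes.io/tls"))  # True
```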