I have a Kubernetes cluster where my application is deployed. There are some other users who should only be able to copy files into and from a pod, using the kubectl cp command. This user context should not allow the user to do any other operations on the cluster other than kubectl cp.
3 Answers
2
kubectl cp internally uses exec. There is no way to provide permission to only copy, but you can provide only exec permission.
Create a Role with permission to pods/exec:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-exec
rules:
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

Create a RoleBinding to assign the above role to a user:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-exec-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-exec
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user

Arghya Sadhu
looks helpful will explore more on this – Nagasitaram Thigulla Jun 07 '20 at 05:53
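The accepted answer's point is that RBAC can only say "may create pods/exec", which is the same permission that lets a user run any command in the container; "copy only" is not expressible. The script below is an added example, not code from the answer or from Kubernetes: it re-implements the small part of RBAC rule matching (apiGroups, resources with subresources and the `*` / `*/<subresource>` wildcards, verbs, resourceNames) needed to audit a Role offline, then runs the answer's Role through a set of representative requests. On a real cluster the equivalent check is `kubectl auth can-i create pods/exec --as user -n default` (and the same with `delete pods`, `list secrets`, and so on). One practical caveat the example encodes: kubectl's exec/cp path first reads the pod object to resolve the container, so a Role that works end to end also needs `get` on `pods`; `POD_EXEC_ROLE_WORKING` adds that second rule. The `Rule`/`Request` types and the `can_i`/`audit` helpers are this example's own names.

```python
"""Offline check of what the pod-exec Role does and does not permit.

Added example (not code from the original answer). It re-implements the
subset of Kubernetes RBAC rule matching needed to reason about a Role:
apiGroups, resources including subresources and the "*" / "*/<sub>" wildcards,
verbs, and resourceNames. It is a teaching approximation of the API server's
RBAC authorizer, not a replacement for `kubectl auth can-i`.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One entry of a Role's `rules:` list."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Request:
    """An authorization attribute set as the API server would see it."""
    verb: str
    resource: str            # "pods" or "pods/exec" (resource/subresource)
    api_group: str = ""      # "" is the core group
    name: Optional[str] = None


def _resource_matches(pattern: str, resource: str) -> bool:
    """Mirror RBAC resource matching: exact, "*", or "*/<subresource>"."""
    if pattern == "*" or pattern == resource:
        return True
    if "/" in resource and pattern.startswith("*/"):
        return resource.split("/", 1)[1] == pattern[2:]
    return False


def rule_allows(rule: Rule, req: Request) -> bool:
    group_ok = "*" in rule.api_groups or req.api_group in rule.api_groups
    verb_ok = "*" in rule.verbs or req.verb in rule.verbs
    res_ok = any(_resource_matches(p, req.resource) for p in rule.resources)
    # resourceNames, when set, restrict the rule to the named objects only
    name_ok = not rule.resource_names or req.name in rule.resource_names
    return group_ok and verb_ok and res_ok and name_ok


def can_i(rules: List[Rule], verb: str, resource: str,
          api_group: str = "", name: Optional[str] = None) -> bool:
    """Roles are purely additive: any matching rule grants the request."""
    return any(rule_allows(r, Request(verb, resource, api_group, name)) for r in rules)


# The answer's Role, as Python literals to avoid a YAML parser dependency.
POD_EXEC_ROLE = [Rule(api_groups=[""], resources=["pods/exec"], verbs=["create"])]

# kubectl exec/cp first read the pod object to resolve the container, so a
# Role that works end to end also needs "get" on pods (second rule).
POD_EXEC_ROLE_WORKING = POD_EXEC_ROLE + [
    Rule(api_groups=[""], resources=["pods"], verbs=["get"]),
]


def audit(rules: List[Rule]) -> Dict[str, bool]:
    """Representative requests, like a batch of `kubectl auth can-i --as=user`."""
    checks: Dict[str, Tuple[str, str, str]] = {
        "create pods/exec": ("create", "pods/exec", ""),
        "get pods": ("get", "pods", ""),
        "delete pods": ("delete", "pods", ""),
        "create pods/portforward": ("create", "pods/portforward", ""),
        "list secrets": ("list", "secrets", ""),
        "create deployments.apps": ("create", "deployments", "apps"),
    }
    return {label: can_i(rules, *args) for label, args in checks.items()}


if __name__ == "__main__":
    for label, allowed in audit(POD_EXEC_ROLE_WORKING).items():
        print(f"{label:26s} {'yes' if allowed else 'no'}")
```

Running it shows the Role grants exactly `create pods/exec` and `get pods` and denies everything else in the list, which is the most RBAC can do here. If the set of pods the user may reach should be narrower still, add `resourceNames` to the `pods/exec` rule (the example's matcher honours it); what RBAC cannot do is restrict which command the exec session runs.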
1
Rather than use kubectl cp, instead run a sidecar container with an sftp or rsync server. That will give you better control at all levels.

coderanger
0
You can use OPA and an admission controller which only permits running an API manifest that has a specific label like "cp" or "username" etc., and also benefit from Gatekeeper.

Bora Özkan