I want to create a Kubernetes service account and roles/RBAC which will grant permission to patch/update annotations of a deployment. The service account should not be able to perform any other update on a Kubernetes deployment. It should have upgrade and patch permission on the metadata section only.
- Please provide more information about your current setup - which Kubernetes version are you using, which solution did you use to set up a cluster (kubeadm or some cloud provider solution etc.). – Bazhikov Dec 16 '21 at 08:46
1 Answer
I will give you an example of how you can create your service account depending on your needs; you can take my example and easily modify it. It looks something like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role # it can be ClusterRole if you want your service account to work across all namespaces
metadata:
  namespace: default # you can specify any of your working namespaces
  name: depl-patch-role
rules:
- apiGroups: ["apps"] # Deployments live in the "apps" API group; "" is the core group, which has no deployments
  resources: ["deployments"]
  verbs: ["update", "patch"] # verbs apply to the whole resource, RBAC has no per-field granularity
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: depl-patch-sa
  namespace: default
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: depl-patch-rolebinding
  namespace: default
subjects:
- kind: ServiceAccount
  name: depl-patch-sa
  namespace: default # ServiceAccount subjects are namespaced, so the namespace is required
  apiGroup: "" # ServiceAccount subjects belong to the core group
roleRef:
  kind: Role
  name: depl-patch-role
  apiGroup: rbac.authorization.k8s.io # roleRef must reference the RBAC API group, not ""
Hope this helps. You can find more info about roles/RBAC in the official documentation.

Bazhikov
- Nope. This will give permission to patch anything. What I want is to allow a patch of a specific section. – Akshay Gopani Dec 29 '21 at 08:32
- @AkshayGopani, there is no such built-in possibility, feel free to create a python script to do so – Bazhikov Jan 17 '22 at 19:38
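The last comment is the key point for anyone hitting this question: Kubernetes RBAC grants verbs on whole resources, so a Role with `patch` on `deployments` lets the service account patch any field of the deployment, and there is no built-in way to limit it to `metadata.annotations`. The field-level restriction has to be enforced by whatever sits in front of the API call. Below is an added example of such a gate in Python (not the answerer's code and not part of the original page): it only ever builds patch bodies that touch `metadata.annotations`, and it rejects any externally supplied patch that reaches outside that path. The `kubernetes` client call, the kubeconfig loading, and the sample patch bodies are assumptions and constructed data for illustration.

```python
"""Gate that only lets annotation-only patches reach the Deployment API.

Added example for the "write a script" approach from the comment above.
RBAC cannot express "patch metadata.annotations only", so the restriction
lives here, in the code that holds the service account's credentials.
"""
from typing import Any, Dict, Optional


def annotation_patch(annotations: Dict[str, Optional[str]]) -> Dict[str, Any]:
    """Build a patch body that touches nothing but metadata.annotations.

    A value of None removes that annotation key; for a plain map such as
    annotations, merge-patch and strategic-merge-patch behave identically.
    """
    return {"metadata": {"annotations": dict(annotations)}}


def is_annotation_only(patch: Dict[str, Any]) -> bool:
    """Return True only if every key in the patch lives under metadata.annotations.

    Anything else at the top level (spec, status, ...) or under metadata
    (labels, name, finalizers, ...) makes the patch unacceptable.
    """
    if not isinstance(patch, dict) or set(patch) != {"metadata"}:
        return False
    metadata = patch["metadata"]
    if not isinstance(metadata, dict) or set(metadata) != {"annotations"}:
        return False
    annotations = metadata["annotations"]
    if not isinstance(annotations, dict):
        return False
    # Annotation keys are strings; values are strings, or None to delete.
    return all(
        isinstance(key, str) and (value is None or isinstance(value, str))
        for key, value in annotations.items()
    )


def apply_annotations(name: str, namespace: str,
                      annotations: Dict[str, Optional[str]]):
    """Send the restricted patch with the official client (assumed wiring).

    Assumes the `kubernetes` package is installed and a kubeconfig for the
    service account is present; this function is not exercised offline.
    """
    from kubernetes import client, config  # assumption: official Python client

    config.load_kube_config()
    body = annotation_patch(annotations)
    # Defensive re-check so a future change to annotation_patch cannot widen the gate.
    if not is_annotation_only(body):
        raise ValueError("patch would touch fields outside metadata.annotations")
    return client.AppsV1Api().patch_namespaced_deployment(name, namespace, body)


# Constructed sample patch bodies: the first is what the question wants to allow,
# the others are the kind of request the gate must refuse.
SAMPLE_OK = {"metadata": {"annotations": {"example.com/last-run": "2021-12-29"}}}
SAMPLE_REPLICAS = {"spec": {"replicas": 0}}
SAMPLE_LABELS = {"metadata": {"labels": {"team": "x"}, "annotations": {}}}


def classify_samples() -> Dict[str, bool]:
    """Run the gate over the constructed samples; useful as a self-check."""
    return {
        "ok": is_annotation_only(SAMPLE_OK),
        "replicas": is_annotation_only(SAMPLE_REPLICAS),
        "labels": is_annotation_only(SAMPLE_LABELS),
    }


if __name__ == "__main__":
    print(classify_samples())
```

The service account still needs the `patch` verb on `deployments` in the `apps` group for this to work, so the credential itself remains able to patch anything; the script is the control, and the credential should only be handed to that script. If a cluster-side guarantee is needed rather than a client-side one, that is the job of an admission webhook, which is outside what this answer covers.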