Modify ClusterRole for Kubernetes

Question

I want to use the ClusterRole edit for some users of my Kubernetes cluster (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles).

However, it is unfortunate that the user can be accessing and modifying Resource Quotas and Limit Ranges.

My question is now: How can I grant Users via a RoleBinding access to a namespace, such that the Role is essentially the CluserRole edit, but without having any access to Resource Quotas and Limit Ranges?

score 2 · Accepted Answer · answered Jan 12 '22 at 00:03

2

The edit role gives only read access to resourcequotas and limitranges:

- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch

If you want a role that doesn't include read access to these resources, just make a copy of the edit role with those resources excluded.

answered Jan 12 '22 at 00:03

larsks

277,717
41
399
399

Many thanks for your reply. Could you tell me where I could get the rights etc. (In yaml format or whatever) for each ClusterRole? – tobias Jan 12 '22 at 08:35
`kubectl get clusterrole edit -o yaml` – larsks Jan 12 '22 at 11:33

Modify ClusterRole for Kubernetes

1 Answers1