0

With security in mind, I do not want to allow the create verb on Job and CronJob resources because it would allow someone to create a pod (using any image) and expose sensitive information. But I also want to allow the ability to trigger jobs that have already been created on the cluster.

Is there a way to allow the triggering of Jobs and CronJobs in a Kubernetes cluster without assigning the create verb in a Role or ClusterRole RBAC definition?

If not, is there a way to only allow create when the Job or CronJob already exists on the cluster?

I've simply tried the following RBAC definition and was able to create any pod (dangerous) that I wanted.

apiGroups:
  - batch
resources:
  - cronjobs
  - jobs
verbs:
  - get
  - create
greenboi
  • 3
  • 2
  • While Stack Overflow does permit certain questions about Kubernetes, we require that they (like all questions asked here) be specifically related to programming. This question does not appear to be specifically related to programming, which makes it off-topic here. You might be able to ask questions like this one on [sf] or [DevOps](https://devops.stackexchange.com/). – Turing85 Jul 14 '23 at 20:05

1 Answers1

2

  1. You can't "trigger" a Job. A Job is either pending (waiting to run), running, or completed. If it's completed, you can't re-run it; you can only delete and re-create it.

  2. The only way to manually run a CronJob is by...using it as a template to create a Job (kubectl create job --from=cronjob ...).

So in both situations, you need the ability to create a Job.

Lastly:

  1. You can't "allow create when the Job or CronJob already exists", because in that case the resource has already been created. There's nothing to create.
larsks
  • 277,717
  • 41
  • 399
  • 399