How can I set up a ClusterRole or Role to deny access to certain resources?

How can I set up a Role or ClusterRole to deny access to certain resources?

For instance, a Role to deny access to certain pods in a specific namespace.

That should be rules.resourceNames in the Role or ClusterRole.

The Using RBAC Authorization | Kubernetes document has an example of referring to resources. That link is directly to it.

Here is an API doc with just the available values for Roles: ClusterRole | Kubernetes
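As an added illustration of the `rules.resourceNames` approach suggested in the reply above (this is example code, not a manifest from the thread or from the Kubernetes docs; the namespace `team-a`, the pod names and the service account `ops-bot` are all hypothetical), here is a Role that permits a subject to act only on two named pods. Everything not listed is denied, because RBAC grants are purely additive:

```yaml
# Added example (not from the thread): a Role scoped to two named pods in the
# hypothetical namespace "team-a". RBAC has no deny rules, so "deny everything
# else" is achieved by simply not granting it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a
  name: pod-reader-limited
rules:
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["web-0", "web-1"]   # only these two pods are reachable
    verbs: ["get", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]             # subresources take resourceNames too
    resourceNames: ["web-0", "web-1"]
    verbs: ["get"]
---
# Bind the Role to the (hypothetical) service account that should be limited.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a
  name: pod-reader-limited
subjects:
  - kind: ServiceAccount
    name: ops-bot
    namespace: team-a
roleRef:
  kind: Role
  name: pod-reader-limited
  apiGroup: rbac.authorization.k8s.io
```

After applying it, you can check the effective permissions with `kubectl auth can-i get pods/web-0 -n team-a --as=system:serviceaccount:team-a:ops-bot` (expected `yes`) and `kubectl auth can-i get pods/web-2 -n team-a --as=system:serviceaccount:team-a:ops-bot` (expected `no`). Two caveats worth knowing: `resourceNames` cannot restrict `create` or `deletecollection`, since the object name may not be known at authorization time, and a `list` or `watch` request carries no single name, so a rule with `resourceNames` does not authorize listing the namespace at all. Also remember that permissions are the union of every binding the subject has, so a broader grant elsewhere (for example a ClusterRoleBinding) will widen what this Role appears to limit.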

I saw the same link before, which answers the question.

Permissions are purely additive (there are no “deny” rules).

Yep, there aren’t deny rules. You just set rules.resourceNames to the limited set of resources you want to permit access to. This is more secure.

Though if you absolutely must, you could probably take advantage of admission webhooks with some code.

There are some tools that already exist that take advantage of admission webhooks, like jspolicy and Kyverno. Regarding Kyverno, they have a flaw in their default settings that I would call a vulnerability.

Thanks for pointing in the right direction; we are thinking of implementing OPA/Gatekeeper.
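Since the thread ends on admission webhooks and OPA/Gatekeeper, here is an added example (not from the thread or the Gatekeeper project) of what an explicit "deny" looks like in that model. It assumes Gatekeeper is installed in the cluster; the template name `K8sDeniedPodNames`, the namespace `team-a` and the pod name `payments-db-0` are hypothetical. The constraint rejects writes to pods whose names appear in a deny list:

```yaml
# Added example (not from the thread): a Gatekeeper ConstraintTemplate whose
# Rego marks a violation when a Pod's name is on a configured deny list.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdeniedpodnames
spec:
  crd:
    spec:
      names:
        kind: K8sDeniedPodNames
      validation:
        openAPIV3Schema:
          type: object
          properties:
            names:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdeniedpodnames

        # input.review is the AdmissionReview request; input.parameters comes
        # from the Constraint below.
        violation[{"msg": msg}] {
          input.review.kind.kind == "Pod"
          name := input.review.object.metadata.name
          input.parameters.names[_] == name
          msg := sprintf("pod %v is protected by policy in this namespace", [name])
        }
---
# The Constraint instantiates the template for one namespace and supplies the
# hypothetical deny list.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDeniedPodNames
metadata:
  name: deny-protected-pods
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["team-a"]
  parameters:
    names: ["payments-db-0"]
```

Two limits of this approach matter for the original question. Admission control only ever sees write requests (create, update, and delete if the webhook is registered for it); a `get` or `list` never reaches a webhook, so read access can only be withheld through RBAC by not granting it. And a validating webhook is only as strong as its `failurePolicy`: with `Ignore`, requests are admitted whenever the webhook is unreachable, so check that setting on whichever tool you deploy.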