How can I setup cluster role or role to deny access to certain resources?

sunil106 · July 21, 2021, 10:24am

How can I setup Role or Cluster Role to deny access to certain resources?

for instance, Role to deny access to certain pods in specific namespace.

protosam · July 21, 2021, 4:34pm

That should be rules.resourceNames in the Role or ClusterRole.

The Using RBAC Authorization | Kubernetes document has an example of referring to resources. That link is directly to it.

Here is an API doc with just the available values for Roles: ClusterRole | Kubernetes

sunil106 · July 23, 2021, 1:12pm

I saw same link before which answers question.

Permissions are purely additive (there are no “deny” rules).

protosam · July 23, 2021, 2:57pm

Yep there aren’t deny rules. You just set rules.resourceNames to the limited set of resources you want to permit access to. This is more secure.

Though if you absolutely must, you could probably take advantage of admission webhooks with some code.

There’s some tools that already exist that take advantage of admission webhooks like jspolicy and Kyverno. Regarding Kyverno, they have a flaw in their default settings that I would call a vulnerability.

sunil106 · July 24, 2021, 4:50am

Thanks for pointing to right direction, we are thinking to implement OPA/Gatekeeper

Topic		Replies	Views
Do we have the option to exclude resourceNames in k8s role microk8s	3	1158	March 28, 2021
How to limit the scope of Namespace with ClusterRole? General Discussions development	4	11762	August 31, 2022
Pod creation - permission General Discussions	0	446	February 7, 2020
Permissions to create a pod General Discussions	0	431	February 7, 2020
Kubernetes RBAC microk8s	0	352	March 29, 2021