Ahoy.
I’ve spent the last few weeks trying to set up a secure GKE cluster. But I’ve hit a wall where it seems impossible to find a solution to my (seemingly) simple issue.
I want to block myself and everyone else from reading secrets and running kubectl exec on a specific customer pod. I’ve tried brute-force solutions like in this blog post, but I’m starting to think there is no way to achieve what I need, since deleting every single clusterrole and its binding doesn’t affect me when I run kubectl.
Is there a way to apply RBAC on a pod and its secrets against EVERYONE (sysadmins, devs, owners)?
Cluster information:
Kubernetes version: 1.24.9-gke.3200
Cloud being used: GKE
Installation method:
Host OS: Container OS
CNI and version: Cilium
CRI and version:
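To make the behaviour the question runs into concrete, here is a small model of how the Kubernetes RBAC authorizer decides a request (an added example, not code from the poster). It evaluates the two operations named above, reading secrets and `pods/exec`, against constructed Role and binding data; the `gke_owner_stub` is an assumption standing in for any other authorizer the API server consults after RBAC.

```python
"""Simplified model of Kubernetes RBAC authorization.

RBAC is additive: a request is allowed if ANY rule in ANY role bound to the
subject matches it; otherwise RBAC has "no opinion" and the API server asks
the next configured authorizer. There is no deny rule, so removing bindings
can never block a principal that another authorizer already allows.
"""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    verb: str
    resource: str          # "secrets" or "pods/exec" (subresource form)
    namespace: str = ""
    name: str = ""


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def rule_allows(rule: dict, req: Request) -> bool:
    """A PolicyRule matches only if verb, resource and resourceNames all match."""
    if not any(_match(v, req.verb) for v in rule.get("verbs", [])):
        return False
    if not any(_match(r, req.resource) for r in rule.get("resources", [])):
        return False
    names = rule.get("resourceNames")
    if names and req.name not in names:   # empty resourceNames means "all"
        return False
    return True


def rbac_allows(bindings: list, roles: dict, req: Request) -> bool:
    """Union over every binding naming the user; a binding without a namespace is cluster-wide."""
    for b in bindings:
        if req.user not in b["subjects"]:
            continue
        if b.get("namespace") not in (None, req.namespace):
            continue
        if any(rule_allows(rule, req) for rule in roles[b["role"]]):
            return True
    return False


def authorize(req: Request, bindings: list, roles: dict, other_authorizers=()) -> bool:
    """API-server semantics: authorizers are consulted in order and the first allow wins."""
    return rbac_allows(bindings, roles, req) or any(a(req) for a in other_authorizers)


# Constructed sample data: a dev Role that grants pods and logs, but not secrets or exec.
ROLES = {"dev": [{"verbs": ["get", "list"], "resources": ["pods", "pods/log"]}]}
BINDINGS = [{"role": "dev", "namespace": "customer", "subjects": ["alice"]}]


def gke_owner_stub(req: Request) -> bool:
    """Assumed stand-in for an authorizer outside RBAC (e.g. cloud IAM); not real GKE code."""
    return req.user == "owner"
```

With no binding at all, RBAC denies "owner", yet `authorize` still returns True because the out-of-band authorizer allows it; that is why deleting clusterroles has no visible effect on such a principal.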