Strip down superuser

Ahoy.

I’ve spent the last few weeks trying to setup a secure GKE cluster. But I’ve hit a wall where it seems impossible to find a solution to my (seemingly) simple issue.

I want to block myself and everyone else from reading secret and running kubectl exec on a specific customer pod. I’ve tried bruteforce solutions like in this blog post, but I start thinking there is no way to achieve what I need since deleiting every single clusterole and its binding doesn’t affect me when I run kubectl.

Is there a way to apply RBAC on a pod and its secrets from EVERYONE (sysyadmins, devs, owners)?

Cluster information:

Kubernetes version: 1.24.9-gke.3200
Cloud being used: GKE
Installation method:
Host OS: Container OS
CNI and version: Cilium
CRI and version: